You are attempting to add or update the mail attribute with a value that is already used by another user in AD. The mail attribute needs to be unique across the forest.
Thinking about it, and if I remember correctly, the mail attribute doesn’t actually need to be unique. The error may be in another attribute that you are sending, but the error just returns the first attribute, which may or may not be causing the constraint violation. Maybe post the attribute map for this user?
Things to look at: sAMAccountName is unique and no more than 20 characters, manager value is an existing DN, countryCode is a supported value, mailNickname is unique, userPrincipalName is unique. Not an exhaustive list, just some things that can cause constraint violations.
By looking at the log, it seems the error is occurring during attribute sync. Please share the list of attributes which are enabled for attribute sync; it may help to narrow down the issue. Also, you can check whether there are multiple sync events for the same attribute for the same account, and verify whether the attributes got updated even though you have an error. You need to see whether the issue is due to the updated account not being aggregated into SailPoint, hence attribute sync keeps retrying the update process.
Some common scenarios for this error:
1. Uniqueness: check whether any account already exists with the same unique attributes, like sAMAccountName.
2. Exceeding Attribute Limitation: any of the identity attribute(s) data exceeds the max length of the account attribute.
3. Delayed Sync: the account might have been updated in AD but the latest data was not synced back to SailPoint.
I assume the issue might be due to #2 or #3 since the error is only for a few accounts.
Just check whether, for all the attributes you mentioned for which you have enabled attribute sync, there are any constraints that have been put in place by the AD team.
That means: are there any length limitations, any predefined rules on any attributes, etc.? Once you find out that
Also, while testing this scenario, is there any OU movement or CN change happening around the same thread for the user? If that is the case, then there might be some delay in it, because OU movements or CN changes take some time for the AD connector to reflect into ISC.
Also, go to ISC tenant -> Identity Management -> Identities. Search for your identity, open your identity -> go to Events and check which Modify Account Events specific to AD have FAILED.
As @j_place said, the mail attribute is not in the list and your initial error is on the mail attribute. Is it something you enabled attr-sync for earlier and have disabled now? Does the issue occur now?
Anyway, here are some debugging steps; please do them in SB.
Get the data of all these identity attributes from the erroring identity and from one of the succeeding identities, and compare the length of each identity attribute value.
Enable attribute sync only for those attributes, one by one.
It will error out when the length exceeds the account attribute's limitation. Since you are enabling sync for one attribute at a time, you can easily find the attribute.
On your questions,
What will be the solution if sync is delayed? Mostly it will be taken care of by the connector itself. This is an exceptional issue and it occurs due to resource unavailability, like if AD is not responding frequently.
What will be the attribute limitation?
You need to verify the Active Directory documentation for the predefined attributes and check with the AD team on custom attributes.
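
A pre-check along the lines suggested in the thread, as an added example that is not part of the original posts or of any SailPoint or AD tooling: it flags values in an outgoing attribute map that exceed a length limit, collide with another account on a unique attribute, or name a manager DN that does not exist. The directory contents, DNs and attribute map are constructed samples, and `find_violations` is a hypothetical helper; only the 20-character sAMAccountName limit comes from the thread, so other limits have to be filled in from the AD documentation or the AD team.

```python
# Attributes the thread lists as needing to be unique.
UNIQUE_ATTRS = ("sAMAccountName", "mailNickname", "userPrincipalName")
# Only limit stated in the thread; add others from the AD schema documentation.
MAX_LEN = {"sAMAccountName": 20}

# Constructed sample of accounts already in the directory (DN -> attributes).
EXISTING = {
    "CN=Ann Lee,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "alee", "mailNickname": "alee",
        "userPrincipalName": "alee@example.com"},
    "CN=Bo Chan,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "bchan", "mailNickname": "bchan",
        "userPrincipalName": "bchan@example.com"},
}


def find_violations(target_dn, attrs, existing=EXISTING, max_len=MAX_LEN):
    """Return (attribute, reason) pairs for values likely to be rejected."""
    problems = []
    for name, raw in attrs.items():
        value = str(raw)
        limit = max_len.get(name)
        if limit is not None and len(value) > limit:
            problems.append((name, f"length {len(value)} exceeds {limit}"))
        if name in UNIQUE_ATTRS:
            for dn, other in existing.items():
                # Compare case-insensitively and skip the account being updated.
                if dn.lower() != target_dn.lower() and \
                        other.get(name, "").lower() == value.lower():
                    problems.append((name, f"already used by {dn}"))
    manager = attrs.get("manager")
    if manager and manager.lower() not in {dn.lower() for dn in existing}:
        problems.append(("manager", "DN not found in directory"))
    return problems


if __name__ == "__main__":
    # Constructed attribute map for a failing account.
    sample = {"sAMAccountName": "christopher.montgomery",
              "mailNickname": "ALEE",
              "manager": "CN=Gone User,OU=Staff,DC=example,DC=com"}
    dn = "CN=Chris M,OU=Staff,DC=example,DC=com"
    for attr, reason in find_violations(dn, sample):
        print(f"{attr}: {reason}")
```

Running it against the attribute maps of one failing and one succeeding identity gives the same comparison as the one-attribute-at-a-time test, without triggering further failed Modify Account events.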