SailPoint ISC LDAP Generic Connector Error 65 - Moving OUD Accounts Between OUs

Hi guys,

I’m facing an issue when trying to move disabled accounts to a different OU in Oracle Unified Directory (OUD) LDAP through SailPoint IdentityNow.

Current scenario:

  • Source OU: ou=users,dc=company,dc=com,dc=br
  • Target OU: ou=disabled,dc=company,dc=com,dc=br
  • Need to move accounts when lifecycle state changes to inactive

I’ve tried a Provisioning Policy with AC_NewParent (failed: not supported in OUD LDAP) and using the DN attribute with a “Set” operation (failed: schema violation).

Error message in SailPoint events: LDAP error code 65 - Entry cannot be modified because the resulting entry would have violated the server schema

Oracle OUD documentation suggests using “moddn” operation for moving entries between OUs.

Has anyone successfully implemented this in OUD LDAP via Provisioning Policy in SailPoint IDN? What’s the best approach - BeforeProvisioning Rule with ModifyDN or another method?

Your experience and guidance would be really appreciated.

Thanks in advance.

@drandy You can use the before provisioning rule with ModifyDN since LDAP does not support AC_NewParent. I have already tried and it’s working fine for me.

Hope this helps.

Hi @Santhakumar, thank you so much for clarifying the ModifyDN approach for LDAP OU movement.

I have requested the “Services Standard Before Provisioning rule” deployment through SailPoint support team. If I understand SailPoint’s cloud guidelines correctly, this is a template rule that will require an additional custom rule implementing the ModifyDN operation for my specific OU movement requirement (disabled). I just wanted to confirm if this is the correct understanding of the process.

Best Regards.