Access Fulfillment Express (AFX) AD LDAP connector fails to remove AD account with error "Not Allowed On Non-leaf" in RSA Identity Governance and Lifecycle 7.x
Originally Published: 2018-11-08
Article Number
Applies To
RSA Version/Condition: 7.0.2, 7.1.0
Issue
- The RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) AD LDAP connector fails to remove an AD account.
- This issue occurs for accounts that have Microsoft ActiveSync enabled, which causes a child object to be created beneath the AD account object so that the account is no longer a leaf object.
- The /home/oracle/AFX/esb/logs/esb.AFX-SETTINGS-ActiveDirectory.log shows the following error message:
2018-11-07 13:47:39.351 [ERROR] org.mule.transport.ldapx.LdapxConnector:337 - Error: LDAPException: Not Allowed On Non-leaf (66) Not Allowed On Non-leaf
LDAPException: Server Message: 00002015: UpdErr: DSID-031A1226, problem 6003 (CANT_ON_NON_LEAF), data 0
LDAPException: Matched DN:
Cause
- This is a known limitation of the Active Directory LDAP Connector when provisioning over the LDAP protocol to Microsoft Active Directory: an LDAP delete of an object that still has children is refused by the directory.
- This is a limitation of Microsoft Active Directory when using LDAP; it is not a limitation of the RSA Identity Governance & Lifecycle product.
Resolution
RSA Identity Governance & Lifecycle does allow you to use different types of connectors for provisioning to Microsoft using PowerShell. The Microsoft Exchange 2007, Microsoft Exchange 2010, Microsoft Exchange 2013 and Office365 connectors all leverage PowerShell to provision against Microsoft products. In addition, the Generic SSH connector can be configured to use PowerShell for provisioning to Microsoft. These are advanced connectors, however, and they may require customization or advanced configuration to achieve your business objectives. They do not directly replace the Active Directory LDAP Connector; they are different connectors that may be used to achieve different purposes. Customers not familiar with connector design and Microsoft PowerShell scripting should contact RSA Professional Services for assistance in designing a custom connector for this purpose.
Workaround
Alternatively, customers have used the technique of disabling the account and then moving it to an OU outside of the collection's scope. The account can then be deleted out of band.
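The following PowerShell script is an added example illustrating the workaround above; it is not part of this article and is not RSA or AFX code. It checks whether an account still has child objects (the condition that produces the "Not Allowed On Non-leaf" error), disables the account, moves it to a retirement OU that lies outside the AFX collection's search base, and, as the separate out-of-band step, deletes the account together with its children. The OU names, the sample account and the function names are assumptions for illustration; the cmdlets come from the Microsoft ActiveDirectory module.

```powershell
# Added example (not from the article): workaround for deleting AD accounts that are
# no longer leaf objects, e.g. because Exchange ActiveSync created a child container.
# Requires the ActiveDirectory module (RSAT) and rights to modify the accounts involved.
Import-Module ActiveDirectory

# Assumed names: the AFX collection is scoped to OU=Users,DC=example,DC=com and the
# retirement OU sits outside that scope. Adjust both to your environment.
$RetiredOU = 'OU=Retired,DC=example,DC=com'

function Test-ADObjectIsLeaf {
    # Returns $true when the object has no children (an LDAP delete would succeed),
    # $false when it has child objects (the LDAP connector's delete would fail with
    # "Not Allowed On Non-leaf", result code 66).
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $children = Get-ADObject -SearchBase $DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=*)' -ErrorAction Stop
    return ($null -eq $children) -or (@($children).Count -eq 0)
}

function Invoke-ADAccountRetirement {
    # Step 1 of the workaround: disable the account and move it out of the
    # collection's scope so AFX/the collector no longer manages it.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetOU
    )

    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    if (Test-ADObjectIsLeaf -DistinguishedName $user.DistinguishedName) {
        Write-Host "$SamAccountName is a leaf object; a plain LDAP delete would work."
    } else {
        Write-Host "$SamAccountName has child objects; using disable-and-move workaround."
    }

    Disable-ADAccount -Identity $user -ErrorAction Stop
    Set-ADUser -Identity $user -Description "Retired $(Get-Date -Format s); pending deletion" -ErrorAction Stop
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
    Write-Host "$SamAccountName disabled and moved to $TargetOU."
}

function Remove-ADRetiredAccount {
    # Step 2 (out of band, outside AFX): delete the account and its child objects.
    # -Recursive removes the subtree, which is what the single-object LDAP delete
    # used by the connector cannot do.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RetiredOU
    )

    $user = Get-ADUser -Identity $SamAccountName -SearchBase $RetiredOU -ErrorAction Stop
    if ($user.Enabled) {
        throw "$SamAccountName is still enabled; refusing to delete an active account."
    }
    Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false -ErrorAction Stop
    Write-Host "$SamAccountName and its child objects removed."
}

# Sample usage with an assumed account name:
# Invoke-ADAccountRetirement -SamAccountName 'jdoe' -TargetOU $RetiredOU
# ... later, after the AFX collection has run and no longer sees the account ...
# Remove-ADRetiredAccount -SamAccountName 'jdoe' -RetiredOU $RetiredOU
```

Keep the two steps separate in practice: the move lets the AFX collection observe the account as gone before anything is destroyed, and the deletion step refuses to run on an account that is still enabled so an accidental invocation against a live user fails closed.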