Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
687
Views
0
Helpful
0
Comments

After an upgrade to Cisco CallManager 4.x, cannot modify users in the Active Directory or update device associations with Cisco CallManager Administration, which results in the "1009: Could not update user" violation constraint error message

TCC_2
Level 10
Level 10

‎06-18-2009 03:59 PM - edited ‎03-12-2019 08:24 AM

Core Issue

The defect is observed in these two conditions:

  • This can occur when the GUID is appended to an existing account that does not have the GUID, which means that the user is originally configured with a previous version of Cisco CallManager. For example, when the user profile Directory Number (DN) or the application profile DN does not contain the GUID appended in the end, but the ciscoAtGUID attribute is populated for the user or vice versa.

    Consider the user profile and application profile DN to be as shown:
       
    • cn=user-Profile-{GUID}, ou=profiles,ou=CCN,o=cisco.com

    • cn=user-CCNProfile-{GUID}, ou=profiles,ou=CCN,o=cisco.com
       
    Every time a user is modified, the ciscoAtUserProfile and ciscoAtAppProfile attribute are created again and updated for the user. If the ciscoAtGUID attribute is not present, the new user profile DN is created as shown:
       
    • cn=user-Profile, ou=profiles,ou=CCN,o=cisco.com

    • cn=user-CCNProfile, ou=profiles,ou=CCN,o=cisco.com
       
    Since these DNs do not exist in the directory, a constraint violation error is thrown, and the user update fails.

  • This behavior also occurs when an attempt is made to update a device association for a user that is renamed in the Active Directory (AD). For example, the DNs do not contain the GUID attribute, but the ciscoAtGUID attribute is populated.

Resolution

See if the users that experience the issue are renamed in the AD. If yes, rename the user back to the original user ID. If the same issue still occurs, complete these steps:

  1. Launch ADSIEdit in order to look directly at the attributes in the AD for the user in question.   

  2. Navigate to the CN=user1,OU=evt,OU=avvid,DC=irvine,DC=com entry. Right click the object, and choose Properties. Under Select a property to view, select the ciscoatGUID. Take a backup of the value present for the ciscoatGUID attribute for this user. In order to do this, save the ciscoatGUID value in Notepad so that it can be put back, if required.   

       
  3. Remove the value present for the ciscoAtGUID attribute, from these three entries in the AD server:   

    • CN=user1-profile,OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com       

             
    • CN=user1-CCNProfile,OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com       

             
    • CN=user1,OU=evt,OU=avvid Unit,DC=irvine,DC=com    

  4. Try to associate a device to the user1 user from the Cisco CallManager pages.

In order to resolve the second condition, complete these steps:

  1. Launch ADSIEdit in order to directly look at the attributes in the AD for the user in question.   

       
  2. Navigate to the CN=user1,OU=evt,OU=avvid,DC=irvine,DC=com entry. Right click the object, and choose Properties. Under Select a property to view, select the ciscoatGUID.   

       
  3. Clear the current value present for the ciscoAtGUID attribute.   

       
  4. Choose the ciscoatUserProfile attribute for the same user, and clear it as well.   

       
  5. Choose the ciscoatUserProfileString attribute for the same user, and clear it.   

       
  6. (Optional) For housekeeping, delete the orphan profile entries for the user from the Cisco OU, such as OU=profiles, OU=CCN,OU=Cisco,DC=irvine,DC=com.   

    For example, if olduser1 is renamed to user1, the entries in the Cisco OU that start with user1 or olduser1 can be deleted. The new ones are recreated when the new device association is done. Refer to these examples:  

    • CN=olduser1-profile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com       

    • CN=olduser1-CCNProfile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com       

             
    • CN=user1-CCNProfile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com
      

       

  7. Try to associate a device to the user1 user from the Cisco CallManager Administrator pages.

      

    Note: The resolution steps for condition two also resolve the first condition, because they remove all the Cisco CallManager-specific information with regard to this user in the AD.  

This problem can also be resolved with an upgrade of the Cisco CallManager to any of these versions:

  • 003.003(004.134)   

       
  • 004.001(002.079)   

       
  • 004.001(002.080)   

       
  • 04.0(02a)ES21   

       
  • 04.1(02)ES13.   

       

Refer to Cisco Downloads in order to download the Cisco CallManager versions.

This problem is tracked in Cisco bug ID CSCeg34036.

Refer to Active Directory and Cisco CallManager Integration Troubleshooting Guide for more information.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents