An Active Directory (AD) import may fail with the following error message:
"org.springframework.dao.DataIntegrityViolationException: could not execute statement; SQL [n/a]; constraint [externalIdAndInstanceKey]; nested exception is org.hibernate.exception.ConstraintViolationException: could not execute statement"
- Directories
- Imports
- AD Groups
This error appears during the "processObjects" phase of either an incremental or a full import.
The root cause is that a Universal AD group (either a Distribution or a Security group) has been migrated from one child domain to a different child domain in the same forest, but the group has not yet been deleted from Okta's internal record of the former domain.
The migrated group will have a new objectSID in the new domain, but the original objectGUID will remain intact.
This distinction is important because of the way Okta internally stores AD groups. Two groups with the same objectGUID would create a duplicate entry for a value that must be unique, which is not allowed.
To resolve this issue, the group must be removed from the Okta records of the original domain and then imported as new into the migrated domain.
- Verify the group no longer exists in the original domain in AD.
- Perform a full import of the group's original domain.
- Confirm the group no longer exists in Okta, using the group description as a guide/locator.
- Once confirmed, perform a full import of the new domain.
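
The first step can be checked from PowerShell before running either import. The script below is an added example, not part of the original article or Okta's tooling: it looks up the group by objectGUID in every domain of the forest and reports where it exists and with which objectSID. It assumes the ActiveDirectory (RSAT) module and read access to each domain; the GUID is a placeholder to replace with the migrated group's objectGUID.

```powershell
# Added example: read-only check of where a migrated group currently lives.
Import-Module ActiveDirectory

# Placeholder value (constructed): replace with the migrated group's objectGUID.
$GroupGuid = [guid]'00000000-0000-0000-0000-000000000000'

$results = foreach ($domain in (Get-ADForest).Domains) {
    try {
        # -Identity accepts an objectGUID; -Server scopes the lookup to one domain.
        $g = Get-ADGroup -Identity $GroupGuid -Server $domain `
                -Properties Description -ErrorAction Stop
        [pscustomobject]@{
            Domain        = $domain
            Found         = $true
            Name          = $g.Name
            GroupScope    = $g.GroupScope      # expected: Universal
            GroupCategory = $g.GroupCategory   # Security or Distribution
            ObjectSID     = $g.SID.Value       # changes when the group moves domains
            Description   = $g.Description     # used to locate the group in Okta
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The group is not present in this domain.
        [pscustomobject]@{
            Domain = $domain; Found = $false; Name = $null; GroupScope = $null
            GroupCategory = $null; ObjectSID = $null; Description = $null
        }
    }
}

$results | Format-Table Domain, Found, Name, GroupScope, ObjectSID -AutoSize

# The group should be found in exactly one domain: the one it was migrated to.
$holders = @($results | Where-Object Found)
switch ($holders.Count) {
    0       { Write-Warning "objectGUID $GroupGuid was not found in any domain of the forest." }
    1       { Write-Output  "Group exists only in $($holders[0].Domain). Run the full import of the original domain first, then the new domain." }
    default { Write-Warning "Group found in more than one domain: $($holders.Domain -join ', '). Do not import until it is gone from the original domain." }
}
```

If the group still shows up in the original domain shortly after the migration, repeat the check once AD replication has completed before starting the full import.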
