07/10/2023 08:57 AM - edited 08/23/2024 11:02 AM
AD is one of the most commonly used connectors. This article provides best practices for configuring the AD connector.
All versions
Sample JSON for the Accounts Import -
[ACCOUNTID::objectGUID#String,
NAME::sAMAccountName#String,
DISPLAYNAME::name#String,
RECONCILATION_FIELD::ACCOUNTID]
Sample JSON for Group Import -
{
"entitlementTypeName": "",
"performGroupAccountLinking": "true",
"importnestedmembershipoutofscope": "true",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"mapping":"memberHash:member_char,customProperty1:sAMAccountType_char,customProperty2:instanceType_char,customProperty3:uSNCreated_char,customProperty4:groupType_char,customProperty5:dSCorePropagationData_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whenCreated_date,customProperty15:managedBy_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectCategory_char,customProperty11:sAMAccountName_char,entitlement_value:distinguishedName_char,entitlementid:distinguishedName_char,customProperty14:objectClass_char,updatedate:whenChanged_date,customPropErty17:distinguishedName_char,RECONCILATION_FIELD:customProperty18,customProperty18:objectGUID_Binary",
"tableFieldAttribute": "accountID"
}
CREATED_ON::whenCreated#date,UPDATEDATE::whenChanged#date
Better performance and ease of maintenance
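A pre-deployment lint for the two mapping styles shown above, as an added example that is not Saviynt code: it parses a mapping and checks that RECONCILATION_FIELD resolves to a field sourced from objectGUID or objectSID, the two attributes named in the connector log message quoted in the comments below. The function names, the case-insensitive field matching and the type-suffix list (taken from the samples on this page) are assumptions of the example.

```python
import re

# Constructed samples in the two mapping styles shown on this page.
ACCOUNT_ATTRIBUTE = """[ACCOUNTID::objectGUID#String,
NAME::sAMAccountName#String,
DISPLAYNAME::name#String,
RECONCILATION_FIELD::ACCOUNTID]"""
GROUP_MAPPING = ("entitlementid:distinguishedName_char,updatedate:whenChanged_date,"
                 "RECONCILATION_FIELD:customProperty18,customProperty18:objectGUID_Binary")

# Attributes the connector's log message names as valid reconciliation sources.
STABLE_IDS = {"objectguid", "objectsid"}
# Type suffixes seen in the mappings on this page (assumed list, not exhaustive).
TYPE_SUFFIX = re.compile(r"(#\w+|_(char|date|Binary))$")


def parse_mapping(text):
    """Parse 'FIELD::attr#Type' or 'field:attr_type' entries into {FIELD: attr}."""
    fields = {}
    for entry in text.strip().strip("[]").split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        target, sep, source = entry.partition("::" if "::" in entry else ":")
        if not sep or not target.strip() or not source.strip():
            raise ValueError(f"malformed mapping entry: {entry!r}")
        # Field names are compared case-insensitively (assumption of this example).
        fields[target.strip().upper()] = TYPE_SUFFIX.sub("", source.strip())
    return fields


def check_reconciliation(text):
    """Return (ok, detail) describing what RECONCILATION_FIELD resolves to."""
    fields = parse_mapping(text)
    recon = fields.get("RECONCILATION_FIELD")
    if recon is None:
        return False, "no RECONCILATION_FIELD entry"
    attr = fields.get(recon.upper())
    if attr is None:
        return False, f"RECONCILATION_FIELD points at unmapped field {recon}"
    if attr.lower() not in STABLE_IDS:
        return False, f"{recon} is mapped to {attr}, not objectGUID or objectSID"
    return True, f"{recon} -> {attr}"


if __name__ == "__main__":
    for name, mapping in (("accounts", ACCOUNT_ATTRIBUTE), ("groups", GROUP_MAPPING)):
        print(name, check_reconciliation(mapping))
```

Run it against the ACCOUNT_ATTRIBUTE and group-import mapping strings before saving the connection, so a reconciliation field keyed on a renameable attribute such as sAMAccountName or the DN is caught before the first import.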
Hi @Rishi, I am onboarding an LDAP application to manage group lifecycle and group access provisioning/reconciliation, assuming it will follow a similar kind of setup as "AD". I have a few questions/doubts here, if you can look into them and respond.
1) In the provisioning job execution I see this line in the logs: "You must have objectGUID or objectSID present in ACCOUNT_ATTRIBUTE as a Reconcilation_Field".
objectGUID or objectSID is not present in LDAP, but we have entryUUID, which is unique for all LDAP accounts. Is it OK to use this attribute, or is it mandatory to have one of them (objectGUID or objectSID)?
2) While provisioning user access to an LDAP group I am getting this exception in the logs:
"java.lang.NullPointerException: Cannot invoke method toUpperCase() on null object"
What could be the issue here? A few of the log lines, printed in the given sequence from bottom to top:
Exception
java.lang.NullPointerException: Cannot invoke method toUpperCase() on null object
    at com.saviynt.ldap.SaviyntGroovyLdapService$_printBindingMap_closure43.doCall(SaviyntGroovyLdapService.groovy:5213)
    at com.saviynt.ldap.SaviyntGroovyLdapService.printBindingMap(SaviyntGroovyLdapService.groovy:5207)
    at com.saviynt.ldap.SaviyntGroovyLdapService$_provisionAccessToAccountGLDAP_closure4.doCall(SaviyntGroovyLdapService.groovy:1329)
    at com.saviynt.ldap.SaviyntGroovyLdapService.provisionAccessToAccountGLDAP(SaviyntGroovyLdapService.groovy:1242)
    at com.saviynt.ecm.services.ArsTaskService.provisionAccessToAccounttarget(ArsTaskService.groovy:11452)
    at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsOneAddAccess_closure45.doCall(ArsTaskHelperService.groovy:2794)
    at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsOneAddAccess(ArsTaskHelperService.groovy:2785)
    at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:165)
    at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160)
    at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)
Inside getAttrUsingGUIDorSID method
Enter getLDAPContext
calling executeRequestWithTimeoutConfig for api...
calling api...
Enter acquireLDAPContext
Setting default timeout
Env Properties in IMPORTJSON: null
enable_dclocator = false
Exit getLDAPContext
called api...
timeout validated for api...
got response for api...
You must have objectGUID or objectSID present in ACCOUNT_ATTRIBUTE as a Reconcilation_Field
Result size= 0
Query to update Account DN Attr: Select accountID from ACCOUNTS WHERE ACCOUNTKEY={userkey}
Enter getAssignedGroups
@Rishi can we get a writeup for AD service Account Management?
@Manu269 sure, we will publish an article on service Account Management
Can we know the incremental config for user import? The above config is not working for user import.
Hi @trivi, just use the CREATEDATE and UPDATEDATE configuration in the USER_ATTRIBUTE configuration. That's it.