04/12/2022 01:18 PM
Hi Team,
We are using Saviynt v5.5 SP3 and have an AD connector configured.
In the AD connection, the account name rule is configured to generate the DN based on the display name of the user.
Display name = first name + last name
The user gets created in AD successfully with the display name in the DN.
Issue:
When a duplicate user (with the same first name & last name) is created, it tries to create two records with the same displayname.
After running AD recon, the new account gets deleted from the target and its status in Saviynt is SUSPENDED from IMPORT.
Can anyone please guide how to generate a unique DN in the account name rule?
Thanks,
Sitarasmi
04/12/2022 02:54 PM
Hi Sitarasmi,
Active Directory or any LDAP compliant system will not allow you to create two users with the same DN.
In your case, the second user will not get created at all.
The AD Documentation has the samples on how to use the ACCOUNTNAMERULE to generate a unique DN.
https://saviynt.freshdesk.com/a/solutions/articles/43000615764
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
Hi Avinash,
Thanks for the link. But I have already gone through this, and am still unable to get how to generate a unique DN for duplicate entries.
We are using the below sample code in the AD account name rule:
if( (user?.employeeType.equals('Third Party')) )
{'CN='+user?.displayname+',OU=Third Party,OU=abc,DC=def,DC=com'}
Please suggest how we can modify the above to generate a DN for a duplicate displayname.
Thanks,
Sitarasmi
04/12/2022 02:54 PM
Hi Sitarasmi,
The modification will be based on your requirement. From the above sample code, you can just add multiple rules separated by ###, having incremented CN values if a match is already available, for example:
{'CN='+user?.displayname+'1,OU=Third Party,OU=abc,DC=def,DC=com'}
Regards,
Sahaj
04/12/2022 02:54 PM
Thanks Sahaj, will try as suggested.
Regards,
Sitarasmi
04/12/2022 02:54 PM
Hi Sahaj,
We tried adding new rules separated by ### as below. There was no parsing error.
if( (user?.employeeType.equals('Third Party Supplier')) )
{'CN='+user?.displayname+',OU=abc,OU=def,DC=com'+'###'+'CN='+user?.displayname+'1,OU=abc,OU=def,DC=com'}
But still facing the same issue.
Unable to create AD accounts having duplicate displayname. Kindly suggest.
Thanks,
Sitarasmi
04/12/2022 02:54 PM
Hello Sitarasmi,
As per the document link I shared earlier and what Sahaj has suggested, the syntax that you are using is incorrect.
The separator ### should be used to separate out individual DNs. Here's a simplified version of the logic for your understanding.
CN=${user.username},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '1'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '2'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '3'},OU=Org1,DC=Domain1,DC=org
Regards,
Avinash Chhetri
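The fallback described in the replies above (candidate DNs separated by ###, with the next one used when a match already exists) can be checked offline before a provisioning run. The sketch below is an added example, not Saviynt code and not part of any post in this thread; it assumes the first non-colliding candidate is the one chosen, and its function names and sample directory entries are constructed for illustration. It also escapes the name per RFC 4514, because a display name containing a comma would otherwise change the structure of the DN.

```python
import re

SEPARATOR = "###"  # candidate separator used in the thread's account name rule
SPECIALS = ',+"\\<>;'  # characters RFC 4514 requires escaping inside a value


def escape_rdn_value(value):
    """Escape an attribute value so it cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in SPECIALS or leading or trailing else ch)
    return "".join(out)


def normalize_dn(dn):
    """AD compares DNs case-insensitively; also drop spaces around
    unescaped commas so 'CN=a, OU=b' and 'cn=a,ou=b' compare equal."""
    return re.sub(r"\s*(?<!\\),\s*", ",", dn.strip()).casefold()


def build_rule_output(display_name, base, suffixes=("", "1", "2", "3")):
    """Build the ###-separated candidate list, escaping name plus suffix."""
    return SEPARATOR.join(
        "CN=%s,%s" % (escape_rdn_value(display_name + s), base) for s in suffixes
    )


def first_free_dn(rule_output, existing_dns):
    """Return the first candidate not already in the directory, or None
    when every candidate collides (assumed first-free semantics)."""
    taken = {normalize_dn(d) for d in existing_dns}
    for candidate in rule_output.split(SEPARATOR):
        candidate = candidate.strip()
        if candidate and normalize_dn(candidate) not in taken:
            return candidate
    return None


# Constructed sample data: base DN from the thread, one existing account.
BASE = "OU=Third Party,OU=abc,DC=def,DC=com"
EXISTING = ["cn=john smith, ou=Third Party,ou=abc,dc=def,dc=com"]

if __name__ == "__main__":
    print(first_free_dn(build_rule_output("John Smith", BASE), EXISTING))
```

If `first_free_dn` returns `None`, the candidate list is too short for the number of duplicates and needs more suffixes.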
04/12/2022 02:54 PM
Hi Avinash,
We tried the below query as well, still the same behaviour.
CN=${user.username},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '1'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '2'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '3'},OU=Org1,DC=Domain1,DC=org
Could you please suggest.
Thanks,
Sitarasmi
04/12/2022 02:54 PM
Sitarasmi,
Please check/share the full logs from the provisioning run.
Regards,
Avinash Chhetri