
How to generate unique Active Directory DN for duplicate users

Community_User
Saviynt Employee
Originally posted on November 24 2021 at 15:31 UTC

Hi Team,


We are using Saviynt V 5.5 SP3 & have AD connector configured.


In AD connection - Account name rule is configured for generating DN based on display name of the user.


Display name - first name + last name


The user gets created in AD successfully with the display name in the DN.


Issue - 


When a duplicate user (with the same first name & last name) is created, it tries to create two records with the same display name.


After running AD recon, the new account gets deleted from the target & the status in Saviynt shows as SUSPENDED from IMPORT.


Can anyone please guide how to generate a unique DN in the account name rule?


Thanks,

Sitarasmi



This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
8 REPLIES

Community_User
Saviynt Employee
Originally posted on November 24 2021 at 16:26 UTC

Hi Sitarasmi,


Active Directory or any LDAP compliant system will not allow you to create two users with the same DN.

In your case, the second user will not get created at all.


The AD Documentation has the samples on how to use the ACCOUNTNAMERULE to generate a unique DN.

https://saviynt.freshdesk.com/a/solutions/articles/43000615764





Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 25 2021 at 08:30 UTC

Hi Avinash,


Thanks for the link. But I have already gone through this, and am still unable to work out how to generate a unique DN for duplicate entries.


We are using the below sample code in the AD account name rule -


if( (user?.employeeType.equals('Third Party')) )

{'CN='+user?.displayname+',OU=Third Party,OU=abc,DC=def,DC=com'}


Please suggest how we can modify the above to generate a DN for a duplicate display name?


Thanks,

Sitarasmi


Community_User
Saviynt Employee
Originally posted on November 29 2021 at 06:29 UTC

Hi Sitarasmi,


The modification will be based on your requirement. From the above sample code, you can just add multiple rules separated by ### having incremented CN values if a match is already available, for example:
{'CN='+user?.displayname+'1,OU=Third Party,OU=abc,DC=def,DC=com'}



Regards,

Sahaj


Community_User
Saviynt Employee
Originally posted on November 29 2021 at 07:21 UTC

Thanks Sahaj, will try as suggested.


Regards

Sitarasmi


Community_User
Saviynt Employee
Originally posted on November 30 2021 at 10:05 UTC

Hi Sahaj,


We tried adding new rules separated by ### as below. There was no parsing error.


if( (user?.employeeType.equals('Third Party Supplier')) )

{'CN='+user?.displayname+',OU=abc,OU=def,DC=com'+'###'+'CN='+user?.displayname+'1,OU=abc,OU=def,DC=com'}


But we are still facing the same issue.


Unable to create AD accounts having a duplicate display name. Kindly suggest.



Thanks,

Sitarasmi


Community_User
Saviynt Employee
Originally posted on November 30 2021 at 15:35 UTC

Hello Sitarasmi,


As per the document link I shared earlier and what Sahaj has suggested, the syntax that you are using is incorrect.


The separator ### should be used to separate out individual DNs. Here's a simplified version of the logic for your understanding.


CN=${user.username},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '1'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '2'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '3'},OU=Org1,DC=Domain1,DC=org




Regards,

Avinash Chhetri

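Added example, not from this thread or from Saviynt's product: a Python simulation of how a ###-separated candidate list like the one above resolves to the first DN not already present in the target. The placeholder regex handles only the ${user.attr} and ${user.attr + 'N'} forms shown in the thread, EXISTING_DNS is constructed sample data, and the RDN escaping (which the thread does not cover) follows RFC 4514 so a display name containing ',' cannot change the DN structure.

```python
import re
from typing import Optional

# Constructed sample: DNs already present in AD, as a recon/import would
# return them (mixed case on purpose; AD compares DNs case-insensitively).
EXISTING_DNS = {
    "CN=John Smith,OU=Third Party,OU=abc,DC=def,DC=com",
    "cn=John Smith1,ou=Third Party,ou=abc,dc=def,dc=com",
}

# Same shape as the ###-separated ACCOUNTNAMERULE discussed in the thread.
RULE = ("CN=${user.displayname},OU=Third Party,OU=abc,DC=def,DC=com###"
        "CN=${user.displayname + '1'},OU=Third Party,OU=abc,DC=def,DC=com###"
        "CN=${user.displayname + '2'},OU=Third Party,OU=abc,DC=def,DC=com")

# Matches ${user.attr} and ${user.attr + 'suffix'} (hypothetical subset only).
_PLACEHOLDER = re.compile(r"\$\{user\.(\w+)(?:\s*\+\s*'([^']*)')?\}")

def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters in an attribute value used as RDN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def render(template: str, user: dict) -> str:
    """Substitute user attributes (escaped) plus any literal suffix."""
    def sub(m):
        return escape_rdn_value(str(user.get(m.group(1), ""))) + (m.group(2) or "")
    return _PLACEHOLDER.sub(sub, template)

def normalise(dn: str) -> str:
    """Fold case and whitespace around separators for comparison only."""
    return re.sub(r"\s*,\s*", ",", dn).lower()

def resolve_unique_dn(rule: str, user: dict, existing: set) -> Optional[str]:
    """Return the first rendered candidate not already in the target."""
    taken = {normalise(d) for d in existing}
    for candidate in rule.split("###"):
        dn = render(candidate, user)
        if normalise(dn) not in taken:
            return dn
    return None  # all candidates taken: fail loudly rather than guess

if __name__ == "__main__":
    print(resolve_unique_dn(RULE, {"displayname": "John Smith"}, EXISTING_DNS))
```

When every candidate is already taken the function returns None, which is the case to alert on rather than retry silently.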

Community_User
Saviynt Employee
Originally posted on December 15 2021 at 11:32 UTC

Hi Avinash,


We tried the below query as well, still the same behaviour.


CN=${user.username},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '1'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '2'},OU=Org1,DC=Domain1,DC=org###CN=${user.username + '3'},OU=Org1,DC=Domain1,DC=org


Could you please suggest?


Thanks,

Sitarasmi


Community_User
Saviynt Employee
Originally posted on December 15 2021 at 14:44 UTC

Sitarasmi,


Please check/share the full logs from the provisioning run.




Regards,

Avinash Chhetri

