
Active Directory AD Account Create Update passing null Manager Attribute fails

rmomin3
New Contributor

While trying to create or update an account in AD, if the user's manager account does not exist, the task fails with the below error codes for the manager attribute value:

JSON for Manager attribute:  "manager": "${if(managerAccount == null){''} else {managerAccount?.comments}}"
 
Logs:
Creating Account dn-CN=test user3,OU=External Accounts,OU=User Directory,DC=######,DC=com Datamap--[manager:,sAMAccountName:poc.testuser3,givenname:test,accountExpires:0,displayname:test user3,name:test user3,objectClass:[top, person, organizationalPerson, user],UnicodePwd:****,cn:test user3,sn:user3,userAccountControl:512,pwdLastSet:0,]

Error: Error while creating account in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C09114B, comment: Error in attribute conversion operation, data 0, v4563

-------------------------------------------------------------------------------------------------------------------------------------

JSON for Manager attribute:  "manager": "${managerAccount?.comments}"

Logs:
Creating Account dn-CN=test user3,OU=External Accounts,OU=User Directory,DC=######,DC=com Datamap--[manager:null,sAMAccountName:poc.testuser3,givenname:test,accountExpires:0,displayname:test user3,name:test user3,objectClass:[top, person, organizationalPerson, user],UnicodePwd:****,cn:test user3,sn:user3,userAccountControl:512,pwdLastSet:0,]


Error: Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1: 0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)

-------------------------------------------------------------------------------------------------------------------------------------

Provisioning works fine if the managerAccount exists.

The only solution to this is a custom map using the JSON builder through entirely custom code, which works for Create Account. The only problem is when I use the same custom map for the Update Account JSON: if the manager is null or the manager account no longer exists, instead of clearing out the manager attribute in AD, it remains the same because of the if condition that checks whether managerAccount exists. If I don't use the if condition, then again it fails with either error 19 or error 21 depending on whether I pass a null value or an empty value.
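The two failures in the post are the LDAP server's view of the two template outputs: a DN-syntax attribute such as manager cannot take an empty string (result code 21, invalidAttributeSyntax) and cannot take a null value either, so "no manager" has to be expressed by leaving the attribute out of the Add, or on an Update by replacing it with an empty value list. The following is an added example, not code from this thread or from the Saviynt connector: it parses the error lines quoted above into their RFC 4511 result code and Windows sub-code, and builds the Add attributes and the Modify change for manager the way the post wants them (omit on create, clear only when the object actually has a manager on update). The ldap3-style change format {attr: [(op, [values])]} and the constant spelling are my assumptions; nothing is sent to a directory, so it runs offline.

```python
"""Added example, not code from the Saviynt thread or product: shows why the
two templates in the original post fail at the LDAP level and what to send
instead for a DN-valued attribute like 'manager'.

Assumption (mine): the connector ultimately issues LDAP Add/Modify operations,
and a Modify is written here in the ldap3-style form {attr: [(op, [values])]};
ldap3 is not imported, so everything below runs with the stdlib only.
"""
import re

# Same spelling as ldap3's constant (assumption; a plain string here).
MODIFY_REPLACE = "MODIFY_REPLACE"

# RFC 4511 result codes that appear in the thread's log lines.
LDAP_RESULT_NAMES = {19: "constraintViolation", 21: "invalidAttributeSyntax"}

# Windows sub-code 0x57 is ERROR_INVALID_PARAMETER; others are left unnamed.
WIN32_NAMES = {0x57: "ERROR_INVALID_PARAMETER"}

_LOG_RE = re.compile(r"LDAP: error code (?P<code>\d+) - (?P<win>[0-9A-Fa-f]{8})")


def parse_ad_error(line):
    """Pull the LDAP result code and the 8-hex-digit Windows sub-code out of an AD error line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    win = int(m.group("win"), 16)
    return {
        "ldap_code": code,
        "ldap_name": LDAP_RESULT_NAMES.get(code, "unknown"),
        "win32_code": win,
        "win32_name": WIN32_NAMES.get(win, "unknown"),
    }


def add_attributes(base_attrs, manager_dn):
    """Attribute set for an LDAP Add.

    'manager' has DN syntax, so '' is rejected (invalidAttributeSyntax, code 21)
    and an LDAP attribute value cannot be null; the only safe encoding of
    "no manager" is to leave the attribute out of the Add entirely.
    """
    attrs = dict(base_attrs)
    attrs.pop("manager", None)
    if manager_dn:  # None and '' both mean "no manager"
        attrs["manager"] = manager_dn
    return attrs


def manager_modify(current_manager, new_manager):
    """Modify changes for 'manager', as {attr: [(op, values)]}.

    - new value present and different: REPLACE with that DN
    - new value empty but the object has a manager: REPLACE with an empty
      value list, which removes the attribute (RFC 4511 modify semantics)
      without ever sending '' or null as a value
    - nothing to change: {} so the caller skips the attribute
    """
    if new_manager:
        if new_manager == current_manager:
            return {}
        return {"manager": [(MODIFY_REPLACE, [new_manager])]}
    if current_manager:
        return {"manager": [(MODIFY_REPLACE, [])]}
    return {}


# Constructed sample lines, copied from the error text quoted in the post.
SAMPLE_ERRORS = [
    "Error while creating account in AD - [LDAP: error code 21 - 00000057: LdapErr: "
    "DSID-0C09114B, comment: Error in attribute conversion operation, data 0, v4563",
    "Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: "
    "DSID-03153438, #1: 0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), "
    "data 0, Att 15000a (manager)",
]

if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(parse_ad_error(line))
    base = {"sAMAccountName": "poc.testuser3", "cn": "test user3"}
    print(add_attributes(base, ""))  # no 'manager' key at all
    print(manager_modify("CN=old mgr,OU=Users,DC=example,DC=com", None))  # clears it
    print(manager_modify(None, None))  # {} -> attribute left untouched
```

The design point is that the decision "send nothing" versus "send a clear" needs the object's current manager as input, which is exactly what a template expression evaluated only against the user and managerAccount objects cannot see; that is why the same if condition that protects Create leaves a stale manager on Update.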


10 REPLIES

Raghu
Regular Contributor III

Can you try the below:

"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' ){''} else {managerAccount?.comments} }"


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

rmomin3
New Contributor

@Raghu Thanks for your response. I tried that as well and am getting:

2024-04-03 13:20:05,206 [quartzScheduler_Worker-6] DEBUG println.PrintlnToLogger - Println :: | Error javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C0910CF, comment: Error in attribute conversion operation, data 0, v3839 ]; remaining name 'CN=XXXX,CN=Users,DC=XXXX,DC=XXXX,DC=XXXX'

Raghu
Regular Contributor III

Try like below:

// Only put manager into the request when both the user's manager and the
// manager's account object exist; literal backslashes in the DN are replaced
// with the ###UNESCAPEBACKSLASH### placeholder token.
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager', managerAccount.comments.replace('\\', '###UNESCAPEBACKSLASH###'));
}

 

Or try the below as well:

"manager": "${ if(managerAccount == null || managerAccount.comments == null || managerAccount.comments == '' ){''} else {managerAccount.comments} }"


Thanks,
Raghu

rmomin3
New Contributor

@Raghu, it works fine when there is a manager with an active AD account. It fails with the error I mentioned when we try to provision/update the account in AD if the manager is null or the manager doesn't have an AD account.

With your logic, the if condition will be false, so it doesn't send the manager attribute in the request to AD and the manager remains the same as before.

Raghu
Regular Contributor III

If the manager object is null, I believe the managerAccount object will not work either. It is associated with the manager object only.


Thanks,
Raghu

rmomin3
New Contributor

Even if you assign a manager who does not have an AD account, it still gives the same issue. The issue is that this can be a valid case where the manager account doesn't exist: if a user's manager is terminated and a new manager hasn't been assigned, HR sends a null value for the time being.

I have access to other tenants which are on EIC v23.x and v24.x, and there we are passing "manager": "${managerAccount?.comments}". It actually does not pass the manager attribute in the request to AD since managerAccount is null, but it seems that with 5.5 SP3.x it passes a null value to AD for the manager attribute.

rushikeshvartak

"manager": "${managerAccount != null ? managerAccount?.comments : ''}"


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Raghu
Regular Contributor III

It is expected behavior, right? Because manager is a mandatory field for user creation itself.


Thanks,
Raghu

rmomin3
New Contributor

@rushikeshvartak I have tried this as well; it still doesn't work. Getting error 21.

rushikeshvartak

Please check that there are no duplicate accounts in the endpoint.


Regards,
Rushikesh Vartak