04/03/2024 05:26 AM
While trying to create or update an account in AD, if the user's manager account does not exist, the task fails with the error codes below for the manager attribute value:
JSON for Manager attribute: "manager": "${if(managerAccount == null){''} else {managerAccount?.comments}}"
Logs:
Creating Account dn-CN=test user3,OU=External Accounts,OU=User Directory,DC=######,DC=com Datamap--[manager:,sAMAccountName:poc.testuser3,givenname:test,accountExpires:0,displayname:test user3,name:test user3,objectClass:[top, person, organizationalPerson, user],UnicodePwd:****,cn:test user3,sn:user3,userAccountControl:512,pwdLastSet:0,]
Error: Error while creating account in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C09114B, comment: Error in attribute conversion operation, data 0, v4563
-------------------------------------------------------------------------------------------------------------------------------------
JSON for Manager attribute: "manager": "${managerAccount?.comments}"
Logs:
Creating Account dn-CN=test user3,OU=External Accounts,OU=User Directory,DC=######,DC=com Datamap--[manager:null,sAMAccountName:poc.testuser3,givenname:test,accountExpires:0,displayname:test user3,name:test user3,objectClass:[top, person, organizationalPerson, user],UnicodePwd:****,cn:test user3,sn:user3,userAccountControl:512,pwdLastSet:0,]
Error: Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1: 0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
-------------------------------------------------------------------------------------------------------------------------------------
Provisioning works fine if the managerAccount exists.
The only solution to this is using a custom map via the JSON builder through entirely custom code, which works for Create Account. The only problem is when I use the same custom map for the Update Account JSON: if the manager is null or the manager account no longer exists, instead of clearing out the manager attribute in AD, it remains the same because of the if condition that checks whether managerAccount exists. If I don't use the if condition, then again it fails with either error 19 or error 21 depending on whether I pass a null value or an empty value.
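The two failures above come from the same root cause: AD's manager attribute has DN syntax, so an empty string is rejected as invalid syntax (error 21) and a null value as a constraint violation (error 19); clearing it on update requires a modify that removes the attribute's values. The function below is an added illustration of that mapping and is not Saviynt connector code; it assumes managerAccount.comments carries the manager's distinguishedName and emits the {attribute: [(operation, values)]} shape used by ldap3's modify(), without importing ldap3.

```python
"""Added example: map a nullable managerAccount to an LDAP change for the
DN-syntax 'manager' attribute instead of sending "" (error 21) or null (error 19)."""
import re
from typing import Dict, List, Optional, Tuple

# Loose DN shape check: attr=value pairs separated by commas, allowing
# backslash-escaped characters such as "\," inside a value.
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=(?:\\.|[^,\\])+(\s*,\s*[A-Za-z][\w-]*=(?:\\.|[^,\\])+)*\s*$")


def is_dn(value: str) -> bool:
    """True if value looks like an LDAP distinguished name."""
    return bool(_DN_RE.match(value))


def manager_modification(manager_account: Optional[dict], is_create: bool) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Return the 'manager' change to send to AD.

    manager_account: the resolved manager account (hypothetical dict whose
        'comments' key holds the manager's DN), or None when the manager has
        no AD account or HR sent a null manager.
    is_create: True for Create Account, False for Update Account.
    """
    manager_dn = (manager_account or {}).get("comments")
    if manager_dn is None or manager_dn.strip() == "":
        if is_create:
            # New object: nothing to clear, so leave the attribute out entirely.
            return {}
        # Update: replace with an empty value set, which removes the attribute
        # (RFC 4511 section 4.6: a replace with no values deletes the attribute).
        return {"manager": [("MODIFY_REPLACE", [])]}
    if not is_dn(manager_dn):
        # Catch a non-DN value locally rather than getting error 21 back from AD.
        raise ValueError(f"manager value is not a DN: {manager_dn!r}")
    return {"manager": [("MODIFY_REPLACE", [manager_dn])]}
```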
04/03/2024 05:41 AM
Can you try the below:
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' ){''} else {managerAccount?.comments} }"
04/03/2024 06:26 AM - edited 04/03/2024 06:35 AM
@Raghu Thanks for your response. I tried with that as well and am getting:
2024-04-03 13:20:05,206 [quartzScheduler_Worker-6] DEBUG println.PrintlnToLogger - Println :: | Error javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C0910CF, comment: Error in attribute conversion operation, data 0, v3839 ]; remaining name 'CN=XXXX,CN=Users,DC=XXXX,DC=XXXX,DC=XXXX'
04/03/2024 07:23 AM - edited 04/03/2024 07:28 AM
Try like below:
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager', managerAccount.comments.replace('\\', '###UNESCAPEBACKSLASH###'));
}
Or try the below again as well:
"manager": "${ if(managerAccount == null || managerAccount.comments == null || managerAccount.comments == '' ){''} else {managerAccount.comments} }"
04/03/2024 07:28 AM
@Raghu, it works fine when there is a manager with an active AD account. It fails with the error I mentioned when we try to provision/update an account in AD if the manager is null or the manager doesn't have an AD account.
With your logic, the if condition will be false, so it doesn't send the manager attribute in the request to AD and the manager remains the same as before.
04/03/2024 07:30 AM
If the manager object is null, I believe the managerAccount object also will not work. It is associated with the manager object only.
04/03/2024 07:57 AM - edited 04/03/2024 08:19 AM
Even if you assign a manager who does not have an AD account, it still gives the same issue. The issue is that this can be a valid case where the manager account doesn't exist: if a user's manager is terminated and a new manager hasn't been assigned, HR sends a null value for the time being.
I have access to other tenants which are on EIC v23.x and v24.x, and there we are passing "manager": "${managerAccount?.comments}". It is actually not passing the manager attribute in the request to AD since managerAccount is null, but it seems with 5.5 SP3.x it passes a null value to AD for the manager attribute.
04/03/2024 08:02 PM
"manager": "${managerAccount != null ? managerAccount?.comments : ''}"
04/04/2024 06:12 AM
It is expected behavior, right? Because manager is a mandatory field in user creation itself.
04/04/2024 05:37 AM
@rushikeshvartak I have tried this as well; it still doesn't work. Getting error 21.
04/04/2024 11:49 AM
Please check that there are no duplicate accounts in the endpoint.