
Active directory assign group - Error in attribute conversion operation

Jillustre
New Contributor III

Hey folks,

In Saviynt we have a technical rule that assigns some groups in AD when a new user is active in Saviynt. I've confirmed with my network admin that those groups exist with the exact name. But on the provisioning task, it gives us the following error:

while ADD operation
for account - test to Group - CN = mailinglist - ss - sioti, OU = Groups - MailingLists, OU = test, DC = test, DC = com in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID - 0 C090FEC, comment: Error in attribute conversion operation, data 0, v4563] Error

What could cause this? After a couple of searches, I've found nothing about it...

thanks

22 REPLIES

sundas7
Regular Contributor II

Hi,

The LDAP error 16 usually occurs when the attributes that we pass are not found in the AD schema.

Can you please paste the JSON details (masking the customer information)?

Thanks

Shyam

 

Jillustre
New Contributor III

@sundas7 JSON detail of what config?

rushikeshvartak
All-Star

Share the modifyaccount JSON; some attribute update is not allowed.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Jillustre
New Contributor III

@rushikeshvartak This is for the Active Directory (connection type ActiveDirectory (AD)), so there is no ModifyAccountJson... And in this case, the pending task error is on AddAccess for the entitlement (in this case, the group).

Does the service account have the required privileges?


Regards,
Rushikesh Vartak

Jillustre
New Contributor III

Yes, the service account has those privileges.

Is this issue with all entitlements/groups or one of the groups?


Regards,
Rushikesh Vartak

Jillustre
New Contributor III

Only with certain groups. When I've checked some of our latest group assignments for some of our latest created users, some got it assigned, some didn't. On each user onboarding, 3 groups are supposed to be assigned. Sometimes only 1 or 2 of them work and the other(s) get that error.

It is not the same group for each user, because the group depends on the department and organization of the user.

Looks like a privilege issue. Work with the AD admin, log in with the service account and try to assign; if there are no issues there, then you can debug in Saviynt.


Regards,
Rushikesh Vartak

Jillustre
New Contributor III

Working with the network admin now. Will keep you updated.

Jillustre
New Contributor III

@rushikeshvartak Finally we tried a scenario: there is no issue when we log in as the service account and assign the non-working group to a user via AD Explorer. So the problem is with Saviynt. Do you want me to try add access on the non-working group and send you the log after the error?

Jillustre
New Contributor III

@rushikeshvartak @sundas7 I receive this in the application log emc-worker:

{"log":"javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, v4563\u0000]; remaining name 'CN=policy-ss-dgoia,OU=Groups-Policies,OU=BUZ,DC=test,DC=com'\n","stream":"stdout","time":"2022-11-22T17:45:05.156149918Z"}

Error in attribute conversion operation, not sure why...

And like I said previously, the service account had permission to assign groups and we tested it previously.
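Added example (not part of the original thread and not Saviynt code): a small triage script that parses JSON log lines shaped like the emc-worker entry above, decodes the LDAP result code (16 is noSuchAttribute in RFC 4511) and the leading Win32 code (0x57 is ERROR_INVALID_PARAMETER), and counts failures per target DN so the affected groups can be compared in AD. The sample lines and the second DN are constructed.

```python
import json
import re
from collections import Counter

LDAP_RESULT = {16: "noSuchAttribute", 50: "insufficientAccessRights"}  # RFC 4511 names
WIN32 = {0x57: "ERROR_INVALID_PARAMETER", 0x05: "ERROR_ACCESS_DENIED"}

# AD extended error text: <win32 hex>: LdapErr: DSID-<id>, comment: <text>, data <n>
AD_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): \w+: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>\w+)")
REMAINING = re.compile(r"remaining name '(?P<dn>[^']*)'")

def parse_worker_line(line):
    """Parse one JSON log line; return None when it carries no AD LDAP error."""
    try:
        rec = json.loads(line)
        msg = rec["log"]
    except (ValueError, KeyError, TypeError):
        return None
    m = AD_ERR.search(msg) if isinstance(msg, str) else None
    if not m:
        return None
    dn = REMAINING.search(msg)
    code, win32 = int(m["code"]), int(m["win32"], 16)
    return {"time": rec.get("time"),
            "ldap": LDAP_RESULT.get(code, str(code)),
            "win32": WIN32.get(win32, hex(win32)),
            "dsid": m["dsid"], "comment": m["comment"],
            "target_dn": dn["dn"] if dn else None}

def failures_by_dn(lines):
    """Count failures per target DN to show which groups are affected."""
    hits = (parse_worker_line(l) for l in lines)
    return Counter(h["target_dn"] for h in hits if h)

# Constructed sample input, modelled on the log line quoted in the thread.
ERR = ("javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: "
       "LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, "
       "v4563\x00]; remaining name '{dn}'\n")
DN_A = "CN=policy-ss-dgoia,OU=Groups-Policies,OU=BUZ,DC=test,DC=com"
DN_B = "CN=example-group,OU=Groups,DC=test,DC=com"  # constructed DN
def make_line(msg, ts):
    return json.dumps({"log": msg, "stream": "stdout", "time": ts})
SAMPLE = [make_line(ERR.format(dn=DN_A), "2022-11-22T17:45:05Z"),
          make_line("task completed\n", "2022-11-22T17:45:06Z"),
          make_line(ERR.format(dn=DN_A), "2022-11-22T17:50:11Z"),
          make_line(ERR.format(dn=DN_B), "2022-11-22T17:51:40Z"),
          "not json at all"]

if __name__ == "__main__":
    for dn, n in failures_by_dn(SAMPLE).most_common():
        print(n, dn)
```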

Share the create account JSON.


Regards,
Rushikesh Vartak

Jillustre
New Contributor III

@rushikeshvartak The problem is with add access, when trying to assign a group. Create account works fine, but here it is:

{
"accountExpires": "0",
"cn": "${cn}",
"department": "${user.departmentname}",
"displayname": "${user.firstname} ${user.lastname}",
"employeenumber": "${user.employeeid}",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"name": "${user.firstname} ${user.lastname}",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"physicaldeliveryofficename": "${user.location}",
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"streetAddress": "${user.street}",
"title": "${user.title}",
"manager": "${managerAccount.accountID}",
"userPrincipalName":"${user.email.split('@')[0]}@domain.ca",
"userAccountControl":"512",
"userPassword":"${randomPassword}",
"company":"${user.companyname}"
}

Does the service account have sufficient privileges to add into the group? Is it failing for all groups?


Regards,
Rushikesh Vartak

Like I said previously, the service account has access, and it is not for all groups; that sounds weird!

JasBel
New Contributor III

Hi Jillustre, were you able to find the issue?  We are experiencing the same issue on our side.  Saviynt can give access to mostly all groups except there are some that we are getting the error: LDAP: error code 16 - 00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, v4563

Let me know if you found a resolution for this?
Thank you in advance,
Jason

You might encounter this error if either any attribute name or value being passed to AD is incorrect or one of the attributes you are passing to add access does not exist in the AD or is empty.

Please compare these attributes/values with existing values in AD to see if there is any discrepancy in how the data is being passed. Also, can you please try to pass SUPPORTEMPTYSTRING = true in the connection and see if this works?

If you still can't find the solution, please raise an FD for the Saviynt Support to assist you.

KA

jdoma
Regular Contributor

Even we are facing the same error and could not get much detail from the Saviynt logs. We have worked with the AD team but they also could not get much information on this.

Have you guys identified the issue?

Share the JSON.


Regards,
Rushikesh Vartak

jdoma
Regular Contributor

Which JSON represents Add Access? I do not see anything in the AD connection.

Is your connection SSL? Is it happening with all entitlements?


Regards,
Rushikesh Vartak