11-08-2022 09:22 AM
Hey folks,
In Saviynt we have a technical rule that assigns some groups in AD when a new user is active in Saviynt. I've confirmed with my network admin that those groups exist with the exact name. But on the provisioning task, it gives us the following error:
while ADD operation for account - test to Group - CN=mailinglist-ss-sioti,OU=Groups-MailingLists,OU=test,DC=test,DC=com in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, v4563] Error
What could cause this? After a couple of searches, I've found nothing about it...
Thanks
11-08-2022 09:48 AM
Hi,
The LDAP error 16 usually occurs when the attributes that we pass are not found in the AD schema.
Can you please paste the JSON details (masking the customer information)?
Thanks
Shyam
11-08-2022 09:50 AM - edited 11-08-2022 09:50 AM
@sundas7 JSON details of what config?
11-08-2022 11:01 AM
Share the modifyaccount JSON; some attribute update is not allowed.
11-08-2022 11:04 AM
@rushikeshvartak This is for Active Directory (connection type ActiveDirectory(AD)), so there is no ModifyAccountJson... And in this case, the pending task error is on AddAccess for the entitlement (in this case, the group).
11-08-2022 11:27 AM
Does the service account have the required privileges?
11-08-2022 11:29 AM
Yes, the service account has those privileges.
11-08-2022 11:33 AM
Is this issue with all entitlements/groups or one of the groups?
11-08-2022 11:37 AM
Only with certain groups. When I checked some of our latest group assignments for some of our latest created users, some got it assigned, some didn't. On each user onboarding, 3 groups are supposed to be assigned. Sometimes only 1 or 2 of them work and the other(s) get that error.
It is not the same group for each user, because the group depends on the department and organization of the user.
11-08-2022 11:48 AM
Looks like a privilege issue. Work with the AD admin, log in with the service account and try to assign; if there are no issues there, then you can debug in Saviynt.
11-13-2022 04:40 PM
Working with the network admin now. Will keep you updated.
11-17-2022 11:50 AM
@rushikeshvartak Finally we tried a scenario: there is no issue when we log in as the service account and assign the non-working group to a user via AD Explorer. So the problem is with Saviynt. Do you want me to try add access on the non-working group and send you the log after the error?
11-22-2022 09:51 AM - edited 11-22-2022 09:55 AM
@rushikeshvartak @sundas7 I receive this in the application log emc-worker:
{"log":"javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, v4563\u0000]; remaining name 'CN=policy-ss-dgoia,OU=Groups-Policies,OU=BUZ,DC=test,DC=com'\n","stream":"stdout","time":"2022-11-22T17:45:05.156149918Z"}
Error in attribute conversion operation, not sure why...
And like I said previously, the service account had permission to assign groups, and we tested it previously.
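To see which group DNs are affected and how often, the error lines in the worker log can be tallied per target DN. The following is an added example, not part of the original thread and not Saviynt code; it assumes the log is in the JSON-lines shape of the line posted above, and the function names and all sample lines (including the second DN) are constructed for illustration.

```python
import json
import re
from collections import Counter

# Matches the AD extended error text in the shape shown in the thread's log line.
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hexcode>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>\w+), (?P<ver>v\w+)"
)
REMAINING = re.compile(r"remaining name '(?P<dn>[^']*)'")

def parse_line(raw):
    """Parse one JSON log line; return error fields or None if no LDAP error."""
    try:
        record = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    msg = str(record.get("log", "")).replace("\x00", "")  # drop the logged \u0000
    err = LDAP_ERR.search(msg)
    if not err:
        return None
    dn = REMAINING.search(msg)
    return {**err.groupdict(), "code": int(err["code"]),
            "dn": dn.group("dn") if dn else None, "time": record.get("time")}

def failing_groups(lines, code=16):
    """Count occurrences of the given LDAP error code per target DN."""
    parsed = (parse_line(line) for line in lines)
    return Counter(p["dn"] for p in parsed if p and p["code"] == code and p["dn"])

def _sample(dn, ts):
    # Constructed log line in the same shape as the one posted in the thread.
    msg = ("javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - "
           "00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion "
           "operation, data 0, v4563\x00]; remaining name '" + dn + "'\n")
    return json.dumps({"log": msg, "stream": "stdout", "time": ts})

PAGE_DN = "CN=policy-ss-dgoia,OU=Groups-Policies,OU=BUZ,DC=test,DC=com"
OTHER_DN = "CN=example-group,OU=Groups-Example,DC=test,DC=com"  # constructed
SAMPLE = [_sample(PAGE_DN, "2022-11-22T17:45:05.156149918Z"),
          _sample(PAGE_DN, "2022-11-22T17:50:00Z"),
          _sample(OTHER_DN, "2022-11-22T17:51:00Z"),
          '{"log": "task completed\\n", "stream": "stdout"}', "not json at all"]

if __name__ == "__main__":
    print(failing_groups(SAMPLE).most_common())
```

Feeding it the real log file line by line gives the list of failing DNs to compare against the groups that provision correctly.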
11-22-2022 10:08 AM
Share the create account JSON.
11-23-2022 04:47 AM
@rushikeshvartak The problem is with add access, when trying to assign a group. Create account works fine, but here it is:
{
  "accountExpires": "0",
  "cn": "${cn}",
  "department": "${user.departmentname}",
  "displayname": "${user.firstname} ${user.lastname}",
  "employeenumber": "${user.employeeid}",
  "employeetype": "${user.employeeType}",
  "givenName": "${user.firstname}",
  "l": "${user.city}",
  "mail": "${user.email}",
  "name": "${user.firstname} ${user.lastname}",
  "objectClass": [
    "top",
    "person",
    "organizationalPerson",
    "user"
  ],
  "physicaldeliveryofficename": "${user.location}",
  "pwdLastSet": "0",
  "sAMAccountName": "${task.accountName}",
  "sn": "${user.lastname}",
  "streetAddress": "${user.street}",
  "title": "${user.title}",
  "manager": "${managerAccount.accountID}",
  "userPrincipalName": "${user.email.split('@')[0]}@domain.ca",
  "userAccountControl": "512",
  "userPassword": "${randomPassword}",
  "company": "${user.companyname}"
}
11-23-2022 05:01 AM
Does the service account have sufficient privileges to add into the group? Is it failing for all groups?
11-23-2022 05:03 AM
Like I said previously, the service account has access, and it is not for all groups; that sounds weird!
12-14-2022 07:17 AM
Hi Jillustre, were you able to find the issue? We are experiencing the same issue on our side. Saviynt can give access to mostly all groups except there are some that we are getting the error: LDAP: error code 16 - 00000057: LdapErr: DSID-0C090FEC, comment: Error in attribute conversion operation, data 0, v4563
Let me know if you found a resolution for this?
Thank you in advance,
Jason
12-19-2022 03:42 AM
You might encounter this error if either any attribute name or value being passed to AD is incorrect, or one of the attributes you are passing to add access does not exist in the AD or is empty.
Please compare these attributes/values with existing values in AD to see if there is any discrepancy in how the data is being passed. Also, can you please try to pass SUPPORTEMPTYSTRING = true in the connection and see if this works?
If you still can't find the solution, please raise an FD for the Saviynt Support to assist you.
01-15-2023 09:51 PM
Even we are facing the same error and could not get much detail from the Saviynt logs. We have worked with the AD team but they also could not get much information on this.
Have you guys identified the issue?
01-16-2023 04:11 AM
Share json
01-16-2023 02:59 PM
Which JSON represents Add Access? I do not see anything in the AD connection.
01-17-2023 09:10 PM
Is your connection SSL? Is it happening with all entitlements?