Saviynt Forums

IAM_99 · ‎09/29/2022

Hi Team,

1. We are not able to configure 'Disable Account' Option for AD end point- how to configure Disable/Enable Account options ?

2. When we try to remove account through ARS - its throwing below error

Error while Delete operation for account-testuser5 in AD, Error Deleting/Disabling the Account from AD - testuser5: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100229, problem 2006 (BAD_NAME), data 8350, best match of: 'testuser500' ]

Here is my RemoveAccountJSON ( same is there is DisableAccount JSON as well)

{
"moveUsertoOU":"OU=Disable_Users,DC=abc,DC=IN",
"deleteAllGroups":"No",
"userAccountControl":"514",
"description":"${'Account disabled on ' + Calendar.getInstance().getTime().format('MM/dd/yyyy HH:mm:ss', TimeZone.getTimeZone('GMT'))}"
}

any idea what might of have gone wrong ?

rushikeshvartak · ‎09/30/2022

There is a slash / character in the distinguished name. While this is a legal character in a DN, perhaps it should be a comma ,. See also Distinguished Names

Disable / Enable Option needs to be enabled from endpoint -status option add enable & disable values & locked column in account drives this action either enable or disable

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

avinashchhetri · ‎09/30/2022

@IAM_99,

What would help would be to send the full logs when you run the Provisioning Job where it shows what is the final constructed DN which is showing a BAD_NAME exception.

Regards,
Avinash Chhetri

IAM_99 · ‎09/30/2022

please find attached logs. and screenshot for endpoint as there is no option to configure Disable/enable

rushikeshvartak · ‎09/30/2022

2022-09-29 19:11:25,285 [quartzScheduler_Worker-1] ERROR ldap.SaviyntGroovyLdapService - Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-0315317E, #1:
0: 000020B5: DSID-0315317E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
]
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000020B5: AtrErr: DSID-0315317E, #1:
0: 000020B5: DSID-0315317E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
]; remaining name 'CN=Bhavaniprasadkommi,Ou=B04_Users,DC=kaali,DC=in'

Manager Field is sent blank.

2022-09-29 19:11:25,386 [quartzScheduler_Worker-1] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD -
javax.naming.InvalidNameException: jagadish: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100229, problem 2006 (BAD_NAME), data 8350, best match of:
'jagadish'
]; remaining name 'jagadish'

Sample REMOVEACCOUNTACTION

{"removeAction": "DELETE","moveUsertoOU": "OU=DeletedUsers,DC=YYYYY,DC=YYYY","deleteAllGroups": "Yes","userAccountControl": "514"}

Sample CREATEACCOUNTJSON

{"cn": "${user.username}","displayname": "${user.displayname}","givenname": "${user.firstname}","mail": "${user.email}","name": "${user.displayname}","objectClass": ["top", "person", "organizationalPerson", "user"],"sAMAccountName": "${task.accountName}","sn": "${user.lastname}","title": "${user.title}"}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

IAM_99 · ‎09/30/2022

Thank you , Can you let me know Disable/Enable configuration as well.

rushikeshvartak · ‎09/30/2022

ENABLEACCOUNTJSON

{
 "USEDNFROMACCOUNT": "YES",
  "MOVEDN": "NO",
 "REMOVEGROUPS": "NO",
 "AFTERMOVEACTIONS": {
   "userAccountControl": "512",
    "userPassword": "${randomPassword}"
 }
}

DISABLEACCOUNTJSON

{
 "userAccountControl": "546"
}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

avinashchhetri · ‎09/30/2022

Hello @IAM_99,

I would suggest you to refer documentations and try our these functionalities. If these dont work then you can report these as a feedback.

Regards,
Avinash Chhetri

IAM_99 · ‎09/30/2022

Thanks for the responses.

1. We have valid manager now and tried to deprovision -getting Bad_NAME error again

at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)
2022-09-30 18:35:00,005 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD -
javax.naming.InvalidNameException: Jayakrishna: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100229, problem 2006 (BAD_NAME), data 8350, best match of:
'Jayakrishna'
]; remaining name 'Jayakrishna'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3198)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)

2. Let me rephrase the question - We are not able to see how to configure Enable/Disable options/buttons ( not JSON details) please find below

rushikeshvartak · ‎10/01/2022

ask operation team to add status_config column in endpoints table

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

avinashchhetri · ‎10/03/2022

@IAM_99,

Any operations in LDAP compliant servers are done based on your Disinguished Name. As per the logs it seems that your DN is not configured properly.

For this user that is failing, which account attribute has the user's DN stored in ? What is the value of the AccountID for this user account ?

Regards,
Avinash Chhetri

IAM_99 · ‎09/30/2022

logs attached.

Saviynt Forums

Active Directory Disable Account - Badname error-DSID-03100229, problem 2006 (BAD_NAME), data 8350