02/21/2024 12:11 PM - last edited on 02/21/2024 02:02 PM by Dave
Hi all,
Context: Trying to enable an AD account by using the DN from the account properties.
Prior to WSRetry, account was in the [Disabled Accounts OU] container. Visually validated, repeatedly...
Error encountered: SAV-Error while enabling account,[LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com' ]
After WSRetry, account was indeed moved to the [Active Accounts OU], so running the task back to back ends up with the desired results, but I'd rather find what is wrong in my setup.
ENABLEACCOUNTJSON:
{
  "USEDNFROMACCOUNT": "YES",
  "MOVEDN": "YES",
  "REMOVEGROUPS": "NO",
  "RESETPASSWORD": "YES",
  "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
  "AFTERMOVEACTIONS": {
    "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
  }
}
I also tried with "USEDNFROMACCOUNT": "NO" with this syntax:
{
  "USEDNFROMACCOUNT": "NO",
  "DISABLEACCOUNTCHECKRULE": [
    "CN=${user.systemUserName},OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
    "CN=${user.systemUserName},OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com"
  ],
  "ATTRIBUTESTOCHECK": {
    "sAMAccountName": "${user.systemUserName}",
    "givenName": "${user.firstname}",
    "sn": "${user.lastname}"
  },
  "MOVEDN": "YES",
  "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
  "AFTERMOVEACTIONS": {
    "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
  },
  "REMOVEGROUPS": "NO",
  "RESETPASSWORD": "YES"
}
This yielded a rather unfriendly error: "Checking DN for CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object Checking DN for CN=trsusertest,OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. SAV-Error while enabling account,No account found using disable rules"
Which is really weird as the account DN is: CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com according to latest account import.
Further examination of the application logs indicates the account was indeed found but some caseIgnoreString comparison failed on something I can't identify:
"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.659219786Z stdout F 2024-02-21 20:35:58,659 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - ldap object is [mail:[usersemailaddress@somedomain.com], employeenumber:0037, usncreated:2304588, , dn:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, [bunch of other attributes including sAMAccountName, sn and givenname], distinguishedname:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, badpasswordtime:0, logoncount:0, usnchanged:2316188]"
"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.66723113Z stdout F 2024-02-21 20:35:58,667 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService - Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object"
Is there an attribute missing somewhere?
Thanks!!
Thanks in advance!
02/21/2024 07:47 PM
@flegare try to add below attributes and let me know
{
  "USEDNFROMACCOUNT": "YES",
  "MOVEDN": "YES",
  "REMOVEGROUPS": "NO",
  "ENABLEACCOUNTOU": "OU=CloudUsers,DC=abccompany,DC=com",
  "healthscopeUID": "${user.username}",
  "AFTERMOVEACTIONS": {
    "userAccountControl": "512"
  }
}
02/21/2024 07:53 PM
Change below
"USEDNFROMACCOUNT": "NO",
03/12/2024 08:16 PM
Hi @flegare, how did you resolve the issue?
We are seeing this issue when we are using resetpassword in json and we have to use the same to create the password.
03/13/2024 01:41 AM
Hi @NM ,
Here is what we went with:
{
  "DISABLEACCOUNTCHECKRULE": [
    "CN=${user.systemUserName},OU=[DisabledOU],DC=abc,DC=com",
    "CN=${user.systemUserName},OU=[EnabledOU],DC=abc,DC=com"
  ],
  "ENABLEACCOUNTOU": "OU=[EnabledOU],DC=abc,DC=com",
  "MOVEDN": "YES",
  "REMOVEGROUPS": "NO",
  "USEDNFROMACCOUNT": "NO",
  "AFTERMOVEACTIONS": {
    "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
  }
}
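
Added example, not part of the thread and not Saviynt code: a Python check of the `-2` arithmetic used in the AFTERMOVEACTIONS expression above against clearing the ACCOUNTDISABLE bit (0x2) with a mask. It assumes customproperty3 holds the imported userAccountControl value; the function names are illustrative, and the sample values are constructed.

```python
# Added example: userAccountControl arithmetic vs. bit masking.
# Flag values are the documented Active Directory userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def enable_by_subtraction(stored):
    """What the thread's expression computes: parseInt(customproperty3) - 2."""
    return int(stored) - 2


def enable_by_mask(stored):
    """Clear only the ACCOUNTDISABLE bit; all other flags are left untouched."""
    return int(stored) & ~ACCOUNTDISABLE


def compare(stored):
    """Compare both approaches for one stored value (assumed: customproperty3)."""
    sub, mask = enable_by_subtraction(stored), enable_by_mask(stored)
    return {"stored": int(stored), "subtract": sub, "mask": mask,
            "agree": sub == mask, "subtract_flags": decode(sub)}


if __name__ == "__main__":
    # Constructed samples: disabled normal account, disabled account with
    # DONT_EXPIRE_PASSWORD, and a stale value for an already-enabled account.
    for stored in ("514", "66050", "512"):
        print(compare(stored))
```

The two approaches agree only while the stored value has the disable bit set; for a stale value of 512 the subtraction yields 510, which decodes to an unrelated set of flags including ACCOUNTDISABLE and PASSWD_NOTREQD.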