Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Active Directory - Enable Account - Account Not Found

flegare
Regular Contributor III
Regular Contributor III

Hi all,

Context: Trying to enable an AD account by using the DN from the account properties.

Prior to WSRetry, account was in the [Disabled Accounts OU] container.  Visually validated, repeatedly...

Error encountered: SAV-Error while enabling account,[LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com' ]

After WSRetry, account was indeed moved to the [Active Accounts OU] so running the task back to back ends up with the desired results but I'd rather find what is wrong in my setup

ENABLEACCOUNTJSON:

 

 

{
    "USEDNFROMACCOUNT": "YES",
    "MOVEDN": "YES",
    "REMOVEGROUPS": "NO",
    "RESETPASSWORD": "YES",
    "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    }
}

 

 

I also tried with "USEDNFROMACCOUNT": "NO" with this syntax:

 

 

{
    "USEDNFROMACCOUNT": "NO",
    "DISABLEACCOUNTCHECKRULE": [
        "CN=${user.systemUserName},OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
        "CN=${user.systemUserName},OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com"
    ],
    "ATTRIBUTESTOCHECK": {
        "sAMAccountName": "${user.systemUserName}",
        "givenName": "${user.firstname}",
        "sn": "${user.lastname}"
    },
    "MOVEDN": "YES",
    "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    },
    "REMOVEGROUPS": "NO",
    "RESETPASSWORD": "YES"
}

 

 

This yielded a rather unfriendly error: "Checking DN for CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object Checking DN for CN=trsusertest,OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. SAV-Error while enabling account,No account found using disable rules"

Which is really weird as the account DN is: CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com according to latest account import.

Further examination of the application logs indicates the account was indeed found but some caseIgnoreString comparison failed on something I can't identify:

 

 

"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.659219786Z stdout F 2024-02-21 20:35:58,659 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - ldap object is [mail:[usersemailaddress@somedomain.com], employeenumber:0037, usncreated:2304588, , dn:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, [bunch of other attributes including sAMAccountName, sn and givenname], distinguishedname:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, badpasswordtime:0, logoncount:0, usnchanged:2316188]"
"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.66723113Z stdout F 2024-02-21 20:35:58,667 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService  - Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object"

 

 

 Is there an attribute missing somewhere?

Thanks!!

Thanks in advance!

4 REPLIES 4

Raghu
Valued Contributor III
Valued Contributor III

@flegare  try to add below attributes and let me know

{
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "YES",
"REMOVEGROUPS": "NO",
"ENABLEACCOUNTOU":"OU=CloudUsers,DC=abccompany,DC=com",
"healthscopeUID": "${user.username}",
"AFTERMOVEACTIONS" : {
"userAccountControl": "512"}
}


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

rushikeshvartak
All-Star
All-Star

Change below 

  "USEDNFROMACCOUNT": "NO",

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Regular Contributor III
Regular Contributor III

Hi @flegare, how did you resolve the issue?

We are seeing this issue when we are using resetpassword in json and we have to use the same to create the password.

flegare
Regular Contributor III
Regular Contributor III

Hi @NM ,

Here is what we went with:

{
    "DISABLEACCOUNTCHECKRULE": [
        "CN=${user.systemUserName},OU=[DisabledOU],DC=abc,DC=com",
        "CN=${user.systemUserName},OU=[EnabledOU],DC=abc,DC=com"
    ],
    "ENABLEACCOUNTOU": "OU=[EnabledOU],DC=abc,DC=com",
    "MOVEDN": "YES",
    "REMOVEGROUPS": "NO",
    "USEDNFROMACCOUNT": "NO",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    }
}