
Active Directory - Enable Account - Account Not Found

flegare
Regular Contributor III

Hi all,

Context: Trying to enable an AD account by using the DN from the account properties.

Prior to WSRetry, account was in the [Disabled Accounts OU] container.  Visually validated, repeatedly...

Error encountered: SAV-Error while enabling account,[LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com' ]

After WSRetry, the account was indeed moved to the [Active Accounts OU], so running the task back to back ends up with the desired results, but I'd rather find what is wrong in my setup.

ENABLEACCOUNTJSON:

{
    "USEDNFROMACCOUNT": "YES",
    "MOVEDN": "YES",
    "REMOVEGROUPS": "NO",
    "RESETPASSWORD": "YES",
    "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    }
}

 

 

I also tried with "USEDNFROMACCOUNT": "NO" with this syntax:

{
    "USEDNFROMACCOUNT": "NO",
    "DISABLEACCOUNTCHECKRULE": [
        "CN=${user.systemUserName},OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
        "CN=${user.systemUserName},OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com"
    ],
    "ATTRIBUTESTOCHECK": {
        "sAMAccountName": "${user.systemUserName}",
        "givenName": "${user.firstname}",
        "sn": "${user.lastname}"
    },
    "MOVEDN": "YES",
    "ENABLEACCOUNTOU": "OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    },
    "REMOVEGROUPS": "NO",
    "RESETPASSWORD": "YES"
}

This yielded a rather unfriendly error: "Checking DN for CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object Checking DN for CN=trsusertest,OU=[Active Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com. SAV-Error while enabling account,No account found using disable rules"

Which is really weird as the account DN is: CN=trsusertest,OU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com according to latest account import.

Further examination of the application logs indicates the account was indeed found but some caseIgnoreString comparison failed on something I can't identify:

"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.659219786Z stdout F 2024-02-21 20:35:58,659 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - ldap object is [mail:[usersemailaddress@somedomain.com], employeenumber:0037, usncreated:2304588, , dn:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, [bunch of other attributes including sAMAccountName, sn and givenname], distinguishedname:CN=trsusertestOU=[Disabled Accounts OU],OU=Utilisateurs,DC=[SomeDomain],DC=com, badpasswordtime:0, logoncount:0, usnchanged:2316188]"
"2024-02-21T20:35:59.193+00:00","ecm-worker","","","","2024-02-21T20:35:58.66723113Z stdout F 2024-02-21 20:35:58,667 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService  - Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object"

Is there an attribute missing somewhere?

Thanks!!

Thanks in advance!

4 REPLIES

Raghu
Regular Contributor III

@flegare  try to add below attributes and let me know

{
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "YES",
"REMOVEGROUPS": "NO",
"ENABLEACCOUNTOU":"OU=CloudUsers,DC=abccompany,DC=com",
"healthscopeUID": "${user.username}",
"AFTERMOVEACTIONS" : {
"userAccountControl": "512"}
}


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

rushikeshvartak
All-Star

Change below 

  "USEDNFROMACCOUNT": "NO",

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Regular Contributor III

Hi @flegare, how did you resolve the issue?

We are seeing this issue when we are using resetpassword in json and we have to use the same to create the password.

flegare
Regular Contributor III

Hi @NM ,

Here is what we went with:

{
    "DISABLEACCOUNTCHECKRULE": [
        "CN=${user.systemUserName},OU=[DisabledOU],DC=abc,DC=com",
        "CN=${user.systemUserName},OU=[EnabledOU],DC=abc,DC=com"
    ],
    "ENABLEACCOUNTOU": "OU=[EnabledOU],DC=abc,DC=com",
    "MOVEDN": "YES",
    "REMOVEGROUPS": "NO",
    "USEDNFROMACCOUNT": "NO",
    "AFTERMOVEACTIONS": {
        "userAccountControl": "${int accountControlValue=Integer.parseInt(task.accountKey.customproperty3)-2;accountControlValue.toString()}"
    }
}
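
Added example, not part of the thread and not Saviynt code: the AFTERMOVEACTIONS expressions above enable the account either by subtracting 2 from the stored userAccountControl value or by writing a fixed 512, and this sketch decodes what each produces compared with clearing only the ACCOUNTDISABLE bit. It assumes customproperty3 holds the current userAccountControl as a decimal string; the sample values and function names are constructed for illustration.

```python
# Added illustration: userAccountControl (UAC) handling for the enable step.
# Bit values are the documented Active Directory UAC flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002


def decode(uac):
    """Return the names of the known flags set in a UAC value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def enable_by_subtraction(stored):
    """What the thread's expression computes: parseInt(customproperty3) - 2."""
    return int(stored) - 2


def enable_by_constant(stored):
    """The fixed value from the first reply; ignores the stored flags."""
    return 512


def enable_by_mask(stored):
    """Clear only the ACCOUNTDISABLE bit; safe whether or not it is set."""
    return int(stored) & ~ACCOUNTDISABLE


def compare(stored):
    """Decode the result of each strategy for one stored UAC string."""
    return {
        "subtract": decode(enable_by_subtraction(stored)),
        "constant": decode(enable_by_constant(stored)),
        "mask": decode(enable_by_mask(stored)),
    }


if __name__ == "__main__":
    # Constructed sample values for customproperty3, not taken from the thread.
    for stored in ("514", "66050", "512", "262656"):
        print(stored, compare(stored))
```

Subtraction matches the mask only when the stored value still has the disable bit set; if the imported value is stale and the account is already enabled (512), subtracting 2 produces 510, which decodes to a disabled account with PASSWD_NOTREQD and ENCRYPTED_TEXT_PWD_ALLOWED set. The fixed 512 drops flags such as DONT_EXPIRE_PASSWORD or SMARTCARD_REQUIRED that the account carried before it was disabled.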