
AD Account name generation issue in pending tasks

Pranav
New Contributor III

The New Account and Add Access tasks for the AD application are getting created with the username instead of the user's first and last name. The configuration is working for Update Account and Remove or Disable Account tasks: the account name is getting populated with the user's first name and last name in the pending tasks account column. The issue is only with New and Add Access tasks for AD, and whenever they are getting provisioned we encounter an error - Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1: 0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)

We are seeing the same error for the New Account, Add Access, and Update Account tasks when they got provisioned.


NM
Honored Contributor II

Hi @Pranav, what is your account name rule?

Pranav
New Contributor III

Hi @NM, please find attached the account name rule.

${if (user.employeeType.equals('Employee')) { 'CN='+user.displayname+',OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com' } else if(user.employeeType.equals('Contractor')) { 'CN='+user.displayname+' (Contractor),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+') (Contractor),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+') (Contractor),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1 (Contractor),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2 (Contractor),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com' } else if(user.employeeType.equals('Consultant')) { 'CN='+user.displayname+' ('+user.companyname+'),OU=External Accounts,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')'+' ('+user.companyname+'),OU=External Accounts,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+')'+' ('+user.companyname+'),OU=External Accounts,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1'+' ('+user.companyname+'),OU=External Accounts,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2'+' ('+user.companyname+'),OU=External Accounts,DC=ABCD,DC=com' } else if(user.employeeType.equals('CanadianEmployee')) { 'CN='+user.displayname+',OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com' } else if(user.employeeType.equals('TempEmployee')) { 'CN='+user.displayname+' (Temp),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+') (Temp),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+') (Temp),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1 (Temp),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2 (Temp),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com' } else { 'CN='+user.displayname+',OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.city+'),OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')1,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'+'###'+'CN='+user.displayname+' ('+user.state+')2,OU=Users,OU='+user.customproperty16+',OU=Sites,DC=ABCD,DC=com'}}

Can you share the logs from when the tasks are being created and from the wsretry execution, in 2 different files?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.



[This message has been edited by moderator to mask sensitive information]

Which task/user needs to be checked?


Regards,
Rushikesh Vartak

The task requires verification. Currently, while the task is being created, the account column is displaying the username instead of the user's first and last name. As a result, when the account is provisioned, it will be named after the username rather than the user's actual first and last name. Additionally, we are currently facing the LDAP error mentioned above.

NM
Honored Contributor II

@Pranav looks fine. Can you also share the create account JSON?

Pranav
New Contributor III

@NM 

{
"department": "${if(user.costcenter!=null){user.costcenter + ' - ' + user.departmentname}else{user.departmentname}}",
"displayname": "${displayname}",
"manager": "${if(user.manager!=null){managerAccount?.accountID} else {''}}",
"initials": "${if(user.middlename!=null){user.middlename.substring(0,Math.min(user.middlename.length(),5))}else{''}}",
"userPrincipalName": "${userPrincipalName}",
"employeeID": "${user.username}",
"employeetype": "${user.customproperty8}",
"givenName": "${user.firstname.substring(0, 1).toUpperCase() + user.firstname.substring(1)}",
"mail": "${mail}",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"physicaldeliveryofficename": "${user.location}",
"extensionAttribute6": "${user.statuskey}",
"name": "${user.displayname}",
"sAMAccountName": "${sAMAccountName}",
"company": "${(user.entity!=null) ? user.entity +' - '+user.companyname : user.companyname}",
"st": "${user.customproperty16}",
"streetAddress": "${user.street}",
"description": "${(user.employeeType == 'TempEmployee' && user.title!=null) ? user.title + ' (Temp)' : (user.employeeType == 'TempEmployee' && user.title == null) ? '(Temp)' : user.title}",
"title": "${user.title}",
"l": "${user.city}",
"postalCode": "${user.customproperty10}",
"homeDirectory": "${user.customproperty60}",
"telephoneNumber": "${user.phonenumber}",
"mobile": "${user.secondaryPhone}",
"adminDescription": "Updated by Saviynt",
"adminDisplayName": "${user.username}",
"pwdLastSet": "0",
"businessCategory": "${user.customproperty12}",
"division": "${user.region}",
"sn": "${user.lastname.substring(0, 1).toUpperCase() + user.lastname.substring(1)}",
"accountExpires":"${ if (user.enddate != null && user.enddate != ''){10000*(user?.enddate.getTime() + 11644473600000 + 100799999 + 3636000)} else {9223372036854775807}}"
}

NM
Honored Contributor II

@Pranav are you currently storing the DN in account ID?

Pranav
New Contributor III

Yes @NM, the mappings in Account attribute are CUSTOMPROPERTY21::manager#String,customproperty26::distinguishedName#String,ACCOUNTID::objectGUID#Binary,CUSTOMPROPERTY38::objectGUID#Binary,RECONCILATION_FIELD::ACCOUNTID]

Share account_attribute mapping


Regards,
Rushikesh Vartak

[customproperty60::homeDirectory#String,customproperty7::userAccountControl#String,CUSTOMPROPERTY28::mail#String,CUSTOMPROPERTY12::division#String,CUSTOMPROPERTY34::name#String,CUSTOMPROPERTY29::postalCode#String,CUSTOMPROPERTY30::st#String,CUSTOMPROPERTY31::businessCategory#String,CUSTOMPROPERTY32::employeetype#String,CUSTOMPROPERTY24::employeeID#String,LASTLOGONDATE::lastLogon#millisec,DISPLAYNAME::displayName#String,CUSTOMPROPERTY25::company#String,CUSTOMPROPERTY3::sn#String,CUSTOMPROPERTY27::initials#String,LASTPASSWORDCHANGE::pwdLastSet#millisec,CUSTOMPROPERTY6::givenName#String,CUSTOMPROPERTY14::extensionAttribute6#String,CUSTOMPROPERTY8::title#String,CUSTOMPROPERTY9::telephoneNumber#String,CUSTOMPROPERTY10::c#String,CUSTOMPROPERTY11::uSNCreated#String,VALIDTHROUGH::accountExpires#millisec,CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,UPDATEDATE::whenChanged#date,CUSTOMPROPERTY16::streetAddress#String,CUSTOMPROPERTY18::department#String,NAME::sAMAccountName#String,CUSTOMPROPERTY20::userPrincipalName#String,CUSTOMPROPERTY21::manager#String,CUSTOMPROPERTY22::homePhone#String,CUSTOMPROPERTY23::mobile#String,CREATED_ON::whenCreated#date,ACCOUNTCLASS::objectClass#String,CUSTOMPROPERTY33::description#String,customproperty26::distinguishedName#String,ACCOUNTID::objectGUID#Binary,CUSTOMPROPERTY38::objectGUID#Binary,RECONCILATION_FIELD::ACCOUNTID]

Does sAMAccountName get updated?


Regards,
Rushikesh Vartak

No, the tasks are being created, but in the account column, we used to see the user's firstname.lastname (Xyz.Abc) earlier. Now, for all tasks generated for AD, I'm seeing the username (0234761) instead of the user's firstname.lastname in the account column of pending tasks. When the task is getting provisioned, it throws the LDAP error mentioned above.

NM
Honored Contributor II

Hi @Pranav, try this:

"manager": "${if(user.manager!=null){managerAccount?.customproperty26} else {''}}",

 

Pranav
New Contributor III

@NM tried the "manager": "${if(user.manager!=null){managerAccount?.customproperty26} else {''}}", and tested this in the lower environment with create account, accountattribute, checkforunique and accountnamerule as per prod configuration, although the tasks are getting created with the username in the account column, and while trying to provision we are encountering an error [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0 ] (in lower environment)

NM
Honored Contributor II

@Pranav, what is your account name rule?

Seems to be an error for update account.

 

Pranav
New Contributor III

Issue resolved in the lower environment after matching the connection with the AD PWD policies. Now users are able to provision.

Dave
Community Manager

If the issue is resolved, please click the "Accept As Solution" button on the reply that provides the solution to your original problem. This will help future users who may be experiencing a similar difficulty. Thank you!
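
The two LDAP diagnostics quoted in this thread can be decoded mechanically: the eight hex digits after the LDAP result code are a Win32 error code, where 0x20B5 is "name reference invalid" (the manager attribute expects a DN, which the mappings above store in customproperty26, while ACCOUNTID holds objectGUID) and 0x52D is a password-policy restriction. The following is an added example, not code from any post or from Saviynt; the function names and the sample GUID and DN values are constructed for illustration.

```python
import re

# LDAP result codes and Win32 codes seen in this thread. The Win32 names are
# Microsoft's system error code names; extend both tables as needed.
LDAP_RESULT = {19: "constraintViolation", 53: "unwillingToPerform"}
WIN32 = {0x20B5: "ERROR_DS_NAME_REFERENCE_INVALID",
         0x052D: "ERROR_PASSWORD_RESTRICTION"}

DIAG = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): \w+: DSID-\w+,"
    r".*?problem \d+ \((?P<problem>\w+)\)"
    r"(?:.*?Att [0-9A-Fa-f]+ \((?P<attr>[\w-]+)\))?")

def decode(message):
    """Split an AD LDAP diagnostic into result code, Win32 code, problem, attribute."""
    m = DIAG.search(message)
    if m is None:
        return None
    win32 = int(m["win32"], 16)
    return {"ldap": LDAP_RESULT.get(int(m["ldap"]), m["ldap"]),
            "win32": WIN32.get(win32, hex(win32)),
            "problem": m["problem"],
            "attribute": m["attr"]}

def looks_like_dn(value):
    """True if every comma-separated component has the form type=value."""
    parts = re.split(r"(?<!\\),", value)
    return all(re.fullmatch(r"\s*[A-Za-z][\w-]*=.+", p) for p in parts)

# The two diagnostics quoted in the thread.
ERR_19 = ("[LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1: 0: "
          "000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), "
          "data 0, Att 15000a (manager)")
ERR_53 = ("[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A124C, "
          "problem 5003 (WILL_NOT_PERFORM), data 0 ]")

# Constructed sample values for the manager attribute (not from the thread).
SAMPLE_GUID = "3f2b8c1e-9a4d-4c7b-8e21-5d6f0a1b2c3d"
SAMPLE_DN = "CN=Jane Doe (Contractor),OU=Users,OU=Site1,OU=Sites,DC=ABCD,DC=com"

if __name__ == "__main__":
    for err in (ERR_19, ERR_53):
        print(decode(err))
    for value in (SAMPLE_GUID, SAMPLE_DN):
        print(value, "->", "DN" if looks_like_dn(value) else "not a DN")
```
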