AD connection - Not Found DN while creating account

Aashish-Handa
Regular Contributor

We are getting a provisioning comment, stated below, after successfully completing the create account task in Saviynt and can confirm the account is successfully created on AD side as well.

Checking DN for CN=UAT User3,OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local.Not FOund DN for CN=UAT User3,OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local.

Henceforth, while trying to disable this user, we get the following error:

Error while Delete operation for account-uuser3 in AD - 5803e310-455c-4ee8-a9b8-fdc8a9e2e787: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of: '5803e310-455c-4ee8-a9b8-fdc8a9e2e787' ] 

We checked the permissions for the service account being used to connect to AD via Saviynt and everything looks fine. Also, we can disable the user manually on AD.

PFB the createaccountjson being used:

{
"givenName": "${user.firstname}",
"sn":"${user.lastname}",
"displayname":"${user.displayname}",
"name":"${user.displayname}",
"objectClass":["top","person","organizationalPerson","user"],
"sAMAccountName":"${task.accountName}",
"mail":"${user.email}",
"userPrincipalName":"${user.email}",
"department":"${user.title}",
"company":"${user.companyname}",
"mobile":"${user.phonenumber}",
"employeeID": "${user.employeeid}",
"co": "${user.location}",
"accountExpires": "0",
"pwdLastSet": "0"
}

Disable Account Json:

{ "userAccountControl": "514" }

There is an account name rule defined as well. PFB.

CN=${user.displayname},OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local###CN=${user.displayname}1,OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local###CN=${user.displayname}2,OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local###CN=${user.displayname}3,OU=Test Users,OU=Users,OU=BCGroup,DC=brunellocucinelli,DC=local

Would request assistance on the issue since we are not able to disable the account on the AD side. Logs from Saviynt attached.

Thanks


Dhruv_Sharma
Saviynt Employee

Hi @Aashish-Handa 

Please attach the logs hiding sensitive user data.

This issue comes when the ACCOUNTS.ACCOUNTID column doesn’t have a valid DN populated in it. Please verify on your end and confirm.

Regards,

Dhruv Sharma

Hi @Dhruv_Sharma ,

Where can I check and update the ACCOUNTS.ACCOUNTID on the connection level?

As far as the account name rule is concerned, it looks correct.

Thanks

@Aashish-Handa : You can find ACCOUNTID on the accounts page, which should match the DN of the respective AD account.

Also can you share the ACCOUNT_ATTRIBUTE mapping?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Aashish-Handa
Regular Contributor

Hi @sk ,

Thanks for responding. PFB the ACCOUNT_ATTRIBUTE mapping:

[
ACCOUNTID::objectGUID#Binary,
status::userAccountControl#String,
NAME::sAMAccountName#String,
DISPLAYNAME::displayname#String,
customproperty1::cn#String,
customproperty2::userPrincipalName#String,
customproperty3::sn#String,
customproperty4::homeDirectory#String,
customproperty5::co#String,
customproperty6::employeeNumber#String,
customproperty7::givenName#String,
customproperty8::title#String,
customproperty9::telephoneNumber#String,
customproperty10::c#String,
description::description#String,
customproperty11::uSNCreated#String,
customproperty12::logonCount#String,
customproperty13::physicalDeliveryOfficeName#String,
customproperty14::extensionAttribute1#String,
customproperty15::extensionAttribute2#String,
customproperty16::streetAddress#String,
customproperty17::mailNickname#String,
customproperty18::department#String,
customproperty19::countryCode#String,
customproperty20::employeeID#String,
customproperty21::manager#String,
customproperty22::homePhone#String,
customproperty23::mobile#String,
customproperty24::distinguishedName#String,
customproperty25::company#String,
customproperty26::objectGUID#String,
customproperty27::objectSid#Binary,
customproperty28::primaryGroupID#String,
customproperty29::st#String,
customproperty30::userAccountControl#String,
customproperty31::mail#String,
customproperty32::targetAddress#String,
customproperty33::sAMAccountName#String,
customproperty34::lastLogonTimestamp#String,
customproperty35::name#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
lastlogondate::lastLogon#millisec,
created_on::whenCreated#date,
updatedate::whenChanged#date,
RECONCILATION_FIELD::customproperty26,
comments::distinguishedName#String,
validthrough::accountExpires#millisec,
accountclass::objectClass#String
]

Thanks

@Aashish-Handa : ACCOUNTID should be mapped to DN. Since it is mapped to GUID, after import it is getting replaced, and while changing the account it is unable to match the account DN, hence it is failing.


Regards,
Saathvik

Aashish-Handa
Regular Contributor

I tried changing the accountID to distinguished name and the disable account use case worked. I will try testing the remove access as well.

Thanks
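
The mismatch identified in this thread, as an added example that is not part of the original posts or Saviynt's own code: a Python check that parses an ACCOUNT_ATTRIBUTE mapping and flags an ACCOUNTID that is not mapped to distinguishedName, or a stored ACCOUNTID value that is a GUID rather than a DN. The function names and the rough DN syntax check are assumptions made for illustration; the mapping text is an excerpt constructed from the one posted above.

```python
import re
import uuid

# Constructed excerpt of the ACCOUNT_ATTRIBUTE mapping posted in the thread.
MAPPING_FROM_THREAD = """[
ACCOUNTID::objectGUID#Binary,
NAME::sAMAccountName#String,
customproperty24::distinguishedName#String,
customproperty26::objectGUID#String,
RECONCILATION_FIELD::customproperty26,
comments::distinguishedName#String
]"""

# One RDN: attribute type, '=', then a value with no unescaped comma.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+$")

def parse_mapping(text):
    """Return {SAVIYNT_FIELD: ad_attribute} from 'FIELD::attr#Type' entries."""
    mapping = {}
    for entry in text.strip().strip("[]").split(","):
        field, sep, target = entry.strip().partition("::")
        if sep:
            mapping[field.upper()] = target.partition("#")[0].strip()
    return mapping

def looks_like_dn(value):
    """Rough syntactic check (hypothetical helper): comma-separated attr=value RDNs."""
    return all(_RDN.match(p.strip()) for p in re.split(r"(?<!\\),", value))

def is_guid(value):
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False

def check_accountid(mapping_text, stored_accountid=None):
    """Return findings about the ACCOUNTID mapping and a stored ACCOUNTID value."""
    findings = []
    attr = parse_mapping(mapping_text).get("ACCOUNTID")
    if attr is None:
        findings.append("ACCOUNTID is not mapped")
    elif attr.lower() != "distinguishedname":
        findings.append(f"ACCOUNTID is mapped to {attr}, not distinguishedName")
    if stored_accountid is not None and not looks_like_dn(stored_accountid):
        kind = "a GUID" if is_guid(stored_accountid) else "not a DN"
        findings.append(f"stored ACCOUNTID {stored_accountid!r} is {kind}")
    return findings
```

Run against the value from the delete error, `check_accountid(MAPPING_FROM_THREAD, "5803e310-455c-4ee8-a9b8-fdc8a9e2e787")` reports both the objectGUID mapping and the GUID-shaped ACCOUNTID, which is the value AD rejected with BAD_NAME.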