
AD Provisioning Error LDAP: error code 16 - 00000057: LdapErr: DSID-0C091372

mbh_it
Regular Contributor II

Hello Team,

I am facing the issue below while provisioning; the logs and the CreateAccountJSON are attached. Can you please guide me to resolve this?

"2023-10-20T17:54:36.384+00:00","ecm-worker","","","","2023-10-20T17:54:35.639068066Z stdout F 2023-10-20 17:54:35,639 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - Creating Account dn-CN=Bairstow Lily,OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com Datamap--[mail:bairstow.lily3@ab.com,accountExpires:0,UnicodePwd:****,description:Engineer,distinguishedName:Bairstow Lily,OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com,employeeID:101,title:Saviynt Org,Senior Engineer,password:****,surname:Lily,sn:Lily,department:101-COSTNew,userAccountControl:512,userPrincipalName:bairstow.lily3@ab.com,info:new Joining,employeetype:Employee,physicalDeliveryOfficeName:Atlanta,sAMAccountName:bairstow.lily3@ab.com,givenName:Jone,objectClass:[user],cn:bairstow.lily3@ab.com,co:USA,moveUsertoOU:OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com,displayname:Bairstow Lily,name:Bairstow Lily,baseDn:OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com,]"
"2023-10-20T17:54:36.384+00:00","ecm-worker","","","","2023-10-20T17:54:35.993828468Z stdout F 2023-10-20 17:54:35,993 [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService - Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563 ]"
"2023-10-20T17:54:36.384+00:00","ecm-worker","","","","2023-10-20T17:54:35.993842568Z stdout F javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563 ]; remaining name 'CN=Bairstow Lily,OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com'"

Thanks

Mahesh


sudeshjaiswal
Saviynt Employee

Hello @mbh_it,

Are other operations working fine, like,
Your error code says that some of the attributes you are trying to assign are not supported by AD.
I would request you to try the JSON below and check if it works:

{
    "givenName": "${user.preferedFirstName}",
    "sn": "${user.lastname}",
    "displayname": "${user.displayname}",
    "cn": "${task.accountName}",
    "sAMAccountName": "${task.accountName}",
    "employeetype": "${user.employeeType}",
    "description": "${user.jobDescription}",
    "userPrincipalName": "${user.email}",
    "password": "Randompassword1",
    "employeeID": "${user.employeeid}",
    "co": "${user.country}",
    "department": "${user.departmentname}",
    "accountExpires": "${user.enddate != null ? 10000*(user.enddate.getTime() + 11644473600000) : '0'}",
    "company": "${user.enddate != null ? 'A B' : ''}",
    "mail": "${user.email}",
    "manager": "${managerAccount?.accountID}",
    "name": "${user.displayname}",
    "physicalDeliveryOfficeName": "${user.location}",
    "surname": "${user.lastname}",
    "title": "${user.title}",
    "info": "${user.comments}",
    "objectClass": [
        "user"
    ],
    "userAccountControl": 512,
    "baseDn": "OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com",
    "distinguishedName": "${user.displayname+',OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com'}",
    "moveUsertoOU": "OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com"
}
If you find the above response useful, Kindly Mark it as "Accept As Solution".

rushikeshvartak
All-Star
16 LDAP_NO_SUCH_ATTRIBUTE: Indicates that the attribute specified in the modify or compare operation does not exist in the entry.

In your JSON, remove baseDn, moveUsertoOU and distinguishedName and try again.


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

SumathiSomala
All-Star

@mbh_it

Remove the baseDn, distinguishedName and moveUsertoOU mappings from the JSON.

To generate the distinguishedName (DN), update the ACCOUNTNAMERULE in the connection.
Sample:
CN=${user.displayname},OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com

Map the password with UnicodePwd, and make sure SETRANDOMPASSWORD is set to FALSE in the connection parameters.
To map the manager attribute in the CreateAccountJSON, use one of the samples below:

"manager": "${managerAccount!=null ? managerAccount.accountID: ''}",
"manager": "${managerAccount!=null ? managerAccount.comments: ''}",
"manager": "${managerAccount!=null ? managerAccount.custompropertyxx: ''}",

The accountID/comments/custompropertyxx field should contain the user's distinguishedName in Saviynt.

Try with the sample below:

{
    "givenName": "${user.preferedFirstName}",
    "sn": "${user.lastname}",
    "displayname": "${user.displayname}",
    "cn": "${task.accountName}",
    "sAMAccountName": "${task.accountName}",
    "employeetype": "${user.employeeType}",
    "description": "${user.jobDescription}",
    "userPrincipalName": "${user.email}",
    "UnicodePwd": "Randompassword1",
    "employeeID": "${user.employeeid}",
    "co": "${user.country}",
    "department": "${user.departmentname}",
    "accountExpires": "${user.enddate != null ? 10000*(user.enddate.getTime() + 11644473600000) : '0'}",
    "company": "${user.enddate != null ? 'A B' : ''}",
    "mail": "${user.email}",
    "manager": "${managerAccount!=null ? managerAccount.accountID: ''}",
    "name": "${user.displayname}",
    "physicalDeliveryOfficeName": "${user.location}",
    "surname": "${user.lastname}",
    "title": "${user.title}",
    "info": "${user.comments}",
    "objectClass": [
        "top",
        "person",
        "organizationalPerson",
        "user"
    ],
    "userAccountControl": 512
}

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.
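The replies above all come down to one rule: every key in the CreateAccountJSON that reaches AD has to be a real attribute name for the user object class, with a value in the right syntax, otherwise the add fails before any DN or permission question comes up. The following is an added example, not Saviynt's connector code or the poster's template, of an offline pre-flight check you can run on a template before provisioning. The attribute allowlist is an assumption (a short list of common AD user attributes, not the customer's schema), the keys treated as connector-only (baseDn, moveUsertoOU) are an assumption based on the advice in this thread, and the sample template is a constructed, trimmed copy of the first JSON posted above. It also reproduces the accountExpires conversion from the template so you can see what FILETIME value AD will store:

```python
"""Offline pre-flight check for a Saviynt-style AD CreateAccountJSON template.

Added example, not Saviynt's connector code or the poster's template. The
attribute allowlist is an assumption: a short list of common AD user
attributes, not the customer's schema. For real use, read the attribute names
out of the forest schema (CN=Schema,CN=Configuration,...) instead.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed allowlist of lDAPDisplayName values for AD user objects, lower-cased
# because LDAP attribute names are case-insensitive.
AD_USER_ATTRS = {
    "cn", "sn", "givenname", "displayname", "name", "samaccountname",
    "userprincipalname", "mail", "manager", "title", "department", "company",
    "description", "employeeid", "employeetype", "co", "c", "l", "info",
    "physicaldeliveryofficename", "unicodepwd", "accountexpires",
    "useraccountcontrol", "objectclass", "distinguishedname",
}

# Keys that are not AD attributes at all, with the fix used in the thread.
WRONG_NAMES = {
    "surname": "not an AD attribute; the LDAP name is 'sn'",
    "password": "not an AD attribute; set the password via 'unicodePwd'",
}

# Assumption: keys the Saviynt connector consumes itself rather than sends to AD.
CONNECTOR_KEYS = {"basedn", "moveusertoou"}

WINDOWS_EPOCH_OFFSET_MS = 11_644_473_600_000  # 1601-01-01 to 1970-01-01, in ms
INT64_MAX = 2**63 - 1
TEMPLATE_RE = re.compile(r"\$\{.*\}")  # unevaluated ${...} Groovy expression


def java_ms_to_filetime(epoch_ms: int) -> int:
    """Same conversion as the thread's accountExpires expression:
    Java epoch milliseconds -> Windows FILETIME (100 ns ticks since 1601)."""
    return 10000 * (epoch_ms + WINDOWS_EPOCH_OFFSET_MS)


def filetime_to_datetime(filetime: int) -> datetime:
    """Inverse of java_ms_to_filetime, to eyeball what AD will store."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def check_template(template: str) -> list:
    """Return human-readable findings for a CreateAccountJSON template.
    An empty list means nothing obviously wrong was found."""
    data = json.loads(template)
    findings = []
    lowered = {k.lower(): v for k, v in data.items()}

    for key, value in data.items():
        k = key.lower()
        if k in WRONG_NAMES:
            findings.append(f"{key}: {WRONG_NAMES[k]}")
        elif k in CONNECTOR_KEYS:
            findings.append(f"{key}: connector key, not an AD attribute (assumed)")
        elif k not in AD_USER_ATTRS:
            findings.append(f"{key}: not in the assumed AD user attribute list")

        # Only literal values can be syntax-checked offline; ${...} is skipped.
        if isinstance(value, str) and TEMPLATE_RE.search(value):
            continue
        if k == "accountexpires" and not (str(value).isdigit() and int(value) <= INT64_MAX):
            findings.append(f"{key}: must be a decimal FILETIME string in 0..{INT64_MAX}")
        if k == "useraccountcontrol" and not str(value).isdigit():
            findings.append(f"{key}: must be an integer bit mask (512 = NORMAL_ACCOUNT)")

    classes = [str(c).lower() for c in lowered.get("objectclass", [])]
    if "user" not in classes:
        findings.append("objectClass: must include 'user'")
    return findings


# Constructed sample: a trimmed copy of the first JSON posted in the thread.
SAMPLE_TEMPLATE = """{
    "givenName": "${user.preferedFirstName}",
    "sn": "${user.lastname}",
    "surname": "${user.lastname}",
    "cn": "${task.accountName}",
    "sAMAccountName": "${task.accountName}",
    "password": "Randompassword1",
    "accountExpires": "${user.enddate != null ? 10000*(user.enddate.getTime() + 11644473600000) : '0'}",
    "objectClass": ["user"],
    "userAccountControl": 512,
    "baseDn": "OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com"
}"""

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
    # End date 2024-01-01T00:00:00Z as Java epoch ms, converted as the template does.
    ft = java_ms_to_filetime(1704067200000)
    print(ft, filetime_to_datetime(ft).isoformat())
```

On the sample template the check flags surname, password and baseDn and nothing else, which is exactly the set the replies told the poster to change. The FILETIME round trip is there because an accountExpires value that lands in the wrong unit (seconds or milliseconds instead of 100 ns ticks) is still a syntactically valid integer and AD will accept it, so checking the decoded date is the only way to catch that offline.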

@mbh_it try with the mapping below in the JSON and check:

"accountExpires": "0"

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

@mbh_it could you please try my sample JSON with the accountExpires and company mappings removed?

Also, I wanted to check: managerAccount.accountID contains the manager DN, right?

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

mbh_it
Regular Contributor II

Hello Rushikesh and Sumathi,

First of all, thanks for the details shared. I tried the same and I am still getting the same error; please find the logs and JSON attached.

Kindly let me know if there is anything I missed here.

Thank You,

Mahesh

mbh_it
Regular Contributor II

Hello Sumathi,

Tried "accountExpires": "0", still getting the same error. I am trying to test by eliminating, say, description etc. and seeing if it works. Let me know if there is any attribute you suspect other than this.

Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563]

 

Thanks

Mahesh

mbh_it
Regular Contributor II

Hello Sumathi,

I removed both the expiry and company mappings from the JSON and am still getting the same error.

 

Thanks

Mahesh

@mbh_it use "sn": "${user.lastname}" instead of surname in the latest JSON.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

mbh_it
Regular Contributor II

Hello Sumathi,

I think we are on to the next step; removing SN helped. The following is the error now:

Error while creating account in AD - [LDAP: error code 50 - 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2023-10-23T17:20:37.96521545Z stdout F 2023-10-23 17:20:37,965 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - Creating Account dn-CN=Jonah Lee,OU=Saviynt,OU=Users,OU=Utility User OU,DC=AB,DC=NY,DC=com Datamap--[employeetype:Employee,physicalDeliveryOfficeName:Atlanta,mail:jonah.lee@AB.com,sAMAccountName:jonah.lee@AB.com,givenName:Jonah,objectClass:[top, person, organizationalPerson, user],UnicodePwd:****,cn:jonah.lee@AB.com,co:USA,title:Saviynt Org,Senior Engineer,displayname:Jonah Lee,name:Jonah Lee,sn:lee,userAccountControl:512,userPrincipalName:jonah.lee@AB.com,info:New joining,]
"2023-10-23T17:20:38.911+00:00","ecm-worker","","","","2023-10-23T17:20:38.331865521Z stdout F 2023-10-23 17:20:38,331 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService - Error while creating account in AD - [LDAP: error code 50 - 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]"

Thanks

Mahesh

LDAP result code insufficientAccess (50) means that the currently bound identity for the LDAP connection is not allowed to apply this particular modify operation. You did not provide any relevant details.

Validate that the DN is correct. It seems the service account doesn't have permission to create users.


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.
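The two errors in this thread carry more detail than the LDAP result code alone: AD appends a Win32 error code (00000057 is ERROR_INVALID_PARAMETER, 00000005 is ERROR_ACCESS_DENIED), a DSID locating the failing code path, and either a comment or a problem number with its mnemonic. Reading those fields tells the schema problem apart from the permission problem before anyone starts changing the JSON or the DN. The following is an added example, not Saviynt's code, that decodes these strings from ecm-worker log lines and maps them to the same diagnosis the replies reached; the code tables are standard LDAP result codes and Win32 error codes, and the sample log lines are constructed from the messages quoted in this thread.

```python
"""Decode the AD extended LDAP error strings seen in ecm-worker logs.

Added example, not Saviynt's code. The tables hold standard LDAP result codes
and Win32 error codes; the sample log lines are constructed from the messages
quoted in this thread, and the triage hints reflect the thread's diagnosis.
"""
import re
from typing import Optional

LDAP_RESULT = {
    16: "noSuchAttribute", 19: "constraintViolation", 32: "noSuchObject",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 68: "entryAlreadyExists",
}
WIN32 = {
    0x5: "ERROR_ACCESS_DENIED", 0x57: "ERROR_INVALID_PARAMETER",
    0x52E: "ERROR_LOGON_FAILURE", 0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}

# AD format: "LDAP: error code N - XXXXXXXX: Kind: DSID-H[, comment: ...][, problem N (MNEMONIC)], data N"
AD_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:, comment: (?P<comment>.*?))?"
    r"(?:, problem (?P<problem>\d+) \((?P<mnemonic>[A-Z_]+)\))?"
    r", data (?P<data>\d+)"
)
# JNDI appends the DN the operation was targeting.
DN_RE = re.compile(r"remaining name '(?P<dn>[^']+)'")


def triage(err: dict) -> str:
    """Turn the decoded fields into the check a practitioner should do next."""
    if err["code"] == 16 and err["win32"] == 0x57:
        return ("a key in the attribute map is not a valid schema attribute for the "
                "target object class, or its value has the wrong syntax; check every "
                "key (sn, not surname; unicodePwd, not password) before blaming the DN")
    if err["code"] == 50:
        return ("the bound service account lacks rights for this operation on the "
                "target DN; check Create Child (user objects) on the target OU")
    if err["code"] == 49:
        return "bind failed: wrong service account credentials"
    return "see the LDAP result code table"


def decode(line: str) -> Optional[dict]:
    """Decode one log line; None if it carries no AD-style LDAP error."""
    m = AD_ERR_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    win32 = int(m["win32"], 16)
    err = {
        "code": code,
        "result": LDAP_RESULT.get(code, "unknown"),
        "win32": win32,
        "win32_name": WIN32.get(win32, "unknown"),
        "kind": m["kind"],            # LdapErr = LDAP layer, SecErr = security check
        "dsid": m["dsid"],
        "comment": m["comment"],
        "problem": int(m["problem"]) if m["problem"] else None,
        "mnemonic": m["mnemonic"],
        "data": int(m["data"]),
    }
    dn = DN_RE.search(line)
    err["dn"] = dn["dn"] if dn else None
    err["hint"] = triage(err)
    return err


# Constructed samples, copied from the error lines quoted in this thread.
LOG_LINES = [
    '"2023-10-20T17:54:36.384+00:00","ecm-worker","","","","2023-10-20T17:54:35.993842568Z stdout F '
    "javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: "
    "DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563 ]; remaining name "
    "'CN=Bairstow Lily,OU=Saviynt,OU=Users,OU=Utility User OU,DC=ABC,DC=NY,DC=com'\"",
    '"2023-10-23T17:20:38.911+00:00","ecm-worker","","","","2023-10-23T17:20:38.331865521Z stdout F '
    "2023-10-23 17:20:38,331 [quartzScheduler_Worker-4] ERROR ldap.SaviyntGroovyLdapService - Error while "
    "creating account in AD - [LDAP: error code 50 - 00000005: SecErr: DSID-03152E13, problem 4003 "
    "(INSUFF_ACCESS_RIGHTS), data 0\"",
]


def decode_all(lines) -> list:
    """Decode every line that carries an AD error, dropping the rest."""
    return [e for e in (decode(l) for l in lines) if e]


if __name__ == "__main__":
    for e in decode_all(LOG_LINES):
        print(f"{e['result']} ({e['code']}), {e['win32_name']}, DSID-{e['dsid']}, dn={e['dn']}")
        print("  ->", e["hint"])
```

The kind field is worth a look on its own: LdapErr with an attribute-conversion comment comes from the LDAP layer rejecting the request before any security check, while SecErr with problem 4003 means the request was well formed and the directory evaluated the ACL on the target container and refused. That ordering is why the permission error only appeared after the attribute error was fixed.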

@mbh_it it seems the service account used in the connection has insufficient privileges to perform the create operation.

Please check.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

mbh_it
Regular Contributor II

Hello Rushikesh/Sumathi,

Thanks for your response.

That is correct; I am also thinking of checking with the customer to make sure they have the correct rights for the account used in the connection for CRUD operations, as this is needed for AD operations.

Thanks

Mahesh

mbh_it
Regular Contributor II

Thanks Rushikesh/Sumathi,

This has been resolved after the customer fixed the permissions for the AD service account.

Also, for the base DN, I removed the CN parameter from the CreateAccountJSON.

Thanks

Mahesh