08/06/2024 03:53 AM
Hi team,
I want to write a single createaccountjson for both service accounts and normal accounts in the LDAP connector for AS400. Below are both the JSONs separately; however, I want to segregate them using conditional logic in the JSON.
Create account JSON for normal accounts, all these attributes are required (in service accounts the attributes which are absent should be null):
08/06/2024 05:45 AM
Yes, you can use the same logic. You can also use the dynamic attribute ACCOUNTTYPE, which is default in every service account request.
08/06/2024 05:55 AM
You mean to say utilizing the accounttype attribute to create something like this:
${if(requestAccessAttributes.get('ACCOUNTTYPE') == 'service account'){'task.accountName'} else {'user.username'}}
And also, if I want to pass null values since it is not needed in a normal account, I can write the logic as mentioned below:
${ServiceAccountOwnerMap.get("ServiceAccountType") == 'service account' ? task?.accountName : ''}
08/06/2024 05:58 AM
Yes
08/06/2024 05:56 AM
Hi @SSinha_ , yes the above logic should work.
Are you using the OOTB AS400 JAR connector?
08/06/2024 06:02 AM
I am using the LDAP connector which works on the IDMWORKS LDAP gateway. Also, how can I use the above logic in a list for the attribute -->
For Normal account
"objectclass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"]
For Service account
"objectClass": [
"domain",
"top"
]
08/06/2024 06:06 AM
Sample below
"objectClass": ${user.employeeclass=='Employee'?'[\"top\",\"person\",\"organizationalPerson\",\"ntUser\",\"inetOrgPerson\",\"hpPerson\",\"hpEmployee\"]':'[\"top\",\"person\",\"organizationalPerson\",\"ntUser\",\"inetOrgPerson\",\"hpPerson\",\"hpContingentWorker\"]'},
08/07/2024 12:48 AM
Thank you for the response. I am trying the same logic in the ACCOUNTNAMERULE attribute but it is not working when combined, and in the docs I do not see any examples:
${if(ServiceAccountOwnerMap.ServiceAccountType.equals('service account'){uid=${task?.accountName},ou=testdc=dev01,dc=com} else
{uid=${user?.customproperty1.toString().toLowerCase()},ou=test,dc=dev01,dc=com'}
Individually they are working but when combined it does not work
08/07/2024 05:13 AM
Any error in logs ? As its working for us
08/09/2024 02:22 AM
I tried a different way and it started working fine. However now I face an LDAP error using the below json in create account json. Without the conditional logic these * values are getting passed fine
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? ${DA} : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? ['*AL', '*AUT', '*IOCFG', '*SEDM'] : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
LDAP: error code 64 - CPD0016:Prompt request in wrong position.:Cause . . . . . : A prompt request character (?) was specified in the wrong position within the command. To prompt for an entire command, specify a single ? at the beginning of the command. Blanks following the prompt character are ignored. To prompt for a selected keyword, specify selective prompt characters before the keyword name. Selective prompt characters which cause a parameter to be selected for prompting are ??, ?*, ?<, ?/, ?&, and ?%. The characters ?- are used to cause a parameter to be omitted. Blanks are not allowed following selective prompt characters. Recovery . . . : Correct the prompt specification and then try the command again.]
08/09/2024 02:34 AM
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL,*AUT,*IOCFG,*SEDM' : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
08/09/2024 02:52 AM
Getting the below error
LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.]
Also wanted to know: while passing the dynamic attribute DA, do we just have to pass it as a normal string rather than ${DA}?
08/09/2024 02:55 AM
I would suggest first passing a static value to get the condition working, and then you can go with dynamic.
08/09/2024 02:59 AM
This json is already working with hardcoded value so I tried to apply the same logic for all attributes
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "*SEDM",
"spcaut": ["*AL", "*AUT", "*IOCFG", "*SEDM"],
"grpprf": "WDM",
"Owner": "*GRF",
"grpauttyp": "*PRATE",
"curlib": "*CRTT",
"inlmnu": "*SIOFF",
"lmtcpb": "*YES",
"jobd": "QBD",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
08/09/2024 06:34 AM
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\,*AUT\\,*IOCFG\\,*SEDM' : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
08/12/2024 04:57 AM
I am getting the below error, although this JSON might be correct because I am getting the same error for the JSON which was previously working. I will update if this works.
Checking DN for uid=JSSNTEST,ou=test,dc=tes,dc=com.Error while searching for DN-LDAP response read timed out, timeout used: 50000 ms. SAV-Error while creating account,Could not find a unique DN to provision
08/12/2024 05:02 AM
Do hardcoded values work?
08/12/2024 05:55 AM
This JSON was working fine on Friday but today it is giving the same error as I mentioned
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "*SEDM",
"spcaut": ["*AL", "*AUT", "*IOCFG", "*SEDM"],
"grpprf": "WDM",
"Owner": "*GRF",
"grpauttyp": "*PRATE",
"curlib": "*CRTT",
"inlmnu": "*SIOFF",
"lmtcpb": "*YES",
"jobd": "QBD",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
08/12/2024 05:56 AM
Did you compare the logs?
08/12/2024 06:03 AM
Getting this for now, not sure why suddenly it started giving naming exception error
"ldap.SaviyntGroovyLdapService","quartzScheduler_Worker-6-jlm7d","ERROR","Error while searching for DN-LDAP response read timed out, timeout used: 50000 ms."
"2024-08-12T11:24:03.226+00:00","ecm-worker","","null-jlm7d","","javax.naming.NamingException: LDAP response read timed out, timeout used: 50000 ms.; remaining name 'uid=JSSNTEST,ou=test,dc=test,dc=com' at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:129) at com.sun.jndi.ldap.Connection.readReply(Connection.java:469) at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2013) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1872) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at com.saviynt.ldap.SaviyntGroovyLdapService.verifyDN(SaviyntGroovyLdapService.groovy:9694) at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure2_closure136.doCall(SaviyntGroovyLdapService.groovy:535) at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure2.doCall(SaviyntGroovyLdapService.groovy:527) at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:248) at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:11782) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure50.doCall(ArsTaskHelperService.groovy:3079) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:3070) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:175) at 
com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
"2024-08-12T11:24:03.153+00:00","ecm-worker","ldap.SaviyntGroovyLdapService","quartzScheduler_Worker-6-jlm7d","ERROR","Error while creating account - JSSNTEST removing tasks from the list,Could not find a unique DN to provision "
08/12/2024 06:14 AM
Read timeout is an issue with server connectivity. Check with the application owner.
08/12/2024 08:01 AM - edited 08/12/2024 08:01 AM
I checked with the app team and the issue is fixed; however, I tried the latest JSON you sent me and this is the error
Checking DN for uid=JSSNNTST,ou=test,dc=test,dc=com.Not FOund DN for uid=JSSNNTST,ou=test,dc=test,dc=com. Error while creating account in AD - [LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL\ '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.]
08/12/2024 09:17 AM
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\\\,*AUT\\\\,*IOCFG\\\\,*SEDM' : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
08/12/2024 09:40 AM
Same error -->
Checking DN for uid=JSSNNTST,ou=test,dc=test,dc=com.Not FOund DN for uid=JSSNNTST,ou=test,dc=test,dc=com. Error while creating account in AD - [LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL\\ '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.
08/12/2024 09:46 AM
Remove and try
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\\\,*AUT\\\\,*IOCFG\\\\,*SEDM' : ''}",
08/13/2024 01:45 AM
Tried it, still getting the same error
08/13/2024 05:15 AM
Below json is working:
{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": ${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '["*AL","*AUT","*IOCFG","*SEDM"]' : '[]'},
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
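The difference between the `spcaut` variants tried in this thread and the working one, as an added example that is not part of the original posts and is not Saviynt code. It assumes the connector renders `${...}` as Groovy template expressions and then parses the result as JSON; `SimpleTemplateEngine` stands in for that step, and the bindings are constructed.

```groovy
import groovy.json.JsonSlurper
import groovy.text.SimpleTemplateEngine

// Assumption: render ${...} first, parse the rendered text as JSON second.
// SimpleTemplateEngine is a stand-in for whatever the connector uses internally.
def render = { String template, Map vars ->
    new SimpleTemplateEngine().createTemplate(template).make(vars).toString()
}

// Constructed bindings for the two request types discussed in the thread.
def requests = [
    service: [ServiceAccountOwnerMap: [ServiceAccountType: 'service account']],
    normal : [ServiceAccountOwnerMap: [ServiceAccountType: 'normal account']]
]

// The three shapes of "spcaut" that appear in the thread.
def variants = [
    // Expression inside JSON quotes, Groovy list as the result:
    // the list is stringified into one JSON string.
    quotedList  : '''{"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? ['*AL', '*AUT', '*IOCFG', '*SEDM'] : ''}"}''',
    // Expression inside JSON quotes, comma-joined string as the result:
    // still one JSON string, now containing literal commas.
    quotedCsv   : '''{"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL,*AUT,*IOCFG,*SEDM' : ''}"}''',
    // Expression outside JSON quotes, result is the text of a JSON array:
    // after rendering, the parser sees a real array (or [] for normal accounts).
    arrayLiteral: '''{"spcaut": ${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '["*AL","*AUT","*IOCFG","*SEDM"]' : '[]'}}'''
]

def slurper = new JsonSlurper()
variants.each { name, template ->
    requests.each { kind, vars ->
        def rendered = render(template, vars)
        def value = slurper.parseText(rendered).spcaut
        def shape = (value instanceof List)
                ? "list with ${value.size()} value(s)"
                : "single string '${value}'"
        println "${name.padRight(12)} ${kind.padRight(7)} ${rendered}"
        println "${' ' * 21}parsed as ${shape}"
    }
}
```

Only the `arrayLiteral` variant produces a multi-valued attribute after parsing; the two quoted variants hand the target a single string, and the objectClass sample posted earlier in the thread relies on the same unquoted-expression technique.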