
AS400 LDAP connector service account json

SSinha_
Regular Contributor

Hi team,

I want to write a single createaccountjson for both service accounts and normal accounts in the LDAP connector for AS400. Below are both the JSONs separately; however, I want to segregate them using conditional logic in the JSON.

Create account JSON for normal accounts, all these attributes are required (in service accounts the attributes which are absent should be null):

{ "cn": "${user.systemUserName}",
"givenName": "${user.firstname}",
"sn": "${user.lastname}",
"MxisID": "${user.username}",
"objectclass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"],
"mail": "${ if(user.email.equals(null)){manager.email} else {user.email}}",
"displayName": "${user.displayname}",
"uid": "${user.username}",
"uniqueID": "${user.username}",
"workforceID": "${user.employeeid}",
"mobile": "${user.phonenumber}",
"ou": "${user.customproperty16}",
"department": "${user.customproperty16}",
"manager": "${managerAccount?.accountID}",
"title": "${(!user.jobcodedesc)?user.jobcodedesc: (user.jobcodedesc.length() >63?user.jobcodedesc.substring(0,63):user.jobcodedesc)}",
"l": "${user.locationdesc}",
"msDS-UserAccountDisabled":"FALSE"
}
 
Create account JSON for service accounts, all these attributes are needed:
{
"uid": "${ServiceAccountOwnerMap.get("ServiceAccountType") == 'service account' ? task?.accountName : user?.username}",
"pwdexp":"*YES",
"pwdexpitv":"*SYSVAL",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
 
As you can see, in uid I have tried to segregate if the service account type is present, but will the same logic work for every attribute?

rushikeshvartak
All-Star

Yes, you can use the same logic. You can also use the dynamic attribute ACCOUNTTYPE, which is default in every service account request.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

You mean to say utilizing the accounttype attribute to create something like this:

${if(requestAccessAttributes.get('ACCOUNTTYPE') == 'service account'){'task.accountName'} else {'user.username'}}

And also, if I want to pass null values since it is not needed in a normal account, I can write logic as mentioned below:

${ServiceAccountOwnerMap.get("ServiceAccountType") == 'service account' ? task?.accountName : ''}

 

Yes


Regards,
Rushikesh Vartak

NM
Esteemed Contributor

Hi @SSinha_ , yes the above logic should work.

Are you using the OOTB AS400 jar connector?

SSinha_
Regular Contributor

I am using the LDAP connector which works on the IDMWORKS LDAP gateway. Also, how can I use the above logic in a list for the attribute-->

For Normal account

"objectclass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"]

For Service account

"objectClass": [
"domain",
"top"
]
@rushikeshvartak 

Sample below

"objectClass": ${user.employeeclass=='Employee'?'[\"top\",\"person\",\"organizationalPerson\",\"ntUser\",\"inetOrgPerson\",\"hpPerson\",\"hpEmployee\"]':'[\"top\",\"person\",\"organizationalPerson\",\"ntUser\",\"inetOrgPerson\",\"hpPerson\",\"hpContingentWorker\"]'},


Regards,
Rushikesh Vartak

Thank you for the response. I am trying the same logic in the ACCOUNTNAMERULE attribute but it is not working when combined, and in the docs I do not see any examples:

${if(ServiceAccountOwnerMap.ServiceAccountType.equals('service account'){uid=${task?.accountName},ou=testdc=dev01,dc=com} else
{uid=${user?.customproperty1.toString().toLowerCase()},ou=test,dc=dev01,dc=com'}

Individually they are working, but when combined it does not work.

Any error in logs? As it's working for us.


Regards,
Rushikesh Vartak

I tried a different way and it started working fine. However, now I face an LDAP error using the below JSON in the create account JSON. Without the conditional logic these * values are getting passed fine.

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? ${DA} : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? ['*AL', '*AUT', '*IOCFG', '*SEDM'] : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}

 

LDAP: error code 64 - CPD0016:Prompt request in wrong position.:Cause . . . . . : A prompt request character (?) was specified in the wrong position within the command. To prompt for an entire command, specify a single ? at the beginning of the command. Blanks following the prompt character are ignored. To prompt for a selected keyword, specify selective prompt characters before the keyword name. Selective prompt characters which cause a parameter to be selected for prompting are ??, ?*, ?<, ?/, ?&, and ?%. The characters ?- are used to cause a parameter to be omitted. Blanks are not allowed following selective prompt characters. Recovery . . . : Correct the prompt specification and then try the command again.]

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL,*AUT,*IOCFG,*SEDM' : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}


Regards,
Rushikesh Vartak

Getting the below error:
LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.]

Also wanted to know: while passing the dynamic attribute DA, do we just have to pass it as a normal string rather than ${DA}?

First pass a static value. I would suggest getting the condition to work, and then you can go with dynamic.


Regards,
Rushikesh Vartak

This JSON is already working with hardcoded values, so I tried to apply the same logic for all attributes.

 

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "*SEDM",
"spcaut": ["*AL", "*AUT", "*IOCFG", "*SEDM"],
"grpprf": "WDM",
"Owner": "*GRF",
"grpauttyp": "*PRATE",
"curlib": "*CRTT",
"inlmnu": "*SIOFF",
"lmtcpb": "*YES",
"jobd": "QBD",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\,*AUT\\,*IOCFG\\,*SEDM' : ''}",
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}


Regards,
Rushikesh Vartak

I am getting the below error, although this JSON might be correct, because I am getting the same error for the JSON which was previously working. I will update if this works.

Checking DN for uid=JSSNTEST,ou=test,dc=tes,dc=com.Error while searching for DN-LDAP response read timed out, timeout used: 50000 ms. SAV-Error while creating account,Could not find a unique DN to provision

Do hardcoded values work?


Regards,
Rushikesh Vartak

This JSON was working fine on Friday, but today it is giving the same error as I mentioned.

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "*SEDM",
"spcaut": ["*AL", "*AUT", "*IOCFG", "*SEDM"],
"grpprf": "WDM",
"Owner": "*GRF",
"grpauttyp": "*PRATE",
"curlib": "*CRTT",
"inlmnu": "*SIOFF",
"lmtcpb": "*YES",
"jobd": "QBD",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}

Did you compare logs?


Regards,
Rushikesh Vartak

Getting this for now, not sure why it suddenly started giving a naming exception error:

"ldap.SaviyntGroovyLdapService","quartzScheduler_Worker-6-jlm7d","ERROR","Error while searching for DN-LDAP response read timed out, timeout used: 50000 ms."
"2024-08-12T11:24:03.226+00:00","ecm-worker","","null-jlm7d","","javax.naming.NamingException: LDAP response read timed out, timeout used: 50000 ms.; remaining name 'uid=JSSNTEST,ou=test,dc=test,dc=com' at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:129) at com.sun.jndi.ldap.Connection.readReply(Connection.java:469) at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2013) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1872) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at com.saviynt.ldap.SaviyntGroovyLdapService.verifyDN(SaviyntGroovyLdapService.groovy:9694) at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure2_closure136.doCall(SaviyntGroovyLdapService.groovy:535) at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure2.doCall(SaviyntGroovyLdapService.groovy:527) at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:248) at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:11782) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure50.doCall(ArsTaskHelperService.groovy:3079) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:3070) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:175) at 
com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
"2024-08-12T11:24:03.153+00:00","ecm-worker","ldap.SaviyntGroovyLdapService","quartzScheduler_Worker-6-jlm7d","ERROR","Error while creating account - JSSNTEST removing tasks from the list,Could not find a unique DN to provision "

Read timeout is an issue with server connectivity. Check with the application owner.


Regards,
Rushikesh Vartak

I checked with the app team and the issue is fixed. However, I tried the latest JSON you sent me and this is the error:

Checking DN for uid=JSSNNTST,ou=test,dc=test,dc=com.Not FOund DN for uid=JSSNNTST,ou=test,dc=test,dc=com. Error while creating account in AD - [LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL\ '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.]

{
  "uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
  "pwdexp": "*NO",
  "cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
  "sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
  "text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
  "usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
  "spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\\\,*AUT\\\\,*IOCFG\\\\,*SEDM' : ''}",
  "grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
  "Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
  "grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
  "curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
  "inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
  "lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
  "jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
  "objectClass": [
    "domain",
    "top"
  ],
  "userPassword": "${randomPassword}"
}

Regards,
Rushikesh Vartak

Same error -->

Checking DN for uid=JSSNNTST,ou=test,dc=test,dc=com.Not FOund DN for uid=JSSNNTST,ou=test,dc=test,dc=com. Error while creating account in AD - [LDAP: error code 19 - CPD0020:Character ',' not valid following string '*AL\\ '.:Cause . . . . . : A delimiter is missing between two values or a delimiter that is not valid was found. Recovery . . . : Change the character that is not valid or if a delimiter is missing insert one. More information on delimiters can be found in the Information Center.

Remove and try

  "spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL\\\\,*AUT\\\\,*IOCFG\\\\,*SEDM' : ''}",

Regards,
Rushikesh Vartak

Tried it, still getting the same error.

SSinha_
Regular Contributor

Below JSON is working:

{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"pwdexp": "*NO",
"cn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.firstname}",
"sn": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '' : user?.lastname}",
"text": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? DA : user?.lastname + ', ' + user?.firstname}",
"usrcls": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SEDM' : ''}",
"spcaut": ${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '["*AL","*AUT","*IOCFG","*SEDM"]' : '[]'},
"grpprf": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'WDM' : ''}",
"Owner": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*GRF' : ''}",
"grpauttyp": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*PRATE' : ''}",
"curlib": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*CRTT' : ''}",
"inlmnu": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*SIOF' : ''}",
"lmtcpb": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*YES' : ''}",
"jobd": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? 'QBD' : ''}",
"objectClass": [
"domain",
"top"
],
"userPassword": "${randomPassword}"
}
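
The difference between the quoted, comma-joined `spcaut` and the unquoted array form from the last post, as an added example that is not part of the thread or Saviynt's code. It assumes the connector's `${...}` evaluation behaves like Groovy's `SimpleTemplateEngine`; the binding values (`SVCTEST01`, `JDOE01`, an empty `ServiceAccountOwnerMap` for normal accounts) and the `findings` check are constructed for illustration.

```groovy
import groovy.json.JsonSlurper
import groovy.text.SimpleTemplateEngine

// Render a createaccountjson template, then parse the result as JSON.
// Assumption: SimpleTemplateEngine stands in for the connector's own evaluation.
Map render(String template, Map values) {
    String text = new SimpleTemplateEngine().createTemplate(template).make(values).toString()
    (Map) new JsonSlurper().parseText(text)
}

// Hypothetical pre-provisioning checks on the rendered payload:
// spcaut must be multi-valued, and a normal account must not carry special authorities.
List<String> findings(Map payload, boolean serviceAccount) {
    List<String> out = []
    def spcaut = payload.spcaut
    if (!(spcaut instanceof List)) {
        out << "spcaut is a single ${spcaut.getClass().simpleName} '${spcaut}', not a JSON array".toString()
    } else if (!serviceAccount && !spcaut.isEmpty()) {
        out << "normal account would receive special authorities ${spcaut}".toString()
    }
    if (!payload.uid) {
        out << 'uid rendered empty'
    }
    out
}

// uid and spcaut lines as posted in the thread: spcaut quoted and comma-joined.
String quoted = '''{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"spcaut": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '*AL,*AUT,*IOCFG,*SEDM' : ''}"
}'''

// Same lines from the working JSON: the expression sits outside the quotes and emits array text.
String array = '''{
"uid": "${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? task?.accountName : user?.customproperty1.toString().toLowerCase()}",
"spcaut": ${ServiceAccountOwnerMap.get('ServiceAccountType') == 'service account' ? '["*AL","*AUT","*IOCFG","*SEDM"]' : '[]'}
}'''

// Constructed request contexts; the names mirror the variables used in the thread.
Map service = [ServiceAccountOwnerMap: [ServiceAccountType: 'service account'],
               task: [accountName: 'SVCTEST01'], user: [customproperty1: 'JDOE01']]
Map normal = [ServiceAccountOwnerMap: [:],
              task: [accountName: null], user: [customproperty1: 'JDOE01']]

[quoted: quoted, array: array].each { name, tpl ->
    [service: service, normal: normal].each { kind, values ->
        Map payload = render(tpl, values)
        println "${name}/${kind}: uid=${payload.uid} spcaut=${payload.spcaut.inspect()} " +
                "findings=${findings(payload, kind == 'service')}"
    }
}
```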