10/31/2022 02:52 AM
We have below JSON in EnableAccountJSON attribute for AD connector. The Enable account task is failing with below error.
SAV-Error while enabling account,No account found using disable rules
JSON:
{
"ATTRIBUTESTOCHECK":{"sAMAccountName":"${user.systemUserName}","uid":"${user.username}"},
"REMOVEGROUPS":"NO",
"USEDNFROMACCOUNT":"YES",
"MOVEDN": "YES",
"AFTERENABLEACTIONS":{"userAccountControl":"512"}
}
10/31/2022 04:34 AM
Try movedn : no
11/02/2022 12:25 AM
Hi Rushikesh,
Still getting the same error.
11/02/2022 12:46 PM
Does the account exist with the specified sAMAccountName & uid?
11/02/2022 01:52 AM
Can you please validate a few items:
ENABLEACCOUNTJSON Sample :
"DISABLEACCOUNTCHECKRULE": "[CN=${user.firstname}${user.lastname},cn=Users,dc=XX,dc=XX,dc=com,CN=${user.firstname}${user.middlename},cn=Users,dc=corpAD,dc=XX,dc=com]",
"ENABLEACCOUNTOU": "OU=CloudUsers,DC=XX,DC=com",
"ATTRIBUTESTOCHECK": "{userAccountControl:514,sn:${user.lastname},cn:${user.firstname}",
"REMOVEGROUPS": "YES",
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "NO",
}
Note :
MOVEDN: Use this attribute to move the account to a different container. When set to Yes, the connector moves the account to a different container. This requires you to specify the name of the new container in the ENABLEACCOUNTOU attribute
11/02/2022 03:59 PM
Hi Rushikesh,
yes the account exists with the same sAMAccountName.
11/03/2022 02:20 AM
You need to try permutations and combinations of the attributes with YES/NO.
11/09/2022 05:59 PM
I have tried all the combinations here and also tried with a simple JSON as below, but it is still throwing the same error
{
"AFTERENABLEACTIONS": {"userAccountControl" : "512","msExchHideFromAddressLists":"FALSE"}
}
SAV-Error while enabling account,No account found using disable rules
11/09/2022 08:55 PM
@jdoma - from the error, it looks like you are missing the following parameter in the JSON - DISABLEACCOUNTCHECKRULE.
11/10/2022 06:10 AM
Hi All,
We are also facing a similar error while enabling the account in AD.
In our case we are not even moving the account to a different OU when it is disabled.
Logs for quick reference :
{"log":"2022-11-10 13:49:21,291 [quartzScheduler_Worker-1] ERROR ldap.SaviyntGroovyLdapService - No account found using disable rules \n","stream":"stdout","time":"2022-11-10T13:49:21.291682965Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,293 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - Inside updateProvisioningTries..\n","stream":"stdout","time":"2022-11-10T13:49:21.293757009Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - Entering provisionAccesstoAccountSaviynt\n","stream":"stdout","time":"2022-11-10T13:49:21.301137606Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - {tmanagement3=[]}\n","stream":"stdout","time":"2022-11-10T13:49:21.301160726Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - EnableAccount\n","stream":"stdout","time":"2022-11-10T13:49:21.301164834Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - accountID before merge = CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com\n","stream":"stdout","time":"2022-11-10T13:49:21.301214753Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,303 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - accountID after merge = CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com\n","stream":"stdout","time":"2022-11-10T13:49:21.303515776Z"}
Any leads would be helpful.
Regards,
Arjun Gadgul
11/10/2022 10:19 PM
@arjungadgul - What is your JSON like? Do you have DISABLEACCOUNTCHECKRULE in the disable account JSON? From the error logs it looks like the rule for DISABLEACCOUNTCHECKRULE parameter is not matching the DN which you have for the disabled account.
11/10/2022 05:16 PM
I'm using the below JSON under EnableAccount.
{
"DISABLEACCOUNTCHECKRULE": ["CN=${user.firstname} ${user.lastname},OU=Deleted Users,OU=TestHSP,DC=AU,DC=AD,DC=HSP"],
"ENABLEACCOUNTOU": "OU=Users,${if(user.siteid.toString().toLowerCase().contains('corp')){'OU=CORPNSW1006,OU=CORP,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
else if(user.siteid.toString().toLowerCase().contains('hosp')){'OU=HOSPACT1018,OU=HOSP,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
else if(user.siteid.toString().toLowerCase().contains('acha')){'OU=ACHA,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
}",
"ATTRIBUTESTOCHECK":{"userAccountControl":"514","healthscopeUID":"${user.username}"},
"REMOVEGROUPS":"NO",
"USEDNFROMACCOUNT":"YES",
"MOVEDN": "YES",
"AFTERENABLEACTIONS":{"userAccountControl":"512","msExchHideFromAddressLists":"FALSE"}
}
Getting below error: Checking DN for CN=D-SAMEER KUMARA908,OU=Deleted Users,OU=TestHSP,DC=AU,DC=AD,DC=HSP. Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object SAV-Error while enabling account,No account found using disable rules.
I can see the user under Deleted Users OU in AD.
11/10/2022 10:20 PM
@jdoma - Could you pls post the logs(not just the error part, at least 100 lines before & after) when a single task is executed for the disable account?
11/12/2022 11:48 AM
11/13/2022 09:38 PM
@jdoma - From the logs it looks like that the search was successful, the application determined the disabled account from LDAP, however the mapping for the DN could be the issue. What is the mapping for distinguished name or DN in the account attributes?
11/13/2022 10:17 PM
@amit_krishnajit - We are using below JSON for EnableAccount
{
"DISABLEACCOUNTCHECKRULE":"[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",
"MOVEDN" : "NO",
"REMOVEGROUPS" : "NO" ,
"AFTERMOVEACTIONS" : { "userAccountControl" : "544" , "lockoutTime":"0"}
}
Now we are getting below error:
SAV-Error while enabling account,Cannot cast object '[CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]' with class 'java.lang.String' to class 'java.util.List'
Regards,
Arjun Gadgul
11/13/2022 10:29 PM
@arjungadgul - the placement of double quotes seems to be incorrect in the JSON for the parameter DISABLEACCOUNTCHECKRULE. It's a list, so the values should have double quotes instead of the list itself.
Incorrect:
"DISABLEACCOUNTCHECKRULE":"[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",
Correct:
"DISABLEACCOUNTCHECKRULE":[ "CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com"],
11/14/2022 11:00 PM
Hello @amit_krishnajit - Thanks, we were able to fix it.
AD connector guide document is misleading -
{
"DISABLEACCOUNTCHECKRULE": "[CN=${user.firstname}${user.lastname},cn=Users,dc=corpAD,dc=abccompany,dc=com,CN=${user.firstname}${user.middlename},cn=Users,dc=corpAD,dc=abccompany,dc=com]",
"ENABLEACCOUNTOU": "OU=CloudUsers,DC=abccompany,DC=com",
"ATTRIBUTESTOCHECK": "{userAccountControl:514,sn:${user.lastname},cn:${user.firstname}",
"REMOVEGROUPS": "YES",
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "NO",
}
If you can get it corrected, please.
Regards,
Arjun Gadgul
11/16/2022 05:24 PM
Thank you all, we are able to fix the issue using the below JSON
{
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "YES",
"REMOVEGROUPS": "NO",
"ENABLEACCOUNTOU":"OU=CloudUsers,DC=abccompany,DC=com",
"healthscopeUID": "${user.username}",
"AFTERMOVEACTIONS" : {
"userAccountControl": "512"}
}
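A pre-deployment check for the two configuration mistakes discussed in this thread (DISABLEACCOUNTCHECKRULE written as a quoted string instead of a list, and MOVEDN set to YES without ENABLEACCOUNTOU), as an added example that is not part of any post and not Saviynt's code. The function name and sample values are hypothetical, and parsing the attribute with a standard JSON parser is an assumption about how the connector reads it.

```python
import json

def lint_enable_account_json(text):
    """Return (key, problem) findings for an EnableAccountJSON value; [] means none."""
    try:
        # strict=False tolerates raw newlines inside strings (multi-line ${...} templates).
        cfg = json.loads(text, strict=False)
    except json.JSONDecodeError as exc:
        return [("<document>", f"not parseable as JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(cfg, dict):
        return [("<document>", "top level must be a JSON object")]

    findings = []
    rule = cfg.get("DISABLEACCOUNTCHECKRULE")
    if isinstance(rule, str):
        # The mistake from the thread: "[CN=...]" is one string, not a list.
        findings.append(("DISABLEACCOUNTCHECKRULE",
                         'string value; write a list with each DN quoted: ["CN=..."]'))
    elif rule is not None:
        if not isinstance(rule, list) or not rule:
            findings.append(("DISABLEACCOUNTCHECKRULE", "must be a non-empty list of DN strings"))
        elif not all(isinstance(dn, str) and dn.strip() for dn in rule):
            findings.append(("DISABLEACCOUNTCHECKRULE", "every element must be a non-empty string"))

    # Per the note in the thread, MOVEDN=YES needs the target container in ENABLEACCOUNTOU.
    if str(cfg.get("MOVEDN", "")).strip().upper() == "YES" and not cfg.get("ENABLEACCOUNTOU"):
        findings.append(("MOVEDN", "YES requires ENABLEACCOUNTOU to name the new container"))
    return findings

# Constructed samples modelled on the configurations posted in this thread.
QUOTED_LIST = '''{
  "DISABLEACCOUNTCHECKRULE": "[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",
  "MOVEDN": "NO",
  "REMOVEGROUPS": "NO"
}'''
PROPER_LIST = '''{
  "DISABLEACCOUNTCHECKRULE": ["CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com"],
  "MOVEDN": "NO",
  "REMOVEGROUPS": "NO"
}'''
MOVE_WITHOUT_OU = '{"USEDNFROMACCOUNT": "YES", "MOVEDN": "YES", "REMOVEGROUPS": "NO"}'

if __name__ == "__main__":
    for name, sample in [("quoted list", QUOTED_LIST), ("proper list", PROPER_LIST),
                         ("move without OU", MOVE_WITHOUT_OU)]:
        print(name, "->", lint_enable_account_json(sample) or "no findings")
```

Running the check before saving the connector configuration surfaces the string-versus-list mistake without waiting for an enable task to fail with the cast error.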