12/20/2022 09:28 PM
Hi,
We have a couple of enterprise roles in place.
Whenever we make a request for that role, a task is generated, but during provisioning the task errors out with the error below.
2022-12-21, 04:04 pm
ecm-worker
{"log":"javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580\u0000]; remaining name 'CN=APP-SAV-DEV-Compliance,OU=Saviynt,OU=Security,OU=Groups,OU=AAD,OU=HSP,DC=AU,DC=AD,DC=HSP'\n","stream":"stdout","time":"2022-12-21T05:04:22.106844017Z"}
When we make a request for another enterprise role, it works fine, but for this one the error occurs.
Can someone help me with this error, as the attribute is not specifically mentioned?
Thanks!
Sanket Bhandhari
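To triage lines like the one quoted in the post above, the following added example (not part of the original thread, and not Saviynt code) decodes the AD extended error string into its LDAP result code, Windows error code, DSID and target DN. The sample line is constructed in the same shape with a placeholder DN; the function and table names are hypothetical.

```python
import json
import re
from collections import Counter

# RFC 4511 result codes commonly seen on attribute writes.
LDAP_RESULT = {16: "noSuchAttribute", 17: "undefinedAttributeType",
               19: "constraintViolation", 20: "attributeOrValueExists",
               21: "invalidAttributeSyntax", 32: "noSuchObject"}
# The leading 8 hex digits of the AD message are a Windows error code.
WIN32 = {0x05: "ERROR_ACCESS_DENIED", 0x57: "ERROR_INVALID_PARAMETER"}

AD_ERR = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): \w+: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), data ")
TARGET = re.compile(r"remaining name '(?P<dn>[^']*)'")

# Constructed sample in the shape of the quoted ecm-worker line (placeholder DN).
SAMPLE = json.dumps({
    "log": "javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - "
           "00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion "
           "operation, data 0, v2580\u0000]; remaining name "
           "'CN=Example-Group,OU=Groups,DC=example,DC=test'\n",
    "stream": "stdout",
    "time": "2022-12-21T05:04:22.106844017Z",
})

def parse_ad_error(line):
    """Return the decoded fields, or None if the line carries no AD LDAP error."""
    try:
        msg = json.loads(line)["log"]      # container-style JSON wrapper
    except (ValueError, KeyError, TypeError):
        msg = line                         # not wrapped: treat as the raw message
    m = AD_ERR.search(msg)
    if not m:
        return None
    dn = TARGET.search(msg)
    code, win32 = int(m["ldap"]), int(m["win32"], 16)
    return {"ldap_code": code, "ldap_name": LDAP_RESULT.get(code, "unknown"),
            "win32": win32, "win32_name": WIN32.get(win32, "unknown"),
            "dsid": m["dsid"], "comment": m["comment"],
            "target_dn": dn["dn"] if dn else None}

def failures_by_target(lines):
    """Count AD errors per target DN to see which group the failures cluster on."""
    hits = (parse_ad_error(line) for line in lines)
    return Counter(h["target_dn"] for h in hits if h)
```
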
12/20/2022 09:31 PM
What is the task type? Share the respective JSON.
12/20/2022 09:33 PM
Hi Rushikesh,
Thanks for replying.
Task type is Add Access.
For JSON, can you please let me know which JSON you are looking for?
Thanks!
Sanket Bhandhari
12/21/2022 09:47 AM
You might encounter this error if either any attribute name or value being passed to AD is incorrect, or one of the attributes you are passing to add access does not exist in AD or is empty.
Please compare these attributes/values with the existing values in AD to see if there is any discrepancy in how the data is being passed. Also, can you please try to pass SUPPORTEMPTYSTRING = true in the connection and see if this works?
If you still can't find the solution, please raise an FD for Saviynt Support to assist you.
12/21/2022 06:21 PM
Thanks for replying, Rushikesh, but if this is the case it should not work for the other enterprise role either.
We are using the same user with the same attributes for both roles.
For one role, it is working as expected.
For the other role, the task errors out.
Thanks!
Sanket Bhandhari
12/22/2022 07:29 AM
Please share more logs
12/22/2022 06:49 PM
12/22/2022 07:37 PM
"ecm-worker","2022-12-23T02:44:01.885+0000","{"log":"2022-12-23 02:44:01,075 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - AD addmap :: [groups:CN=D-TY PARK,OU=Users,OU=ACHASA1177,OU=ACHA,OU=TestHSP,DC=AU,DC=AD,DC=HSP,]\n","stream":"stdout","time":"2022-12-23T02:44:01.075473829Z"}"
"ecm-worker","2022-12-23T02:44:01.885+0000","{"log":"2022-12-23 02:44:01,075 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - AD ADD loop\n","stream":"stdout","time":"2022-12-23T02:44:01.075487498Z"}"
"ecm-worker","2022-12-23T02:44:01.885+0000","{"log":"2022-12-23 02:44:01,229 [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService - Exception \n","stream":"stdout","time":"2022-12-23T02:44:01.229862276Z"}"
"ecm-worker","2022-12-23T02:44:01.885+0000","{"log":"javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580\u0000]; remaining name 'CN=APP-SAV-DEV-ServiceDesk,OU=Saviynt,OU=Security,OU=Groups,OU=AAD,OU=HSP,DC=AU,DC=AD,DC=HSP'\n","stream":"stdout","time":"2022-12-23T02:44:01.229890217Z"}"
"ecm-worker","2022-12-23T02:44:01.885+0000","{"log":"\u0009at
Is this the correct group name?
Also confirmed user does not have role as direct/nested in AD.
12/22/2022 07:43 PM - edited 12/25/2022 07:26 PM
Hi Rushikesh,
We were also able to locate this same error.
The group name is the correct one.
Please find below snippets of the user in Saviynt.
The user does not have any role in AD.
Thanks!
Sanket Bhandhari
12/23/2022 10:58 AM
Is it an SSL or non-SSL connection?
12/25/2022 07:20 PM
Non-SSL Connection
12/25/2022 07:53 PM
Make the connection SSL. It should work.
12/25/2022 08:06 PM
Hi Rushikesh,
How can we make it an SSL connection?
Thanks!
Sanket Bhandhari
12/25/2022 08:39 PM
12/25/2022 09:06 PM
But Rushikesh, I still have one doubt here before proceeding with this.
Why is it working fine for one of the roles even with a non-SSL connection and not working for the other role?
Thanks!
Sanket Bhandhari
12/25/2022 10:17 PM
This is debugging we are checking.
12/25/2022 10:51 PM
I didn't get you, Rushikesh!
Thanks!
Sanket Bhandhari
12/25/2022 11:22 PM
We are trying to check whether it resolves the issue or not.
01/02/2023 09:38 PM
@rushikeshvartak any updates?
01/02/2023 10:20 PM
Raise a Freshdesk ticket.
12/23/2022 02:28 PM
I hope you are making an SSL connection to AD. If not, can you try making an SSL connection to AD and see if it fixes the issue?
12/25/2022 07:21 PM
We are using a non-SSL connection.
12/21/2022 01:32 PM
@Sanket: If I understood your issue, you have a couple of enterprise roles which give access to certain AD entitlements from the same endpoint. One of those enterprise roles, the one reported, is failing to provision the AD entitlement, but the other enterprise roles are working as expected. Is that the correct understanding?
If so, can you check the status of the reported entitlement in Saviynt? Make sure that it is Active vs Inactive. Also, can you confirm that the entitlement does exist on the target?
12/21/2022 06:18 PM - edited 12/21/2022 06:21 PM
Hi SK,
Thanks for replying!
Yes, you have understood the issue correctly.
The status of the reported entitlement in Saviynt is already ACTIVE and it does exist on the target as well.
Thanks!
Sanket Bhandhari
01/15/2023 10:12 PM
We are connecting to AD using port 636, and we have not installed any AD-related SSL certificate in Saviynt, but we are able to connect. I hope that indicates we are using an SSL connection, as we are communicating through 636.
01/16/2023 04:30 AM
If your provisioning works, then there should not be any issues.
01/16/2023 02:58 PM
Thanks, Rushikesh. The problem here is that the same group is working for one user out of 10 users. We tried to compare the attributes between the success and failure users but could not find any. We are still getting the attribute conversion error. We tried to capture logs on the AD side, but there is not much information. Attaching the logs for review.
01/17/2023 09:14 PM
Does this group exist?
addmap :: [groups:CN=D-SAMEER KUMARA911,OU=Users,OU=CORPVIC1006,OU=CORP,OU=TestHSP,DC=AU,DC=AD,DC=HSP,]\n","stream":"stdout","time":"2023-01-16T05:17:40.610695324Z"}"
Share the log for a working user.
01/17/2023 09:58 PM
01/17/2023 09:31 PM
This is the user for whom we tried to provision the group.
01/17/2023 09:50 PM
User active in Saviynt? Lockedstatus?
01/17/2023 10:00 PM
Users are active in Saviynt.
01/23/2023 02:42 PM
What attributes are usually passed from Saviynt to AD during AD group provisioning? As per AD APIs, we need to pass sAMAccountName to add a group at the AD end.