
Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, commen

asharma
Regular Contributor II

Hi Team,

We are getting the errors below while provisioning an AD account from Saviynt. We tried a lot of attributes but keep getting different errors and are unable to provision the account. Below is the list of error messages.

Duplicate New Account Task
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - No such property: departmentnumber for class: com.saviynt.ecm.identitywarehouse.domain.Users Possible solutions: departmentNumber, departmentname
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - No such property: employeetype for class: com.saviynt.ecm.identitywarehouse.domain.Users Possible solutions: employeeType
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - No such property: secondaryphone for class: com.saviynt.ecm.identitywarehouse.domain.Users Possible solutions: secondaryPhone
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - No such property: jobcode for class: com.saviynt.ecm.identitywarehouse.domain.Users Possible solutions: jobCode
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 19 - 00002082: AtrErr: DSID-03151D4E, #1: 0: 00002082: DSID-03151D4E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 6 (c):len 10 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 19 - 00002082: AtrErr: DSID-03151D4E, #1: 0: 00002082: DSID-03151D4E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 6 (c):len 10 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 19 - 00002082: AtrErr: DSID-03151D4E, #1: 0: 00002082: DSID-03151D4E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 6 (c):len 10 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 19 - 00002082: AtrErr: DSID-03151D4E, #1: 0: 00002082: DSID-03151D4E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 6 (c):len 10 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - No such property: passwordexpired for class: SimpleTemplateScript31
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0 ]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]
Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: Error in attribute conversion operation, data 0, v2580]

 

 

 

CreateAccount JSON -

{
"givenName": "${user.firstname}",
"sn": "${user.lastname}",
"displayName": "${user.displayname}",
"sAMAccountName": "${task.accountName}",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"userPrincipalName": "${user.username}@ad.com",
"mailNickname": "${task.accountName}",
"password":"SaviY!nt@007"
}

 

AccountNameRule - 

CN=${task.accountName},OU=UserAcct,OU=Test User Accounts,DC=HB,DC=CORP###CN=${task.accountName}1,OU=UserAcct,OU=Test User Accounts,DC=HB,DC=CORP###CN=${task.accountName}2,OU=UserAcct,OU=Test User Accounts,DC=HB,DC=CORP

CheckForUnique - 

{"email": "${user.firstname}.${user.lastname}@hillenbrand.com###${user.firstname}.${user.lastname}1@hillenbrand.com###${user.firstname}.${user.lastname}2@hillenbrand.com###${user.firstname}.${user.lastname}3@hillenbrand.com###${user.firstname}.${user.lastname}4@hillenbrand.com"}
{"userPrincipalName": "${user.firstname}.${user.lastname}@hillenbrand.com###${user.firstname}.${user.lastname}1@hillenbrand.com###${user.firstname}.${user.lastname}2@hillenbrand.com###${user.firstname}.${user.lastname}3@hillenbrand.com###${user.firstname}.${user.lastname}4@hillenbrand.com"}

 

Please suggest a fix ASAP, as we have been stuck on this point for the last 2 days.


sudeshjaiswal
Saviynt Employee

Hello @asharma

Here are the steps to address the provisioning issues you are facing:

Step 1:
Please verify that the service account being used for the connections has sufficient privileges to perform CRUD operations in Active Directory (AD). It should have the necessary permissions for creating, modifying, and deleting user accounts.

Step 2:
Ensure that your `create-account` JSON includes all the mandatory attributes required for provisioning in AD, such as the `manager` attribute and `departmentNumber`. Based on the error logs you provided, it appears that these attributes are missing. Please refer to the documentation provided below for the specific attributes required and modify your JSON accordingly.

Step 3:
Double-check the Distinguished Name (DN) for the target Organizational Unit (OU) in the `create-account` JSON. The correct DN should be: OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Make sure the DN is accurate and matches the actual location in AD.


For Ref:- https://forums.saviynt.com/t5/saviynt-knowledge-base/ad-integration-for-account-and-access-provision... 

If you find the above response useful, Kindly Mark it as "Accept As Solution".

asharma
Regular Contributor II

Hi Sudesh

I followed your steps and now I am getting the error below.

Checking DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP.Not FOund DN for CN=sharan11,OU=UserAcct,OU=Test User Accounts,DC=HLB,DC=HI,DC=CORP. Error while creating account in AD - Failed to parse template script (your template may contain an error or be trying to use expressions not currently supported): startup failed: SimpleTemplateScript44.groovy: 6: expecting ')', found '}' @ line 6, column 76. != null?user.departmentname:''}\", ^ 1 error

 

 

The JSON I used is below:

{
"accountExpires": "0",
"cn": "${user.systemUserName}",
"co": "${user.country!=null?user.country:''}",
"company": "${user.companyname!=null?user.companyname:''}",
"department": "${ if(user.departmentname != null?user.departmentname:''}",
"departmentNumber": "${user.departmentnumber != null?user.departmentnumber:''}",
"description": "${user.displayname!=null?user.displayname:''}",
"displayName": "${user.displayname!=null?user.displayname:''}",
"employeeID": "${user.employeeid != null ? user.employeeid : ''}",
"employeeType": "${user.employeeType != null ? user.employeeType : ''}",
"givenName": "${user.preferedFirstName!=null?user.preferedFirstName:''}",
"l": "${user.city != null ? user.city : ''}",
"mail": "${user.email != null ? user.email : ''}",
"manager": "${ if (managerAccount == null || managerAccount?.accountID == null || managerAccount?.accountID == '' || managerAccount == '01'){''} else {managerAccount?.accountID} }",
"mobile": "${user.secondaryPhone!=null?user.secondaryPhone:''}",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"sAMAccountName": "${user.systemUserName}",
"sn": "${user.lastname}",
"st": "${user.state != null ? user.state : ''}",
"streetAddress": "${user.street!=null?user.street:''}",
"telephoneNumber": "${user.phonenumber != null ? user.phonenumber : ''}",
"title": "${user.title!=null?user.title:''}",
"userAccountControl": "512",
"userPrincipalName": "${user.email}"
}

sudeshjaiswal
Saviynt Employee

Hello @asharma,

Can you please try the JSON below:


{
  "co": "${user.country}",
  "department": "${user.costcenter}",
  "description": "Created through Saviynt",
  "displayname": "${user.displayname}",
  "division": "${user.departmentNumber}",
  "employeeID": "${user.employeeid}",
  "employeeType": "${user.employeeType}",
  "givenName": "${user.firstname}",
  "info": "Assoc Nbr: ${user.employeeid} Operator ID: ${user.systemUserName} Service Date: ${user.customproperty51} Role: ${user.jobcodedesc}",
  "l": "${user.city}",
  "mail": "${user.email}",
  "mobile": "${user.customproperty8}",
  "otherTelephone": "${user.customproperty14}",
  "postalCode": "${user.customproperty5}",
  "sAMAccountName": "${user.systemUserName}",
  "sn": "${user.lastname}",
  "st": "${user.state}",
  "streetAddress": "${user.street}",
  "telephoneNumber": "${user.phonenumber}",
  "thumbnailPhoto": "${user.customproperty65}",
  "title": "${user.title}",
  "userPrincipalName": "${user.systemUserName}@cerncd.com",
  "objectClass": [
    "top",
    "person",
    "organizationalPerson",
    "user"
  ]
}

Note: The mapping provided in this example JSON is for illustration purposes only. It should be adjusted according to your specific system/setting requirements.


asharma
Regular Contributor II

It works, thank you.

asharma
Regular Contributor II

Kindly reopen,

The code below was working earlier but is not working now.

{
"co": "${user.country}",
"department": "${user.costcenter}",
"description": "Created through Saviynt",
"displayname": "${user.displayname}",
"departmentNumber": "${user.departmentNumber}",
"employeeID": "${user.employeeid}",
"employeeType": "${user.employeeType}",
"givenName": "${user.firstname}",
"info": "Assoc Nbr: ${user.employeeid} Operator ID: ${user.systemUserName} Service Date: ${user.customproperty51} Role: ${user.jobcodedesc}",
"l": "${user.city}",
"mail": "${user.email}",
"mobile": "${user.customproperty8}",
"otherTelephone": "${user.customproperty14}",
"postalCode": "${user.customproperty5}",
"sAMAccountName": "${user.systemUserName}",
"sn": "${user.lastname}",
"st": "${user.state}",
"streetAddress": "${user.street}",
"telephoneNumber": "${user.phonenumber}",
"title": "${user.title}",
"userPrincipalName": "${user.email}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == ''){''} else {managerAccount?.comments} }",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
]
}

 

Please help here; what is going wrong?

sudeshjaiswal
Saviynt Employee

Hello @asharma,

Can you please check if there have been any changes or upgrades to the system or on the AD side? Also, can you verify if the certificate is still valid or if it has expired?
What are you seeing in the logs?

Thanks


asharma
Regular Contributor II

No changes have been made; however, we feel that the Saviynt users have messy data, which may be causing this issue. Moreover, if we want to protect ourselves against failures caused by messy data in the syntax mentioned above, what syntax should we use?

sudeshjaiswal
Saviynt Employee

Hello @asharma,

You can check the history under connections to see when and what changes were made.


Thanks,


asharma
Regular Contributor II

Below is the error message I get when trying to provision/create an account in AD through Saviynt.

Error while creating account in AD - [LDAP: error code 19 - 000021C8: AtrErr: DSID-03200E93, #1: 0: 000021C8: DSID-03200E93, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName) ]
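
The error strings quoted in this thread (the log in the first post and the userPrincipalName failure above) follow two fixed layouts: a Groovy "No such property" message, or an Active Directory message carrying an LDAP result code, a Win32 error code in hex and, for attribute errors, the offending attribute. The Python sketch below is an added example, not part of the original posts or Saviynt's code; it separates template failures from directory rejections, and the LDAP and Win32 names in its lookup tables are the standard names for those codes, not values from the thread.

```python
import re

# Standard names for the LDAP result codes and Win32 error codes seen in the thread.
LDAP_RESULT = {16: "noSuchAttribute", 19: "constraintViolation", 53: "unwillingToPerform"}
WIN32 = {0x57: "ERROR_INVALID_PARAMETER", 0x52D: "ERROR_PASSWORD_RESTRICTION",
         0x2082: "ERROR_DS_RANGE_CONSTRAINT",
         0x21C8: "ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST"}

AD_ERR = re.compile(r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
                    r"(?P<kind>\w+): DSID-")
PROBLEM = re.compile(r"problem \d+ \((\w+)\)")
ATTR = re.compile(r"Att \d+ \((\w+)\)\s*(?::len (\d+))?")
GROOVY = re.compile(r"No such property: (\w+) for class: \S+"
                    r"(?: Possible solutions: (.+))?")

def parse_line(line):
    """Classify one provisioning error line; None if it matches neither layout."""
    m = AD_ERR.search(line)
    if m:  # the request reached the domain controller and was rejected there
        win32 = int(m["win32"], 16)
        prob, att = PROBLEM.search(line), ATTR.search(line)
        return {"source": "directory",
                "ldap": LDAP_RESULT.get(int(m["ldap"]), m["ldap"]),
                "win32": WIN32.get(win32, hex(win32)),
                "problem": prob.group(1) if prob else None,
                "attribute": att.group(1) if att else None,
                "value_len": int(att.group(2)) if att and att.group(2) else None}
    g = GROOVY.search(line)
    if g:  # raised while rendering the template, before any LDAP request
        hints = [s.strip() for s in g.group(2).split(",")] if g.group(2) else []
        return {"source": "template", "property": g.group(1), "suggestions": hints}
    return None

# Error tails copied from the posts above; the "Checking DN ..." prefix is omitted.
SAMPLE = [
    "No such property: departmentnumber for class: com.saviynt.ecm.identitywarehouse"
    ".domain.Users Possible solutions: departmentNumber, departmentname",
    "[LDAP: error code 19 - 00002082: AtrErr: DSID-03151D4E, #1: 0: 00002082: "
    "DSID-03151D4E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 6 (c):len 10 ]",
    "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, "
    "problem 5003 (WILL_NOT_PERFORM), data 0 ]",
    "[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E4C, comment: "
    "Error in attribute conversion operation, data 0, v2580]",
    "[LDAP: error code 19 - 000021C8: AtrErr: DSID-03200E93, #1: 0: 000021C8: DSID-03200E93, "
    "problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName) ]",
]

def triage(lines):
    return [parse_line(line) for line in lines]
```

A `template` result points at a case-sensitive property name in the createAccount JSON, while a `directory` result names, where AD reports one, the attribute whose value the domain controller refused.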

asharma
Regular Contributor II

It is working now; the issue was with the data I was entering while creating the user.

sudeshjaiswal
Saviynt Employee

Hello @asharma,

Thanks for the confirmation that the issue has been resolved.
