04/29/2024 11:11 AM
Hi,
I am trying to provision an AD account via Saviynt and getting the following error:
My createaccountjson:
{
"co": "${user.country}",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayname": "${user.username}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"userPrincipalName": "${user.username}@domain.org",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
]
}
AccountNameRule:
CN=${user.username},OU=Saviynt_Dev_1,OU=Saviynt UAT,OU=XXX,DC=XXX,DC=XXX
Thank you.
04/29/2024 11:23 AM
@TheSaviyntBoy can you check whether you have access to create accounts in AD or not, check with them
04/29/2024 11:44 AM
Service Account in AD Connector does not have sufficient access to create account in AD.
LDAP error code 50 typically indicates that the requested operation is not permitted. In the context of Active Directory (AD), this error commonly occurs due to insufficient permissions or access rights. To resolve this issue, you need to ensure that the account used to perform the operation has appropriate permissions in the AD environment.
Create User Objects: The service account must have the "Create User Objects" permission on the desired Organizational Unit (OU) or container where the user accounts will be created. This permission allows the service account to create new user objects within that OU.
04/29/2024 12:00 PM
The service account that you are using doesn't have enough permission.
Can you try one thing?
Try to create the same account directly in AD with the same service account and see if the account is getting created successfully.
05/02/2024 12:47 AM
It was the permission issue for that particular OU. Thank you @Raghu @rushikeshvartak @dgandhi
But now I am getting a different error:
2024-05-02T13:02:37+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-6qp52-ERROR-Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C0912F3, comment: Error in attribute conversion operation, data 0, v4f7c]
CreateAccountJSON:
{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static COmpany value",
"department": "${user.departmentname}",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customProperty1}",
"email": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}
I suspect one of the attributes here is breaking?
Thank you.
05/02/2024 12:52 AM
@TheSaviyntBoy try changing it like below and check it
"employeeNumber": "${user.customproperty1}",
05/02/2024 12:59 AM
Still getting the same error. Also updating the createaccountjson, missed a few attributes in the previous one.
{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static company name",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"mail": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}
05/02/2024 10:01 PM
Remove manager attribute
05/02/2024 11:26 PM
Validate with the samples from these threads:
Solved: Error in my createaccountjson for Active Directory - Saviynt Forums - 20690
Solved: Create Account Json - Manager - Saviynt Forums - 24866
05/07/2024 12:10 AM
The "password" attribute was causing the issue, as well as the permissions issue too. It's working now.
Thank you guys.
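A pre-deployment lint for the createaccountjson discussed in this thread, as an added example (not code from the posters or from Saviynt): it flags keys outside an allow-list of AD attribute names, literal credentials, and a manager template with an empty-string branch. The function name, the allow-list and the sample are assumptions constructed for illustration.

```python
import json
import re

# Assumption: allow-list of AD user attribute names (lDAPDisplayName), limited
# to names used in the thread plus unicodePwd. In practice, build this set from
# the schema of the target directory.
KNOWN_ATTRS = {a.lower() for a in (
    "accountExpires", "co", "company", "department", "description",
    "displayName", "employeeNumber", "employeeType", "givenName", "l", "mail",
    "mailNickname", "manager", "name", "objectClass", "pwdLastSet",
    "physicalDeliveryOfficeName", "sAMAccountName", "sn", "st", "title",
    "unicodePwd", "userAccountControl", "userPrincipalName")}
SECRET_KEYS = {"password", "unicodepwd", "userpassword"}
TEMPLATE = re.compile(r"\$\{.*\}", re.S)       # a ${...} binding
EMPTY_BRANCH = re.compile(r"\{\s*''\s*\}")     # Groovy branch yielding ''

def lint_createaccountjson(text):
    """Return sorted (key, finding) pairs for a createaccountjson document."""
    findings = []
    for key, value in json.loads(text).items():
        k = key.lower()                        # LDAP attribute names are case-insensitive
        if k not in KNOWN_ATTRS:
            findings.append((key, "not-in-allowlist"))
        if not isinstance(value, str):
            continue
        if k in SECRET_KEYS and not TEMPLATE.search(value):
            findings.append((key, "hardcoded-secret"))
        if k == "manager" and EMPTY_BRANCH.search(value):
            findings.append((key, "may-render-empty"))
    return sorted(findings)

# Constructed sample, trimmed from the JSON posted in the thread; the password
# value is a placeholder.
SAMPLE = r"""{
  "mail": "${user.email}",
  "email": "${user.email}",
  "manager": "${ if (managerAccount == null || managerAccount?.comments == ''){''} else {managerAccount?.comments} }",
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "sAMAccountName": "${user.username}",
  "password": "EXAMPLE-PLACEHOLDER",
  "userAccountControl": 512
}"""

if __name__ == "__main__":
    for key, finding in lint_createaccountjson(SAMPLE):
        print(f"{key}: {finding}")
```

A key reported as not-in-allowlist is a candidate for the attribute-conversion failure seen in the thread and should be checked against the directory schema before the JSON is deployed.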