04/12/2022 01:22 PM
Hi Everyone,
I am trying to configure a new connection to provision admin accounts via birthright assignment (a secondary one, in addition to the regular primary AD account, which is already getting provisioned fine).
I seem to be getting stuck on the Accountname rule. The configuration for primary AD accounts was already set up and those accounts are already getting provisioned fine.
I went through a couple of questions posted in the forum here and still seem to get stuck.
Could you please check and do the needful?
Here is my sample Create Account JSON:
{
"sAMAccountName": "${user.username.toLowerCase()+'-Admin'}",
"displayName": "${user.lastname.toLowerCase()+'-Admin'},${user.preferedFirstName}",
"userPrincipalName": "${user.username.toLowerCase()+'-Admin'}@XYZ.org",
"name": "${user.lastname.toLowerCase()+'-Admin'},${user.preferedFirstName}",
"cn": "${user.username+'-Admin'}",
"sn": "${user.lastname.toLowerCase()+'-Admin'}",
"pwdLastSet": "0"
}
USER_ATTRIBUTE also has the DN mapped to one of the CPs.
We have the ACCOUNT_ATTRIBUTE with the below entry:
ACCOUNTID::distinguishedName#String,
I am trying to configure the ACCOUNTNAMERULE and tried a few combinations, using a backslash to escape the comma and the space between last name and first name. I have pasted two different messages observed in pending tasks/debug logs.
It seems not to accept the DN.
1) CN=${user?.lastname+'-Admin'}\\\,\ ${user?.firstname},OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
2) CN=${user?.lastname}-Admin\\, ${user?.firstname},OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
3) CN=${user?.lastname+'-Admin'}\\\,\ ${user?.firstname},OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
I can see the user's primary account getting provisioned to this:
CN=Testuser32\, Namedadmin32,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=local
Debug Logs
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)
at javax.naming.ldap.LdapName.parse(LdapName.java:785)
at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
at com.saviynt.ldap.SaviyntGroovyLdapService.escapeLDAPSpecialChars(SaviyntGroovyLdapService.groovy:6924)
at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure3_closure103.doCall(SaviyntGroovyLdapService.groovy:491)
at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure3.doCall(SaviyntGroovyLdapService.groovy:486)
at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:259)
at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:10422)
at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure46.doCall(ArsTaskHelperService.groovy:2883)
at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:2874)
at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:160)
at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:145)
at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:221)
at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)
2022-03-16/13:35:03.222 [{{trace.id,b6510bab7643dd4806b531ba675ecf95}{transaction.id,a1092bc410309272}}] [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - modifieddn = CN=Testuser32-Admin\\, Namedadmin32,OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
2022-03-16/13:35:03.830 [{{error.id,a2cce1df34b0442ad6ee970682bbd821}{trace.id,b6510bab7643dd4806b531ba675ecf95}{transaction.id,a1092bc410309272}}] [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService - Error while creating account ntestu61 in AD - Invalid name: CN=Testuser32-Admin\\, Namedadmin32,OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
javax.naming.InvalidNameException: Invalid name: CN=Testuser32-Admin\\, Namedadmin32,OU=XXXX,OU=XXXX,OU=SystemUsers,DC=XXXX,DC=XXXX,DC=local
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)
at javax.naming.ldap.LdapName.parse(LdapName.java:785)
at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure3.doCall(SaviyntGroovyLdapService.groovy:546)
at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:259)
at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:10422)
at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure46.doCall(ArsTaskHelperService.groovy:2883)
at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:2874)
at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:160)
at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:145)
at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:221)
at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
Error while creating account in AD - Failed to parse template script (your template may contain an error or be trying to use expressions not currently supported): startup failed: SimpleTemplateScript1768.groovy: 1: unexpected char: '\' @ line 1, column 45. N=${user?.lastname+'-Admin'}\\\,\ ${user ^ 1 error
Error while creating account in AD - Failed to parse template script (your template may contain an error or be trying to use expressions not currently supported): startup failed: SimpleTemplateScript1770.groovy: 1: unexpected char: '\' @ line 1, column 45. N=${user?.lastname+'-Admin'}\\\,\ ${user ^ 1 error
Error while creating account in AD - Failed to parse template script (your template may contain an error or be trying to use expressions not currently supported): startup failed: SimpleTemplateScript1772.groovy: 1: unexpected char: '\' @ line 1, column 45. N=${user?.lastname+'-Admin'}\\\,\ ${user ^ 1 error
Thanks
Shyam
04/12/2022 03:08 PM
Shyam,
What is the format of the DN that you are expecting from your logic?
Regards,
Avinash Chhetri
04/12/2022 03:08 PM
Hi Avinash
Thank you for looking into it.
Something like this.
CN=Lastname-Admin\, FirstName,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX
Thanks
Shyam
04/12/2022 03:08 PM
Shyam,
Here's a sample with an if-else that will generate the DN based on the EmployeeType. Give it a try:
${
if(user?.employeeType.equals('Employee'))
{'cn='+user.lastname+'-Admin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
else{'cn='+user.lastname+'-NonAdmin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
}
Regards,
Avinash Chhetri
04/12/2022 03:08 PM
Thanks Avinash,
I tried with the accountname rule suggested and I get:
Checking DN for 'cn='+user.lastname+'-Admin\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'.Error while searching for DN-'cn='+user.lastname+'-Admin\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX': close quote appears before end of component SAV-Error while creating account,Could not find a unique DN to provision
I also tried based on the Account name rule mentioned in the documentation:
CN=${user.lastname}\\, ${user.firstname} (Admin) [${user.username}],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX###
CN=${user.lastname}1\\, ${user.firstname}1 (Admin) [${user.username}1],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX###
CN=${user.lastname}\\, ${user.firstname}2 (Admin) [${user.username}2],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX
I get the below error:
LDAP: error code 34 - 00002081: NameErr: DSID-03050EB3, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of: 'CN=Testuser40\, Namedadmin40 (Admin) [ntestu87],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX' ]
Checking DN for CN=Testuser40\, Namedadmin40 (Admin) [ntestu87],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX.
Not FOund DN for CN=Testuser40\, Namedadmin40 (Admin) [ntestu87],OU=EI,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX.
Error while creating account in AD - CN=Testuser40\, Namedadmin40 (Admin) [ntestu87],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX:
LDAP: error code 34 - 00002081: NameErr: DSID-03050EB3, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of: 'CN=Testuser40\, Namedadmin40 (Admin) [ntestu87],OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX ]
Thanks
Shyam
04/12/2022 03:08 PM
Shyam,
The error says that the DN is already taken in your AD. A DN, or Distinguished Name, is something that has to be unique within the system to uniquely identify an entity.
In this case, you could write additional logic to handle duplicate scenarios; in the example below, I am adding the numeric value 1 after the first name. You can add multiple entries and incorporate the middle initial, substrings of first/last names, etc., to get a unique DN.
${
if(user?.employeeType.equals('Employee'))
{'cn='+user.lastname+'-Admin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
else{'cn='+user.lastname+'-NonAdmin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
}###${
if(user?.employeeType.equals('Employee'))
{'cn='+user.lastname+'-Admin\\, '+user.firstname+'1,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
else{'cn='+user.lastname+'-NonAdmin\\, '+user.firstname+'1,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
}
The second issue is a case of incorrect DN syntax, hence the BAD_ATT_SYNTAX error on the DN.
Please point me to the documentation link.
Regards,
Avinash Chhetri
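As an added example (not Saviynt's code and not from either poster), here is what the `'\\, '` escaping in Avinash's earlier answer and the `###` fallback chain in this one amount to, written as stand-alone Python so it can be checked offline: an RFC 4514 escaper for the CN value, a candidate generator that appends 1, 2, ... when the first DN is already taken, and a strict DN parser that, like the javax.naming.ldap.LdapName call in the stack trace, rejects the doubled backslash seen in the debug log (CN=Testuser32-Admin\\, Namedadmin32). Escaping the whole CN value also keeps a last name that happens to contain a comma or plus sign from being parsed as extra RDNs, which would place the admin account in a container the rule never intended. The base DN, the names and the set of "existing" DNs are constructed sample data; how Saviynt itself escapes or compares DNs is not assumed.

```python
"""Added example, not Saviynt's code: RFC 4514 escaping for the CN of a
secondary admin account, the '###'-style fallback through alternative DNs,
and a strict DN parser that rejects a doubled backslash the way
javax.naming.ldap.LdapName did in the debug log.  Base DN, names and the
set of existing DNs below are constructed sample data."""

# Characters RFC 4514 section 2.4 requires to be escaped inside an RDN value.
_SPECIAL = set('\\,+"<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)          # 'Smith, Eve' -> 'Smith\, Eve'
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')              # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')              # leading number sign
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, unescaped value) pairs.

    Single-byte hex escapes (\\2C) are decoded; multi-valued RDNs ('+') are
    not split.  Like LdapName, a component with no '=' is an error, so
    'CN=a\\\\, b,OU=x' fails: '\\\\' is a literal backslash, the bare ','
    then ends the RDN and ' b' is not attr=value."""
    rdns, attr, value, i = [], None, [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ','          # sentinel closes last RDN
        if ch == '\\':
            if i + 1 >= len(dn):
                raise ValueError('escape at end of DN')
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in ' #=':
                value.append(nxt)
                i += 2
            else:                                   # \XX hex pair
                value.append(bytes.fromhex(dn[i + 1:i + 3]).decode('latin-1'))
                i += 3
            continue
        if ch == '=' and attr is None:
            attr, value = ''.join(value).strip(), []
        elif ch in ',;':
            if not attr:
                raise ValueError(f'component without attribute type before offset {i}')
            rdns.append((attr, ''.join(value)))
            attr, value = None, []
        else:
            value.append(ch)
        i += 1
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True when parse_dn accepts the DN (the check an LDAP client makes before add)."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def admin_dn_candidates(lastname: str, firstname: str, base_dn: str):
    """Yield DNs in the order a '###'-separated AccountNameRule tries them:
    'Lastname-Admin, Firstname', then the same CN with 1, 2, ... appended."""
    cn = f'{lastname}-Admin, {firstname}'
    yield f'CN={escape_rdn_value(cn)},{base_dn}'
    for n in range(1, 10):
        yield f'CN={escape_rdn_value(cn + str(n))},{base_dn}'


def pick_unique_dn(lastname: str, firstname: str, base_dn: str, existing_dns) -> str:
    """First candidate not already in the directory.  AD compares DNs
    case-insensitively, so normalise before the membership test."""
    taken = {d.lower() for d in existing_dns}
    for dn in admin_dn_candidates(lastname, firstname, base_dn):
        if not is_valid_dn(dn):
            raise ValueError(f'malformed candidate DN: {dn}')
        if dn.lower() not in taken:
            return dn
    raise RuntimeError('Could not find a unique DN to provision')


# Constructed sample data (not from the thread's real directory).
BASE_DN = 'OU=Admins,OU=SystemUsers,DC=example,DC=local'
EXISTING = {'CN=Testuser32-Admin\\, Namedadmin32,' + BASE_DN}   # first choice already taken
LOGGED_DN = 'CN=Testuser32-Admin\\\\, Namedadmin32,' + BASE_DN  # doubled backslash as in the log

if __name__ == '__main__':
    print(pick_unique_dn('Testuser32', 'Namedadmin32', BASE_DN, EXISTING))
    print('logged DN valid:', is_valid_dn(LOGGED_DN))
    # A last name carrying a comma stays inside one RDN instead of becoming
    # an extra 'OU=' component that moves the account to another container.
    print(parse_dn(pick_unique_dn('Smith,OU=Domain Admins', 'Eve', BASE_DN, set()))[0])
```

The parser is deliberately strict rather than forgiving: a DN that fails here is one AD will also refuse, so the failure surfaces in the provisioning job with a clear message instead of as an LDAP error 34 after the bind.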
04/12/2022 03:08 PM
Thanks Avinash,
I will give it a try.
I agree the first error says the DN is not unique. It also says:
close quote appears before end of component SAV
I tried to check, but I am not seeing anything related to that.
Also, here is the link from the documentation which I referred to (the second part of my previous message):
AccountNameRule Example 1
Thanks
Shyam
04/12/2022 03:08 PM
Hello Avinash,
I tried the one suggested. I seem to be getting a template script error. Not sure where it is picking it up.
Also, last weekend I was reattempting all the different config changes that I was making to the Accountnamerule and Update Account JSON, and documented the different errors for each modification.
The only other thing I observed was that when I modify the Accountnamerule to just ${user.custompropertyxx}, the task corresponding to the secondary account gets completed; however, in AD I see just the primary account (this CP has the DN of the user) and not the secondary account!
If I try to give something like CN=XXX \\, OU=XXX... in the Accountname rule, it throws LDAP errors.
So I am just trying to escape the DN in the right way to provision this secondary account.
AccountNamerule:
"${
if(user?.employeeType.equals('Employee'))
{'cn='+user.lastname+'-Admin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
else{'cn='+user.lastname+'-NonAdmin\\, '+user.firstname+',OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
}###${
if(user?.employeeType.equals('Employee'))
{'cn='+user.lastname+'-Admin\\, '+user.firstname+’1,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
else{'cn='+user.lastname+'-NonAdmin\\, '+user.firstname+’1,OU=XXX,OU=XXX,OU=SystemUsers,DC=XXX,DC=XXX,DC=XXX'}
}"
Error:
Error while creating account in AD - Failed to parse template script (your template may contain an error or be trying to use expressions not currently supported): startup failed: SimpleTemplateScript39.groovy: 5: expecting ''', found '\n' @ line 5, column 180. XXXX,DC=XXXX,DC=XXX'} ^ 1 error
Thanks
Shyam
04/12/2022 03:08 PM
Shyam,
Please try using the JSON I provided: copy it into a notepad, remove all the newline characters, and then try.
Regards,
Avinash Chhetri