07/29/2024 04:38 AM - last edited on 07/30/2024 03:19 AM by Sunil
Hi Team,
We have a requirement to provision multiple accounts in different OUs in Active Directory for the same user. Under OU=AdminAccounts,OU=People we have different sub-OUs as below.
ACCOUNTNAMERULE : CN=${'admin' + user.customproperty42 + ',OU=' + AdminAccType + ',OU=AdminAccounts,OU=People,DC=XXX'}###CN=${'admin' + user.customproperty42 + '01' +',OU=' + AdminAccType + ',OU=AdminAccounts,OU=People,DC=XXX'}
Note: AdminAccType is a dynamic attribute; the user can select any one sub-OU (Backup Admins, Beacon Admins, DevOPS Admins).
CHECKFORUNIQUE: {
"userPrincipalName":"${'admin'+user.customproperty42}###${'admin'+user.customproperty42}01",
"sAMAccountName":"${'admin'+user.customproperty42}###${'admin'+user.customproperty42}01"
}
We are able to create the first account in any OU successfully, but for the second account it causes an issue with sAMAccountName.
Scenario 1: User ABC has a first account under OU=Backup Admins with the cp42 value ABC, as per the rules mentioned above.
DN ---> CN=adminABC,OU=Backup Admins,OU=AdminAccounts,OU=People
sAMAccountName ---> adminABC
If the same user raises a second AD account under OU=Beacon Admins, it fails to create the second account with the rules mentioned above.
As the DN value is a combination of the CN value and the OU, in this case the AccountNameRule again evaluates the first condition (without 01) because OU=Beacon Admins is a different value, while the sAMAccountName rule evaluates the second condition because the sAMAccountName already exists.
DN ---> CN=adminABC,OU=Beacon Admins,OU=AdminAccounts,OU=People
sAMAccountName ---> adminABC01
Due to the difference between the CN and sAMAccountName values it fails to execute. Is there any way to pass the same value for the DN and the sAMAccountName in these scenarios?
Can you please update on this? Is there any approach to achieve this?
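The divergence described in this post comes from two different uniqueness scopes in Active Directory: a DN only has to be unique within its parent container (so the first CN alternative is free again in a different OU), while sAMAccountName has to be unique across the whole domain (so its first alternative is still taken). The following Python block is an added example, not Saviynt's own rule engine or connector code; it simulates the two `###`-separated alternatives being resolved left to right against a constructed set of existing AD objects, reproduces the mismatch from Scenario 1, and shows one assumed alternative (`aligned_evaluation`) that picks a single suffix index that is free for both attributes. The base DN, the suffix list and the existing account are assumptions made for the example.

```python
# Added example, not Saviynt's own code: simulate how two '###'-separated
# alternatives in ACCOUNTNAMERULE and CHECKFORUNIQUE can be resolved
# independently (reproducing the CN / sAMAccountName mismatch from the post)
# and one way of keeping them aligned. Directory contents are constructed.
from __future__ import annotations

from dataclasses import dataclass

BASE = "OU=AdminAccounts,OU=People,DC=XXX"   # assumed base DN for the example
SUFFIXES = ["", "01"]  # alternative 1 has no suffix, alternative 2 appends "01"


@dataclass(frozen=True)
class AdAccount:
    dn: str
    sam: str


# Constructed state: user ABC (customproperty42 = "ABC") already has the
# first admin account under Backup Admins.
EXISTING = [
    AdAccount(f"CN=adminABC,OU=Backup Admins,{BASE}", "adminABC"),
]


def dn_candidates(cp42: str, acc_type: str) -> list[str]:
    """The ACCOUNTNAMERULE alternatives for a given sub-OU (AdminAccType)."""
    return [f"CN=admin{cp42}{s},OU={acc_type},{BASE}" for s in SUFFIXES]


def sam_candidates(cp42: str) -> list[str]:
    """The CHECKFORUNIQUE alternatives for sAMAccountName."""
    return [f"admin{cp42}{s}" for s in SUFFIXES]


def cn_of(dn: str) -> str:
    """Extract the CN value (the first RDN) from a DN."""
    rdn = dn.split(",", 1)[0]
    if not rdn.upper().startswith("CN="):
        raise ValueError(f"DN does not start with CN=: {dn}")
    return rdn[3:]


def first_unused(candidates: list[str], used: set[str]) -> str:
    """Return the first alternative that is not already in the directory."""
    for c in candidates:
        if c.lower() not in used:  # AD matches DNs and sAMAccountNames case-insensitively
            return c
    raise ValueError("all alternatives are already in use")


def independent_evaluation(cp42: str, acc_type: str,
                           existing: list[AdAccount]) -> tuple[str, str]:
    """Each attribute picks its own first free alternative.

    The DN is unique per parent container, so a different OU makes the first
    DN alternative free again; sAMAccountName is unique domain-wide, so its
    first alternative is still taken. The two values can therefore diverge.
    """
    used_dns = {a.dn.lower() for a in existing}
    used_sams = {a.sam.lower() for a in existing}
    dn = first_unused(dn_candidates(cp42, acc_type), used_dns)
    sam = first_unused(sam_candidates(cp42), used_sams)
    return dn, sam


def aligned_evaluation(cp42: str, acc_type: str,
                       existing: list[AdAccount]) -> tuple[str, str]:
    """Assumed alternative (not a Saviynt feature): walk the alternatives in
    lock-step and take the first suffix that is free for BOTH attributes, so
    the CN and the sAMAccountName always carry the same value."""
    used_dns = {a.dn.lower() for a in existing}
    used_sams = {a.sam.lower() for a in existing}
    for dn, sam in zip(dn_candidates(cp42, acc_type), sam_candidates(cp42)):
        if dn.lower() not in used_dns and sam.lower() not in used_sams:
            return dn, sam
    raise ValueError("all alternatives are already in use")


def consistent(dn: str, sam: str) -> bool:
    """True when the CN of the DN and the sAMAccountName carry the same value."""
    return cn_of(dn).lower() == sam.lower()


if __name__ == "__main__":
    for label, fn in (("independent", independent_evaluation),
                      ("aligned", aligned_evaluation)):
        dn, sam = fn("ABC", "Beacon Admins", EXISTING)
        print(f"{label:12} DN={dn}  sAMAccountName={sam}  "
              f"consistent={consistent(dn, sam)}")
```

Running the block prints the Scenario 1 outcome for the independent evaluation (CN=adminABC with sAMAccountName adminABC01, not consistent) next to the aligned result (CN=adminABC01 with adminABC01). Whichever way the rules are finally expressed, the check worth keeping is `consistent()`: the CN and the sAMAccountName should be compared before the add is attempted, because AD will accept a CN that differs from the sAMAccountName, so a mismatch is a provisioning-logic problem rather than something the directory will reject on its own.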
08/02/2024 05:38 AM
Is it possible to test this by creating it in LDAP/AD directly from an LDAP browser and seeing whether such a scenario is accepted by AD itself?
If it doesn't work in AD, then it will not work from the Connector either.
08/02/2024 06:03 AM - edited 08/02/2024 06:04 AM
What is the base DN in the connection?
Can you share the logs?