We are connected to OUD, where group assignment is based on the isMemberOf (account level) and uniqueMember (group level) attributes.
We reconciled all LDAP groups into Saviynt on the entitlement type isMemberOf; when we try to provision group access, it fails. The provisioning comment is given below.
Error while ADD operation for account-smurfaccount to Group-cn=ABC,ou=Groups,dc=xyzcompany,dc=com in AD - [LDAP: error code 65 - Entry uid=smurfaccount,ou=people,dc=xyzcompany,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry uid=smurfaccount,ou=people,dc=xyzcompany,dc=com violates the Directory Server schema configuration because it includes attribute which is not allowed by any of the objectclasses defined in that entry]
Does the connector look up only the member attribute by default, or does it check uniqueMember too for access assignment?
Missing configuration can cause this error; the settings below are required for addition/removal of access on LDAP targets. Please try the following steps and see if they resolve your issue.
Steps for Solution:
1. Validate the connection configuration at the endpoint
The connection configuration attribute at the endpoint must contain the following setup:
<conf><ADDUSERTOENT>True</ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>
2. Validate customproperty2 of the entitlement type
The customproperty2 of the entitlement type must be set to the attribute which holds the membership in the groups of the LDAP target system. For example, Active Directory groups store their membership in the member attribute of the group; similarly, Open-DJ Directory groups store their membership in the uniqueMember attribute.
3. Re-run the provisioning job (WSRetry) and validate that the task completes successfully.
Thanks & Kind Regards,
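As an added illustration of why step 1 and step 2 above matter (this is example code written here, not Saviynt's connector and not code from the post), the script below does two offline checks a practitioner can run before re-trying provisioning: it parses the endpoint's `<conf>` fragment and reports a missing flag, a flag not set to True, or malformed XML (note that a stray space inside a closing tag such as `</ ADDUSERTOENT>` makes the fragment unparseable), and it pre-checks a planned membership write against a minimal, constructed schema to reproduce the decision behind "error code 65" (objectClassViolation). The schema table, the two sample entries and the DNs are constructed from the post; real directory schemas are far larger. The example also assumes, as is the case in OUD, that isMemberOf is a virtual attribute computed from group membership and therefore not permitted by the account entry's objectClasses, which is why a write of that attribute to `uid=smurfaccount` fails while a write of uniqueMember to the group entry succeeds.

```python
import xml.etree.ElementTree as ET

# Constructed minimal schema for this example: objectClass -> attributes the class permits.
# isMemberOf is deliberately absent: it is a server-computed virtual attribute in OUD,
# not a writable attribute of any user objectClass.
SCHEMA = {
    "top": {"objectClass"},
    "person": {"cn", "sn", "userPassword", "description"},
    "organizationalPerson": {"ou", "title", "telephoneNumber"},
    "inetOrgPerson": {"uid", "mail", "givenName", "displayName"},
    "groupOfUniqueNames": {"cn", "uniqueMember", "description", "owner"},
    "groupOfNames": {"cn", "member", "description", "owner"},
}

# Constructed sample entries using the DNs quoted in the post.
ACCOUNT = {
    "dn": "uid=smurfaccount,ou=people,dc=xyzcompany,dc=com",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
}
GROUP = {
    "dn": "cn=ABC,ou=Groups,dc=xyzcompany,dc=com",
    "objectClass": ["top", "groupOfUniqueNames"],
}

# Flags the accepted answer requires in the endpoint connection configuration.
REQUIRED_FLAGS = ("ADDUSERTOENT", "ADDMEMBERTOENT")


def validate_conf(conf_xml):
    """Check the endpoint <conf> fragment.

    Returns a list of problems; an empty list means the fragment is well-formed
    XML and both required flags are present and set to True.
    """
    try:
        root = ET.fromstring(conf_xml)
    except ET.ParseError as exc:
        return [f"conf is not well-formed XML: {exc}"]
    flags = {child.tag: (child.text or "").strip().lower() for child in root}
    problems = []
    for name in REQUIRED_FLAGS:
        if name not in flags:
            problems.append(f"{name} is missing")
        elif flags[name] != "true":
            problems.append(f"{name} is {flags[name]!r}, expected True")
    return problems


def schema_violation(entry, attribute):
    """Return None if `attribute` may be written to `entry`, otherwise a message
    modelled on the server's objectClassViolation (LDAP error code 65) text."""
    allowed = set()
    for oc in entry["objectClass"]:
        allowed |= SCHEMA.get(oc, set())
    if attribute in allowed:
        return None
    return (f"Entry {entry['dn']} cannot be modified because it includes attribute "
            f"{attribute} which is not allowed by any of the objectclasses defined in that entry")


def plan_membership_add(account, group, membership_attr):
    """Build the modify a group-add needs: append the account DN to the group's
    membership attribute (the value customproperty2 must name), and pre-check
    that attribute against the group's schema before anything is sent."""
    modify = {"dn": group["dn"], "add": {membership_attr: [account["dn"]]}}
    return modify, schema_violation(group, membership_attr)


if __name__ == "__main__":
    posted = "<conf><ADDUSERTOENT>True</ ADDUSERTOENT> <ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>"
    fixed = "<conf><ADDUSERTOENT>True</ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>"
    print("posted conf:", validate_conf(posted) or "ok")
    print("fixed conf: ", validate_conf(fixed) or "ok")
    # Writing the entitlement-type attribute (isMemberOf) to the account reproduces the error.
    print(schema_violation(ACCOUNT, "isMemberOf"))
    # With customproperty2 = uniqueMember the write goes to the group and is schema-legal.
    modify, problem = plan_membership_add(ACCOUNT, GROUP, "uniqueMember")
    print(modify, "->", problem or "ok")
    # customproperty2 = member (the AD convention) would fail against a groupOfUniqueNames group.
    print(plan_membership_add(ACCOUNT, GROUP, "member")[1])
```

Run it as-is to see the posted fragment rejected for the stray space, the isMemberOf write on the account entry rejected, and the uniqueMember write on the group accepted; swap in your own group's objectClasses to confirm which attribute customproperty2 should carry before re-running WSRetry.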