01/24/2024 11:59 PM - edited 01/25/2024 03:25 AM
We are trying to create accounts in Active Directory with the JSON below:
${
Map attrs = new HashMap();
attrs.put('objectclass', ['top', 'person', 'organizationalPerson', 'user']);
if(null!=user.displayname){
attrs.put('displayname', user.displayname);
}
if(null!=user.lastname){
attrs.put('sn', (user.customproperty1 != null)?(user.customproperty1 + ' ' + user.lastname) : user.lastname);
}
if(null!=user.preferedFirstName){
attrs.put('givenName', user.preferedFirstName);
}
if(null!=user.systemUserName){
attrs.put('sAMAccountName', user.systemUserName);
}
if(null!=user.middlename){
attrs.put('middleName', user.middlename);
}
if(null!=user.jobDescription){
attrs.put('title', user.jobDescription);
}
if(null!=user.country){
attrs.put('co', user.country);
}
if(null!=user.customproperty3){
attrs.put('countryCode', user.customproperty3);
}
if(null!=user.street){
attrs.put('streetAddress', user.street);
}
if(null!=user.city){
attrs.put('l', user.city);
}
if(null!=user.state){
attrs.put('st', user.state);
}
if(null!=user.regioncode){
attrs.put('postalCode', user.regioncode);
}
if(null!=user.departmentname){
attrs.put('department', user.departmentname);
}
if(null!=user.customproperty4){
attrs.put('division', user.customproperty4);
}
if(null!=user.email){
attrs.put('userPrincipalName', user.email);
}
if(null!=user.customproperty31){
attrs.put('extensionAttribute2', user.customproperty31);
}
if(null!=user.customproperty2){
attrs.put('extensionAttribute15', user.customproperty2);
}
if(null!=user.siteid){
attrs.put('extensionAttribute3', user.siteid.substring(0,2).toString());
attrs.put('c', user.siteid.substring(0,2).toString());
}
if((user.region=='North America'&&user.customproperty5=='Office') || (user.region=='Europe') || (user.region=='SouthAmerica') || (user.region=='Africa')){
attrs.put('mail', user.email);
attrs.put('targetAddress', 'SMTP:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
attrs.put('mailNickname', user.systemUserName);
attrs.put('msExchRecipientDisplayType', '-2147483642');
attrs.put('msExchRecipientTypeDetails', '2147483648');
attrs.put('msExchRemoteRecipientType', '1');
attrs.put('proxyAddresses', 'SMTP:'+user.email+',smtp:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
}
if(null!=user.customproperty5){
attrs.put('msExchExtensionAttribute16', user.customproperty5);
}
if(user.employeeType=='Employee'||user.employeeType=='Student'){
attrs.put('employeeType', 'Employee');
}else if(user.employeeType!='Third Party'){
attrs.put('employeeType', 'External');
}
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager',managerAccount.comments);
}
if(user.employeeType=='Third Party'){
attrs.put('physicalDeliveryOfficeName', 'EXTERNAL');
}else if(null!=user.customproperty31){
attrs.put('physicalDeliveryOfficeName', user.customproperty31.substring(0,5).toString());
}
attrs.put('accountExpires', user.enddate == null? '9223372036854775807' : (10000*(user.enddate.getTime() + 11644473600000)).toString());
attrs.put('userAccountControl', '514');
attrs.put('iTSMID', 'ARD.' + user.systemUserName);
attrs.put('iTSMLicense', 'READ');
jsonBuilder = new groovy.json.JsonBuilder(attrs);
return jsonBuilder.toString();
}
Below is the Account Attribute JSON for your reference:
[
ACCOUNTID::objectGUID#Binary,
ACCOUNTCLASS::objectClass#String,
COMMENTS::distinguishedName#String,
CREATED_ON::whenCreated#date,
DISPLAYNAME::displayName#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
NAME::sAMAccountName#String,
UPDATEDATE::whenChanged#date,
LASTLOGONDATE::lastLogon#millisec,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY1::mail#String,
CUSTOMPROPERTY2::cn#String,
CUSTOMPROPERTY3::givenName#String,
CUSTOMPROPERTY4::middleName#String,
CUSTOMPROPERTY5::sn#String,
CUSTOMPROPERTY6::title#String,
CUSTOMPROPERTY7::employeeType#String,
CUSTOMPROPERTY8::manager#String,
CUSTOMPROPERTY9::co#String,
CUSTOMPROPERTY10::countryCode#String,
CUSTOMPROPERTY11::streetAddress#String,
CUSTOMPROPERTY12::l#String,
CUSTOMPROPERTY13::st#String,
CUSTOMPROPERTY14::postalCode#String,
CUSTOMPROPERTY15::company#String,
CUSTOMPROPERTY16::department#String,
CUSTOMPROPERTY17::division#String,
CUSTOMPROPERTY21::userPrincipalName#String,
CUSTOMPROPERTY22::userAccountControl#String,
CUSTOMPROPERTY23::targetAddress#String,
CUSTOMPROPERTY24::mailNickname#String,
CUSTOMPROPERTY25::msExchRecipientDisplayType#String,
CUSTOMPROPERTY26::msExchRecipientTypeDetails#String,
CUSTOMPROPERTY27::msExchRemoteRecipientType#String,
CUSTOMPROPERTY29::iTSMID#String,
CUSTOMPROPERTY30::iTSMLicense#String,
CUSTOMPROPERTY32::extensionAttribute1#String,
CUSTOMPROPERTY31::extensionAttribute2#String,
CUSTOMPROPERTY33::extensionAttribute6#String,
CUSTOMPROPERTY34::extensionAttribute3#String,
CUSTOMPROPERTY35::extensionAttribute4#String,
CUSTOMPROPERTY36::extensionAttribute5#String,
CUSTOMPROPERTY37::extensionAttribute7#String,
CUSTOMPROPERTY38::extensionAttribute8#String,
CUSTOMPROPERTY39::extensionAttribute9#String,
CUSTOMPROPERTY40::extensionAttribute10#String,
CUSTOMPROPERTY41::extensionAttribute11#String,
CUSTOMPROPERTY42::extensionAttribute12#String,
CUSTOMPROPERTY43::extensionAttribute13#String,
CUSTOMPROPERTY44::extensionAttribute14#String,
CUSTOMPROPERTY45::extensionAttribute15#String,
CUSTOMPROPERTY46::msExchExtensionAttribute16#String,
CUSTOMPROPERTY47::msExchExtensionAttribute17#String,
CUSTOMPROPERTY48::msExchExtensionAttribute18#String,
CUSTOMPROPERTY49::msExchExtensionAttribute19#String,
CUSTOMPROPERTY50::msExchExtensionAttribute20#String,
CUSTOMPROPERTY51::proxyAddresses#String,
CUSTOMPROPERTY57::c#String,
CUSTOMPROPERTY58::physicalDeliveryOfficeName#String,
RECONCILATION_FIELD::ACCOUNTID
]
If we try to create an account in AD with a manager who does not have an account in AD, the account is created successfully, but when we pass a manager who has a valid AD account, it throws an error and does not let us create the account in AD.
We tried multiple combinations, as described below:
CASE 1 : attrs.put('manager',managerAccount.accountID);
Getting the error below:
2024-01-21T15:05:44+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-tqw9s-ERROR-Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--]
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
CASE 2 : attrs.put('manager',managerAccount.comments);
Getting the error below:
LDAP: error code 34 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0
Also in CASE 2, if the Manager DN is "CN=ABC\, DEF,OU=Users,OU=ABCD,OU=ABCD,OU=Testing,DC=Testing,DC=Test", then during provisioning Saviynt appends one more backslash, giving "CN=ABC\\, DEF,OU=Users,OU=ABCD,OU=ABCD,OU=Testing,DC=Testing,DC=Test", tries to provision this, and then throws the error "Error in conversion attribute".
If the Manager DN has 2 backslashes, Saviynt appends 4 backslashes and tries to provision it.
We tried comments.replace() as well, but in that case we also get the error "LDAP: error code 34 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0,"
If we somehow manage to remove all backslashes from the Manager DN, it gives the error
2024-01-21T15:05:44+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-tqw9s-ERROR-Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--]
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
01/25/2024 07:29 PM - edited 01/26/2024 06:09 AM
${
Map attrs = new HashMap();
attrs.put('objectclass', ['top', 'person', 'organizationalPerson', 'user']);
if(null!=user.displayname){
attrs.put('displayname', user.displayname);
}
if(null!=user.lastname){
attrs.put('sn', (user.customproperty1 != null)?(user.customproperty1 + ' ' + user.lastname) : user.lastname);
}
if(null!=user.preferedFirstName){
attrs.put('givenName', user.preferedFirstName);
}
if(null!=user.systemUserName){
attrs.put('sAMAccountName', user.systemUserName);
}
if(null!=user.middlename){
attrs.put('middleName', user.middlename);
}
if(null!=user.jobDescription){
attrs.put('title', user.jobDescription);
}
if(null!=user.country){
attrs.put('co', user.country);
}
if(null!=user.customproperty3){
attrs.put('countryCode', user.customproperty3);
}
if(null!=user.street){
attrs.put('streetAddress', user.street);
}
if(null!=user.city){
attrs.put('l', user.city);
}
if(null!=user.state){
attrs.put('st', user.state);
}
if(null!=user.regioncode){
attrs.put('postalCode', user.regioncode);
}
if(null!=user.departmentname){
attrs.put('department', user.departmentname);
}
if(null!=user.customproperty4){
attrs.put('division', user.customproperty4);
}
if(null!=user.email){
attrs.put('userPrincipalName', user.email);
}
if(null!=user.customproperty31){
attrs.put('extensionAttribute2', user.customproperty31);
}
if(null!=user.customproperty2){
attrs.put('extensionAttribute15', user.customproperty2);
}
if(null!=user.siteid){
attrs.put('extensionAttribute3', user.siteid.substring(0,2).toString());
attrs.put('c', user.siteid.substring(0,2).toString());
}
if((user.region=='North America'&&user.customproperty5=='Office') || (user.region=='Europe') || (user.region=='SouthAmerica') || (user.region=='Africa')){
attrs.put('mail', user.email);
attrs.put('targetAddress', 'SMTP:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
attrs.put('mailNickname', user.systemUserName);
attrs.put('msExchRecipientDisplayType', '-2147483642');
attrs.put('msExchRecipientTypeDetails', '2147483648');
attrs.put('msExchRemoteRecipientType', '1');
attrs.put('proxyAddresses', 'SMTP:'+user.email+',smtp:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
}
if(null!=user.customproperty5){
attrs.put('msExchExtensionAttribute16', user.customproperty5);
}
if(user.employeeType=='Employee'||user.employeeType=='Student'){
attrs.put('employeeType', 'Employee');
}else if(user.employeeType!='Third Party'){
attrs.put('employeeType', 'External');
}
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager',managerAccount?.comments?.replace('\\', '\\\\')?.replace('/', '\\/'));
}
if(user.employeeType=='Third Party'){
attrs.put('physicalDeliveryOfficeName', 'EXTERNAL');
}else if(null!=user.customproperty31){
attrs.put('physicalDeliveryOfficeName', user.customproperty31.substring(0,5).toString());
}
attrs.put('accountExpires', user.enddate == null? '9223372036854775807' : (10000*(user.enddate.getTime() + 11644473600000)).toString());
attrs.put('userAccountControl', '514');
attrs.put('iTSMID', 'ARD.' + user.systemUserName);
attrs.put('iTSMLicense', 'READ');
jsonBuilder = new groovy.json.JsonBuilder(attrs);
return jsonBuilder.toString();
}
01/26/2024 05:36 AM
Hi @manish97sh
Please refer to the post below for similar use cases on escaping slashes.
How to escape slash in AD distinguishedName to fix... - Saviynt Forums - 29735
Regards,
Dhruv Sharma
01/29/2024 02:08 AM
Hi @rushikeshvartak / @Dhruv_S ,
I tried the script you suggested, but I am still getting the same error.
Please find logs below for your reference:
2024-01-29T15:30:33+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-cz59k-DEBUG-Creating Account dn-CN=Account\, INC India Ltd.,OU=External Accounts,OU=Corp OUs,OU=AGIGATesting,DC=sus-test,DC=com Datamap--[physicalDeliveryOfficeName:EXTERNAL, manager:CN=Cruz\\\\, Abby,OU=Users,OU=GBKNO,OU=EMEA,OU=AGIGATesting,DC=sus-test,DC=com, sAMAccountName:ext-accounta, accountExpires:133519968000000000, iTSMLicense:READ, givenName:AD_Test, UnicodePwd:****, co:Austria, objectclass:[top, person, organizationalPerson, user], iTSMID:ARD.ext-accounta, displayname:Account, INC India Ltd., sn:Account, userAccountControl:514, userPrincipalName:ad_test.account-ext@sus-test.com]
Saviynt is still appending 4 backslashes to the Manager DN.
01/30/2024 12:29 AM
Hi @manish97sh
Please try the syntax below, as per the documentation.
You can retain the backslash character (\) in the distinguishedName (DN) attribute of a manager while provisioning to the target application, using the following syntax in the manager attribute:
${managerAccount.accountID.replace('\', '###UNESCAPEBACKSLASH###')}
Regards,
Dhruv Sharma
02/07/2024 12:55 AM
Hi @Dhruv_S @rushikeshvartak
It's working fine with the JSON below:
attrs.put('manager', managerAccount.comments.replace('\\', '###UNESCAPEBACKSLASH###'));
Thanks