Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Not able to provision Manager attribute in Active Directory

manish97sh
New Contributor III
New Contributor III

We are trying to create accounts in Active Directory with below JSON:

${
Map attrs = new HashMap();

attrs.put('objectclass', ['top', 'person', 'organizationalPerson', 'user']);
if(null!=user.displayname){
attrs.put('displayname', user.displayname);
}
if(null!=user.lastname){
attrs.put('sn', (user.customproperty1 != null)?(user.customproperty1 + ' ' + user.lastname) : user.lastname);
}
if(null!=user.preferedFirstName){
attrs.put('givenName', user.preferedFirstName);
}
if(null!=user.systemUserName){
attrs.put('sAMAccountName', user.systemUserName);
}
if(null!=user.middlename){
attrs.put('middleName', user.middlename);
}
if(null!=user.jobDescription){
attrs.put('title', user.jobDescription);
}
if(null!=user.country){
attrs.put('co', user.country);
}
if(null!=user.customproperty3){
attrs.put('countryCode', user.customproperty3);
}
if(null!=user.street){
attrs.put('streetAddress', user.street);
}
if(null!=user.city){
attrs.put('l', user.city);
}
if(null!=user.state){
attrs.put('st', user.state);
}
if(null!=user.regioncode){
attrs.put('postalCode', user.regioncode);
}
if(null!=user.departmentname){
attrs.put('department', user.departmentname);
}
if(null!=user.customproperty4){
attrs.put('division', user.customproperty4);
}
if(null!=user.email){
attrs.put('userPrincipalName', user.email);
}
if(null!=user.customproperty31){
attrs.put('extensionAttribute2', user.customproperty31);
}
if(null!=user.customproperty2){
attrs.put('extensionAttribute15', user.customproperty2);
}
if(null!=user.siteid){
attrs.put('extensionAttribute3', user.siteid.substring(0,2).toString());
attrs.put('c', user.siteid.substring(0,2).toString());
}
if((user.region=='North America'&&user.customproperty5=='Office') || (user.region=='Europe') || (user.region=='SouthAmerica') || (user.region=='Africa')){
attrs.put('mail', user.email);
attrs.put('targetAddress', 'SMTP:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
attrs.put('mailNickname', user.systemUserName);
attrs.put('msExchRecipientDisplayType', '-2147483642');
attrs.put('msExchRecipientTypeDetails', '2147483648');
attrs.put('msExchRemoteRecipientType', '1');
attrs.put('proxyAddresses', 'SMTP:'+user.email+',smtp:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
}
if(null!=user.customproperty5){
attrs.put('msExchExtensionAttribute16', user.customproperty5);
}
if(user.employeeType=='Employee'||user.employeeType=='Student'){
attrs.put('employeeType', 'Employee');
}else if(user.employeeType!='Third Party'){
attrs.put('employeeType', 'External');
}
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager',managerAccount.comments);
}
if(user.employeeType=='Third Party'){
attrs.put('physicalDeliveryOfficeName', 'EXTERNAL');
}else if(null!=user.customproperty31){
attrs.put('physicalDeliveryOfficeName', user.customproperty31.substring(0,5).toString());
}
attrs.put('accountExpires', user.enddate == null? '9223372036854775807' : (10000*(user.enddate.getTime() + 11644473600000)).toString());
attrs.put('userAccountControl', '514');
attrs.put('iTSMID', 'ARD.' + user.systemUserName);
attrs.put('iTSMLicense', 'READ');

jsonBuilder = new groovy.json.JsonBuilder(attrs);
return jsonBuilder.toString();
}

Below is the Account Attribute JSON for your reference:

[
ACCOUNTID::objectGUID#Binary,
ACCOUNTCLASS::objectClass#String,
COMMENTS::distinguishedName#String,
CREATED_ON::whenCreated#date,
DISPLAYNAME::displayName#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
NAME::sAMAccountName#String,
UPDATEDATE::whenChanged#date,
LASTLOGONDATE::lastLogon#millisec,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY1::mail#String,
CUSTOMPROPERTY2::cn#String,
CUSTOMPROPERTY3::givenName#String,
CUSTOMPROPERTY4::middleName#String,
CUSTOMPROPERTY5::sn#String,
CUSTOMPROPERTY6::title#String,
CUSTOMPROPERTY7::employeeType#String,
CUSTOMPROPERTY8::manager#String,
CUSTOMPROPERTY9::co#String,
CUSTOMPROPERTY10::countryCode#String,
CUSTOMPROPERTY11::streetAddress#String,
CUSTOMPROPERTY12::l#String,
CUSTOMPROPERTY13::st#String,
CUSTOMPROPERTY14::postalCode#String,
CUSTOMPROPERTY15::company#String,
CUSTOMPROPERTY16::department#String,
CUSTOMPROPERTY17::division#String,
CUSTOMPROPERTY21::userPrincipalName#String,
CUSTOMPROPERTY22::userAccountControl#String,
CUSTOMPROPERTY23::targetAddress#String,
CUSTOMPROPERTY24::mailNickname#String,
CUSTOMPROPERTY25::msExchRecipientDisplayType#String,
CUSTOMPROPERTY26::msExchRecipientTypeDetails#String,
CUSTOMPROPERTY27::msExchRemoteRecipientType#String,
CUSTOMPROPERTY29::iTSMID#String,
CUSTOMPROPERTY30::iTSMLicense#String,
CUSTOMPROPERTY32::extensionAttribute1#String,
CUSTOMPROPERTY31::extensionAttribute2#String,
CUSTOMPROPERTY33::extensionAttribute6#String,
CUSTOMPROPERTY34::extensionAttribute3#String,
CUSTOMPROPERTY35::extensionAttribute4#String,
CUSTOMPROPERTY36::extensionAttribute5#String,
CUSTOMPROPERTY37::extensionAttribute7#String,
CUSTOMPROPERTY38::extensionAttribute8#String,
CUSTOMPROPERTY39::extensionAttribute9#String,
CUSTOMPROPERTY40::extensionAttribute10#String,
CUSTOMPROPERTY41::extensionAttribute11#String,
CUSTOMPROPERTY42::extensionAttribute12#String,
CUSTOMPROPERTY43::extensionAttribute13#String,
CUSTOMPROPERTY44::extensionAttribute14#String,
CUSTOMPROPERTY45::extensionAttribute15#String,
CUSTOMPROPERTY46::msExchExtensionAttribute16#String,
CUSTOMPROPERTY47::msExchExtensionAttribute17#String,
CUSTOMPROPERTY48::msExchExtensionAttribute18#String,
CUSTOMPROPERTY49::msExchExtensionAttribute19#String,
CUSTOMPROPERTY50::msExchExtensionAttribute20#String,
CUSTOMPROPERTY51::proxyAddresses#String,
CUSTOMPROPERTY57::c#String,
CUSTOMPROPERTY58::physicalDeliveryOfficeName#String,
RECONCILATION_FIELD::ACCOUNTID
]

If we are trying to create an account in AD with manager (who does not have account in AD), then it is successfully creating account in AD but when we are passing Manager (having valid AD account), then it is throwing error and not letting us to create accounts in AD.

We tried multiple combinations as defined below:

CASE 1 : attrs.put('manager',managerAccount.accountID);

Getting below error

2024-01-21T15:05:44+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-tqw9s-ERROR-Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--]
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)

CASE 2 : attrs.put('manager',managerAccount.comments);

Getting below error

LDAP: error code 34 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0

Also in CASE 2, if Manager DN is as "CN=ABC\, DEF,OU=Users,OU=ABCD,OU=ABCD,OU=Testing,DC=Testing,DC=Test", then in provisioning Saviynt is appending one more backslash as ""CN=ABC\\, DEF,OU=Users,OU=ABCD,OU=ABCD,OU=Testing,DC=Testing,DC=Test" and trying to provision this and then throwing error as "Error in conversion attribute"

If Manager is having 2 backslash in DN then saviynt is appending 4 backslash and trying to provision it.

We tried with comments.replace() as well but in that case also getting error as "LDAP: error code 34 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0,"

If somehow we managed to remove all backslash from Manager DN then it is giving error as 
2024-01-21T15:05:44+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-tqw9s-ERROR-Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--]
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000020B5: AtrErr: DSID-03153438, #1:
2024-01-21T15:05:44+05:30-ecm-worker--null-tqw9s--0: 000020B5: DSID-03153438, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)

5 REPLIES 5

rushikeshvartak
All-Star
All-Star

${
Map attrs = new HashMap();

attrs.put('objectclass', ['top', 'person', 'organizationalPerson', 'user']);
if(null!=user.displayname){
attrs.put('displayname', user.displayname);
}
if(null!=user.lastname){
attrs.put('sn', (user.customproperty1 != null)?(user.customproperty1 + ' ' + user.lastname) : user.lastname);
}
if(null!=user.preferedFirstName){
attrs.put('givenName', user.preferedFirstName);
}
if(null!=user.systemUserName){
attrs.put('sAMAccountName', user.systemUserName);
}
if(null!=user.middlename){
attrs.put('middleName', user.middlename);
}
if(null!=user.jobDescription){
attrs.put('title', user.jobDescription);
}
if(null!=user.country){
attrs.put('co', user.country);
}
if(null!=user.customproperty3){
attrs.put('countryCode', user.customproperty3);
}
if(null!=user.street){
attrs.put('streetAddress', user.street);
}
if(null!=user.city){
attrs.put('l', user.city);
}
if(null!=user.state){
attrs.put('st', user.state);
}
if(null!=user.regioncode){
attrs.put('postalCode', user.regioncode);
}
if(null!=user.departmentname){
attrs.put('department', user.departmentname);
}
if(null!=user.customproperty4){
attrs.put('division', user.customproperty4);
}
if(null!=user.email){
attrs.put('userPrincipalName', user.email);
}
if(null!=user.customproperty31){
attrs.put('extensionAttribute2', user.customproperty31);
}
if(null!=user.customproperty2){
attrs.put('extensionAttribute15', user.customproperty2);
}
if(null!=user.siteid){
attrs.put('extensionAttribute3', user.siteid.substring(0,2).toString());
attrs.put('c', user.siteid.substring(0,2).toString());
}
if((user.region=='North America'&&user.customproperty5=='Office') || (user.region=='Europe') || (user.region=='SouthAmerica') || (user.region=='Africa')){
attrs.put('mail', user.email);
attrs.put('targetAddress', 'SMTP:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
attrs.put('mailNickname', user.systemUserName);
attrs.put('msExchRecipientDisplayType', '-2147483642');
attrs.put('msExchRecipientTypeDetails', '2147483648');
attrs.put('msExchRemoteRecipientType', '1');
attrs.put('proxyAddresses', 'SMTP:'+user.email+',smtp:'+user.systemUserName+'@abcdef.mail.onmicrosoft.com');
}
if(null!=user.customproperty5){
attrs.put('msExchExtensionAttribute16', user.customproperty5);
}
if(user.employeeType=='Employee'||user.employeeType=='Student'){
attrs.put('employeeType', 'Employee');
}else if(user.employeeType!='Third Party'){
attrs.put('employeeType', 'External');
}
if(null!=user.manager && null!=managerAccount)
{
attrs.put('manager',managerAccount?.comments?.replace('\\', '\\\\')?.replace('/', '\\/'));
}
if(user.employeeType=='Third Party'){
attrs.put('physicalDeliveryOfficeName', 'EXTERNAL');
}else if(null!=user.customproperty31){
attrs.put('physicalDeliveryOfficeName', user.customproperty31.substring(0,5).toString());
}
attrs.put('accountExpires', user.enddate == null? '9223372036854775807' : (10000*(user.enddate.getTime() + 11644473600000)).toString());
attrs.put('userAccountControl', '514');
attrs.put('iTSMID', 'ARD.' + user.systemUserName);
attrs.put('iTSMLicense', 'READ');

jsonBuilder = new groovy.json.JsonBuilder(attrs);
return jsonBuilder.toString();
}

 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Hi @manish97sh 

Please refer below post for similar use cases to escape slashes.

How to escape slash in AD distinguishedName to fix... - Saviynt Forums - 29735

Regards,

Dhruv Sharma

Hi @rushikeshvartak / @Dhruv_S ,

I tried with script suggested by you but i am still getting same error.

 

Please find logs below for your reference:

2024-01-29T15:30:33+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-cz59k-ERROR-Error while creating account in AD - CN=Account\, INC India Ltd.,OU=External Accounts,OU=Corp OUs,OU=AGIGATesting,DC=sus-test,DC=com: [LDAP: error code 34 - 00000057: LdapErr: DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563]
 
2024-01-29T15:30:34+05:30-ecm-worker--null-cz59k--javax.naming.InvalidNameException: CN=Account\, INC India Ltd.,OU=External Accounts,OU=Corp OUs,OU=AGIGATesting,DC=sus-test,DC=com: [LDAP: error code 34 - 00000057: LdapErr: DSID-0C091372, comment: Error in attribute conversion operation, data 0, v4563]; remaining name 'CN=Account\, INC India Ltd.,OU=External Accounts,OU=Corp OUs,OU=AGIGATesting,DC=sus-test,DC=com' at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3200) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2998) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:840) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197) at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure2.doCall(SaviyntGroovyLdapService.groovy:834) at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:246) at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:11742) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure50.doCall(ArsTaskHelperService.groovy:3075) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:3066) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:175) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)

2024-01-29T15:30:33+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-cz59k-DEBUG-Creating Account dn-CN=Account\, INC India Ltd.,OU=External Accounts,OU=Corp OUs,OU=AGIGATesting,DC=sus-test,DC=com Datamap--[physicalDeliveryOfficeName:EXTERNAL, manager:CN=Cruz\\\\, Abby,OU=Users,OU=GBKNO,OU=EMEA,OU=AGIGATesting,DC=sus-test,DC=com, sAMAccountName:ext-accounta, accountExpires:133519968000000000, iTSMLicense:READ, givenName:AD_Test, UnicodePwd:****, co:Austria, objectclass:[top, person, organizationalPerson, user], iTSMID:ARD.ext-accounta, displayname:Account, INC India Ltd., sn:Account, userAccountControl:514, userPrincipalName:ad_test.account-ext@sus-test.com]

Saviynt is still appending 4 backslashes in Manager DN.

Hi @manish97sh 

Please try with below syntax as per the documentation.

You can retain the backslash character (\) in the distinguishedName (DN) attribute of a manager while provisioning to the
target application, using the following syntax in the manager attribute:
${managerAccount.accountID.replace('\', '###UNESCAPEBACKSLASH###')}

Regards,

Dhruv Sharma

manish97sh
New Contributor III
New Contributor III

Hi @Dhruv_S @rushikeshvartak 

Its working fine with below JSON:
attrs.put('manager', managerAccount.comments.replace('\\', '###UNESCAPEBACKSLASH###'));

 

Thanks