
Unable to create AD account

sairamya15
New Contributor III

Hi All,

Our source of truth is AD and we are creating users from Saviynt. While creating an AD account from ARS, we are encountering the below error in the provisioning comments.

Provided JSONs below, kindly guide.

User Attribute Mapping

[DISPLAYNAME::displayName#String,
COMPANYNAME::company#String,
lastname::sn#String,
firstname::givenName#String,
TITLE::title#String,
PHONENUMBER::telephoneNumber#String,
COUNTRY::c#String,
ENDDATE::accountExpires#millisec,
location::physicalDeliveryOfficeName#String,
employeetype::extensionAttribute2#String,
STREET::streetAddress#String,
DEPARTMENTNAME::department#String,
username::sAMAccountName#String,
owner::manager#String,
CREATEDATE::whenCreated#date,
employeeid::employeeID#String,
email::mail#String,
State::st#String,
City::l#String,
COMMENTS::distinguishedName#String,
CUSTOMPROPERTY26::objectGUID#Binary,
CUSTOMPROPERTY25::ipPhone#string,
CUSTOMPROPERTY40::distinguishedName#String,
statuskey::userAccountControl#number]

 
Create Account json
-------------------
{
"accountExpires": "0",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeeID": "${user.employeeid}",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"userPrincipalName": "${user.email}",
"name": "${user.displayname}",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"physicaldeliveryofficename": "${user.location}",
"manager": "${managerAccount.accountID}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"title": "${user.title}",
"st": "${user.state}",
"streetAddress": "${user.street}",
"userAccountControl": "${ (user.startdate <= new Date()) ? '512' : '514'}",
"pwdLastSet": "0"
}
 
Account Name Rule
CN=${user.firstname} ${user.lastname},OU=Saviynt_Test,OU=Test Users,OU=Tester Users,DC=TEST,DC=LOCAL
 
Provisioning comments
 
Checking DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXX Users,DC=XXX,DC=LOCAL.Not FOund DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL. Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-031533C8, #1: 0: 000020B5: DSID-031533C8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager) ]Checking DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL.Not FOund DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL. Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-031533C8, #1: 0: 000020B5: DSID-031533C8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager) ]Checking DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=Tester Users,DC=Test,DC=LOCAL.Not FOund DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL. Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-031533C8, #1: 0: 000020B5: DSID-031533C8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager) ]Checking DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL.Not FOund DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL. Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-031533C8, #1: 0: 000020B5: DSID-031533C8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager) ]
 

smitg
Regular Contributor III

Hi @sairamya15 ,

Does the user's manager have an active AD account?

Thanks,
Smitha

sairamya15
New Contributor III

@smitg

Yes 

armaanzahir
Valued Contributor

Hi @sairamya15 ,

The problem seems to be with the manager attribute population.

Can you share the Account_attribute parameter?

What is the accountid on IGA's account profile mapped to on the target AD?

 

In short, you need to make sure that you pass a valid DN value to the manager attribute on AD.

 

"manager": "${managerAccount.accountID}",
 
In case of the above mapping, you need to make sure that the manager has a valid account of AD on IGA and the account id field of his account profile contains his DistinguishedName. 
 
Regards,
Md Armaan Zahir

Hi @armaanzahir 

below is the ACCOUNT_ATTRIBUTE json

[customproperty1::cn#String,
customproperty30::userAccountControl#String,
customproperty2::userPrincipalName#String,
customproperty28::primaryGroupID#String,
lastlogondate::lastLogon#millisec,
displayname::name#String,
customproperty25::company#String,
customproperty20::employeeID#String,
customproperty3::sn#String,
comments::distinguishedName#String,
customproperty4::homeDirectory#String,
lastpasswordchange::pwdLastSet#millisec,
customproperty5::co#String,
customproperty6::employeeNumber#String,
customproperty7::givenName#String,
customproperty8::title#String,
customproperty9::telephoneNumber#String,
customproperty10::c#String,
description::description#String,
customproperty11::uSNCreated#String,
validthrough::accountExpires#millisec,
customproperty12::logonCount#String,
customproperty13::physicalDeliveryOfficeName#String,
updatedate::whenChanged#date,
customproperty14::extensionAttribute1#String,
customproperty15::extensionAttribute2#String,
customproperty16::streetAddress#String,
customproperty17::mailNickname#String,
customproperty18::department#String,
customproperty19::countryCode#String,
name::sAMAccountName#String,
customproperty21::manager#String,
customproperty22::homePhone#String,
customproperty23::mobile#String,
created_on::whenCreated#date,
accountclass::objectClass#String,
accountid::objectGUID#Binary,
customproperty24::userAccountControl#String,
customproperty27::objectSid#Binary,
RECONCILATION_FIELD::customproperty26,
customproperty26::objectGUID#Binary,
customproperty29::st#String]

There's the catch. The accountid is mapped to the ObjectGuid, which is not the manager's DN. The comments field of the account bears the DN of the account.

Use the mapping in your createaccountjson:

"manager": "${managerAccount.comments}"
 
Regards,
Md Armaan Zahir

sairamya15
New Contributor III

Hi @armaanzahir 

We are observing the below error in the provisioning comments

Checking DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXX Users,DC=XXXX,DC=LOCAL.Not FOund DN for CN=asc test01,OU=Saviynt_Test,OU=Test Users,OU=XXXXUsers,DC=XXXX,DC=LOCAL. Error while creating account in AD - [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0 ]
 

smitg
Regular Contributor III

I have observed this error when the user's manager doesn't have an AD account. If you have access to AD, check if you are able to search the manager with DN value = managerAccount.comments.

Thanks,
Smitha

This error is happening because of either an inaccurate useraccountcontrol, the SSL connection, or the password not being sent.

  • Make sure the connection is SSL (URL is ldaps and port 636) in order to create a profile with useraccountcontrol 512.
  • In order to create a profile with useraccountcontrol 512 (which means an active and password-enabled account), we need to send the password on creation, and for that you need to set up the below attributes in the connection.
    (screenshot: armaanzahir_0-1692259993207.png)

Can you verify the above details and check which one might be missing.

UserAccountControl values

Regards,
Md Armaan Zahir
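To make the two failure modes in this thread concrete (a manager value that is an objectGUID rather than a DN, giving CONSTRAINT_ATT_TYPE, and an enabled account with userAccountControl 512 requested without LDAPS or a password, giving WILL_NOT_PERFORM), here is an added pre-flight check in Python. It is example code, not part of this thread or of Saviynt; the regexes, function names, sample GUID and sample manager DN are assumptions.

```python
import re
from datetime import date
from urllib.parse import urlparse

# userAccountControl bits behind the 512 / 514 values used in the createaccountjson.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Rough shapes of a distinguishedName and of a GUID string (assumed patterns), to
# catch the mistake from the thread: passing the manager's objectGUID as "manager".
DN_RE = re.compile(r"^(CN|OU|DC)=[^,]+(,(CN|OU|DC)=[^,]+)*$", re.IGNORECASE)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def decode_uac(value):
    """Names of the flags set in a userAccountControl value (string or int)."""
    bits = int(value)
    return [name for name, bit in (("NORMAL_ACCOUNT", NORMAL_ACCOUNT),
                                   ("ACCOUNTDISABLE", ACCOUNTDISABLE)) if bits & bit]


def uac_for_start_date(startdate_iso, today_iso):
    """Same rule as the ${...} expression in the thread: 512 once started, else 514."""
    return "512" if date.fromisoformat(startdate_iso) <= date.fromisoformat(today_iso) else "514"


def preflight(attrs, ldap_url, password_sent):
    """Problems that would make AD reject this create; attrs is the rendered JSON.

    Only the shape of the manager DN is checked here; whether that DN exists in AD
    (the other WILL_NOT_PERFORM cause raised above) must be confirmed in the directory.
    """
    problems = []
    manager = attrs.get("manager", "")
    if manager and not DN_RE.match(manager):
        hint = " (looks like an objectGUID)" if GUID_RE.match(manager) else ""
        problems.append(f"manager must be a DN, got {manager!r}{hint}: CONSTRAINT_ATT_TYPE")
    if not int(attrs.get("userAccountControl", "514")) & ACCOUNTDISABLE:
        url = urlparse(ldap_url)
        if url.scheme.lower() != "ldaps" or url.port != 636:
            problems.append("enabled account (uAC 512) needs LDAPS on port 636: WILL_NOT_PERFORM")
        if not password_sent:
            problems.append("enabled account (uAC 512) needs a password at creation: WILL_NOT_PERFORM")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the DN follows the Account Name Rule from the thread.
    guid = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    dn = "CN=Jane Manager,OU=Saviynt_Test,OU=Test Users,OU=Tester Users,DC=TEST,DC=LOCAL"
    print(preflight({"manager": guid, "userAccountControl": "512"}, "ldap://dc.test.local:389", False))
    print(preflight({"manager": dn, "userAccountControl": "512"}, "ldaps://dc.test.local:636", True))
```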

sairamya15
New Contributor III

Hi @smitg,

I changed the accountid::manager#string and gave "manager": "${managerAccount.accountID}" in the create account JSON.

Can the error be due to the password?

@sairamya15 - Accountid should ideally be mapped to the objectguid in the account profile. Please make changes to the createaccountjson mapping instead of the accountid mapping and use ${managerAccount.comments}

Regards,
Md Armaan Zahir