
Unable to pass Manager and AccountExpires attributes to AD

Mohit_Sanka
New Contributor III

Hi Team,

We are unable to pass the Manager and Account expires attributes to AD. Below is the JSON we tried:

{
"accountExpires": "${user.enddate != null ? (new Date(user.enddate).getTime() * 10000) + 116444736000000000 : 0}",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"employeenumber":"${user.employeeID==null?'':user.employeeID}",
"userPrincipalName": "${user.email}",
"name": "${user.username}",
"objectClass": ["top","person","organizationalPerson","user"],
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"st": "${user.customproperty10}",
"streetAddress": "${user.street}",
"manager": "${managerAccount.comments}",
"title": "${user.JOB_FUNCTION}",
"description": "${'Created by Saviynt on ' + new Date().format('yyyy-MM-dd')}",
"extensionAttribute3": "${user.customproperty14}",
"userAccountControl": "512"
}

We are trying to pass the Enddate of the user to accountExpires and manager's DN was stored in comments and CP28 of the account. Below is the error we are getting while trying to process the task.

Error for Manager attribute:

Checking DN for CN=lkrshukla,OU=Users,OU=SaviyntOU1,OU=Test,DC=hlm,DC=ssc,DC=lan.Not FOund DN for CN=lkrshukla,OU=Users,OU=SaviyntOU1,OU=Test,DC=hlm,DC=ssc,DC=lan. Error while creating account in AD - [LDAP: error code 19 - 000020B5: AtrErr: DSID-031533C8, #1: 0: 000020B5: DSID-031533C8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager) ]

Binding Map in Logs:
CreateAccount - Binding map is..[ServiceAccountOwnerMap:[:], endpointsObj:Active Directory, entitlementValuesObj:null, manager:ssganguly, usersObj:lkrshukla, randomPassword:****, usersManagerObj:ssganguly, managerAccount:ssganguly, userAttributesMap:[:], password:****, task:com.saviynt.ecm.task.ArsTasks : 80, requestAccessAttributes:[:], user:lkrshukla, account:lkrshukla, arstasksObj:com.saviynt.ecm.task.ArsTasks : 80, accountsObj:[name:lkrshukla]]

 

Error for AccountExpires:

Checking DN for CN=lkrshukla,OU=Users,OU=SaviyntOU1,OU=Test,DC=hlm,DC=ssc,DC=lan.Not FOund DN for CN=lkrshukla,OU=Users,OU=SaviyntOU1,OU=Test,DC=hlm,DC=ssc,DC=lan. Error while creating account in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C0911AD, comment: Error in attribute conversion operation, data 0, v3839]


NM
Honored Contributor III

Hi @Mohit_Sanka , manager attribute of AD requires DN value

Use managerAccount.customproperty37

*Do confirm the customproperty*

Account expire instead of user try sending blank/empty value like this ''


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

Mohit_Sanka
New Contributor III

Hi @NM ,

I did try passing the customproperty like CP28, which has the DN value same as Comments, but I am still getting the same error.
For Account expire we are not getting any error if we are passing 0 as the value.

@Mohit_Sanka To troubleshoot the issue try below JSON and share the logs

{
"accountExpires": "0",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"employeenumber":"${user.employeeID==null?'':user.employeeID}",
"userPrincipalName": "${user.email}",
"name": "${user.username}",
"objectClass": ["top","person","organizationalPerson","user"],
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"st": "${user.customproperty10}",
"streetAddress": "${user.street}",
"manager":"${managerAccount==null?'':managerAccount.comments}",
"title": "${user.job_function}",
"description": "${'Created by Saviynt on ' + new Date().format('yyyy-MM-dd')}",
"extensionAttribute3": "${user.customproperty14}",
"userAccountControl": "512"
}

Regards,
Sumathi Somala


Hi @SumathiSomala ,

We did try to pass the manager details with a null check, but it still failed. Logs are attached below.

Regards,

Mohit.

"manager":"${managerAccount?.accountID}"


Regards,
Rushikesh Vartak

NM
Honored Contributor III

@Mohit_Sanka can you share logs after running prov job?

Also if you try passing account expire field without manager field in json.



Bwagne
New Contributor III

I am also trying to set accountexpires and verified that this works for me in the updateaccountjson:
"accountExpires": "${if(user.enddate != null){10000*(user.enddate.getTime() + 11644646400000)} else {'0'}}",

This is what we use for manager:
"manager": "${managerAccount.accountID !=null?(managerAccount.accountID):''}",

I found it in this SAV document: https://docs.saviyntcloud.com/bundle/ADSI-v2021x/page/Content/Troubleshooting.htm
But it was off by 2 days so I adjusted the offset millisecs at the end and now it assigns the date that's set in end date.

What is not working?


Regards,
Rushikesh Vartak

Mohit_Sanka
New Contributor III

Hi All,

It is working now and we are able to pass Manager and Account expires details to AD. The issue was with different attributes, which were causing an issue and throwing an error when passing Manager or other attributes.

We were able to fix it after some analysis of the attribute mapping.

Thanks & Regards,
Mohit Srinath Sanka.

Please share working JSON


Regards,
Rushikesh Vartak

Please find the working JSON

{
"accountExpires": "${user.enddate == null? '9223372036854775807' : (10000*(user.enddate.getTime() + 11644473600000)).toString()}",
"cn": "${cn}",
"co": "${user.country==null?'':user.country}",
"department": "${user.departmentname==null?'':user.departmentname}",
"displayname": "${user.displayname==null?'':user.displayname}",
"employeetype": "${user.employeeType==null?'':user.employeeType}",
"givenName": "${user.firstname==null?'':user.firstname}",
"mail": "${user.email==null?'':user.email}",
"name": "${user.username==null?'':user.username}",
"objectClass": ["top","person","organizationalPerson","user"],
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname==null?'':user.lastname}",
"userAccountControl": "512",
"manager": "${managerAccount==null?'':managerAccount.customproperty28}",
"employeenumber": "${user.employeeid==null?'':user.employeeid}",
"description": "${'Created by Saviynt on ' + new Date().format('yyyy-MM-dd')}",
"userPrincipalName": "${user.email==null?'':user.email}",
"extensionAttribute3": "${user.customproperty14==null?'':user.customproperty14}",
"title": "${user.job_function==null?'':user.job_function}"
}
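
The accountExpires arithmetic and the manager DN requirement discussed in this thread, as an added example that is not part of any post and is not Saviynt code: a Python sketch that converts an end date to the count of 100-nanosecond ticks since 1601-01-01 UTC that AD stores, decodes it back, and checks a rendered attribute map before provisioning. The function names, the simplified DN pattern, the sample values and the treatment of naive dates as UTC are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_GAP_MS = (UNIX_EPOCH - FILETIME_EPOCH) // timedelta(milliseconds=1)  # 11644473600000
NEVER = 9223372036854775807  # 0x7FFFFFFFFFFFFFFF; AD treats this and 0 as "never expires"
# Simplified DN shape (no escaped commas): attr=value,attr=value[,...]
DN_RE = re.compile(r"[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)+")


def to_account_expires(end):
    """accountExpires string for an end date; NEVER when there is none."""
    if end is None:
        return str(NEVER)
    if end.tzinfo is None:
        end = end.replace(tzinfo=timezone.utc)  # assumption: naive dates are UTC
    unix_ms = (end - UNIX_EPOCH) // timedelta(milliseconds=1)
    return str((unix_ms + EPOCH_GAP_MS) * 10000)  # ms -> 100 ns ticks


def from_account_expires(value):
    """Decode accountExpires back to a UTC datetime, or None for never."""
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def offset_error_days(offset_ms):
    """Days by which a millisecond offset differs from the 1601-to-1970 gap."""
    return (offset_ms - EPOCH_GAP_MS) / 86_400_000


def preflight(attrs):
    """Problems in a rendered attribute map, checked before it is sent to AD."""
    problems = []
    exp = attrs.get("accountExpires")
    if exp is not None and not (re.fullmatch(r"\d{1,19}", exp) and int(exp) <= NEVER):
        problems.append("accountExpires is not a decimal 64-bit integer")
    mgr = attrs.get("manager", "")
    if mgr and not DN_RE.fullmatch(mgr):
        problems.append("manager is not a distinguished name")
    return problems


# Constructed sample: a login name in manager and a float-style expiry value.
SAMPLE = {"accountExpires": "1.34116128E17", "manager": "jdoe"}
```

Decoding a provisioned value with `from_account_expires` and comparing it with the intended end date in UTC shows whether an offset constant shifts the expiry; `offset_error_days` returns 2.0 for 11644646400000 and 0.0 for 11644473600000, the two millisecond offsets posted above.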