Saviynt Forums

WEG · ‎01/11/2023

We have a requirement for unique user CNs as accounts can change OUs based upon their relationship to the organization (temp, contractor, employee,...). How do we check for existing new user CNs in AD and append a numeric suffix if it already exists?

Thank you

rushikeshvartak · ‎01/11/2023

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter04-Application-Management-...

https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g...

HECKFORUNIQUE

Specify this parameter if you want to evaluate the uniqueness of an attribute in the Active Directory domain before it is provisioned. The attribute is evaluated for all provisioning operations and the associated changes are made to it to make it unique. To use this parameter, specify the attributes that you want to check in Active Directory for the unique constraint of rules separated by ###.

Example:

{
"userPrincipalName": "${user.firstname}.${user.lastname}@<specify company name>com###${user.firstname}.${user.lastname}1@<specify company name>.com" , "cn":"${user.lastname}
, ${user.firstname} (Global-V) [${user.username}]###${user.lastname}
, ${user.firstname} (Global-V) [${user.username}1]","name":"${user.username}###${user.username}1###${user.username}2###${user.username}3"
}

-

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

WEG · ‎01/13/2023

Thank you @rushikeshvartak.

This is still an issue. I updated CHECKFORUNIQUE to:
{"cn":"${user.firstname} ${user.lastname}###${user.firstname} ${user.lastname}1###${user.firstname} ${user.lastname}2###${user.firstname} ${user.lastname}3###
${user.firstname} ${user.lastname}4###${user.firstname} ${user.lastname}5###${user.firstname} ${user.lastname}6"}

Here's the ACCOUNTNAMERULE:
${if(user.employeeType == 'EMPLOYEE') {
'CN='+user.firstname+' '+user.lastname+',OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'3,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'4,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'5,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'6,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'
}
else {
'CN='+user.firstname+' '+user.lastname+',OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'2,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'3,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'4,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'5,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'6,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'
}}

CN 'Jack Sparrow' already exists in Employees OU
CN 'Jack Sparrow2' exists in Contractors OU

We're receiving this error trying to provision:
Checking DN for CN=Jack Sparrow,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Checking DN for CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Not FOund DN for CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Error while creating account in AD - CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET:
[LDAP: error code 34 - 00002081: NameErr: DSID-03050F42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
'CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET' ]

LDAP error aside, we still need to first check the CN for uniqueness and then append the appropriate OU.

I appreciate any help you can offer.

WEG

Saviynt Forums

Unique CNs for Users