
Unique CNs for Users

WEG
New Contributor

We have a requirement for unique user CNs as accounts can change OUs based upon their relationship to the organization (temp, contractor, employee,...).  How do we check for existing new user CNs in AD and append a numeric suffix if it already exists?

 

Thank you


rushikeshvartak
All-Star

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter04-Application-Management-...

https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g...

 

 

CHECKFORUNIQUE

Specify this parameter if you want to evaluate the uniqueness of an attribute in the Active Directory domain before it is provisioned. The attribute is evaluated for all provisioning operations and the associated changes are made to it to make it unique. To use this parameter, specify the attributes that you want to check in Active Directory for the unique constraint of rules separated by ###.

Example:

{
"userPrincipalName": "${user.firstname}.${user.lastname}@<specify company name>.com###${user.firstname}.${user.lastname}1@<specify company name>.com",
"cn": "${user.lastname}, ${user.firstname} (Global-V) [${user.username}]###${user.lastname}, ${user.firstname} (Global-V) [${user.username}1]",
"name": "${user.username}###${user.username}1###${user.username}2###${user.username}3"
}

 

 

 

-


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

 

Thank you @rushikeshvartak

This is still an issue. I updated CHECKFORUNIQUE to:
{"cn":"${user.firstname} ${user.lastname}###${user.firstname} ${user.lastname}1###${user.firstname} ${user.lastname}2###${user.firstname} ${user.lastname}3###
${user.firstname} ${user.lastname}4###${user.firstname} ${user.lastname}5###${user.firstname} ${user.lastname}6"}

Here's the ACCOUNTNAMERULE:
${if(user.employeeType == 'EMPLOYEE') {
'CN='+user.firstname+' '+user.lastname+',OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'3,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'4,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'5,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'6,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET'
}
else {
'CN='+user.firstname+' '+user.lastname+',OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'2,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'3,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'4,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'5,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'+'###'+
'CN='+user.firstname+' '+user.lastname+'6,OU=Contractors,OU=Test Users,OU=Users,DC=TEST,DC=NET'
}}

CN 'Jack Sparrow' already exists in Employees OU
CN 'Jack Sparrow2' exists in Contractors OU

We're receiving this error trying to provision: 
Checking DN for CN=Jack Sparrow,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Checking DN for CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Not FOund DN for CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET.
Error while creating account in AD - CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET:
[LDAP: error code 34 - 00002081: NameErr: DSID-03050F42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
'CN=Jack Sparrow2,OU=Employees,OU=Test Users,OU=Users,DC=TEST,DC=NET' ]

LDAP error aside, we still need to first check the CN for uniqueness and then append the appropriate OU.

I appreciate any help you can offer.

WEG
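
In the log above each candidate is checked as a full DN, so "Jack Sparrow2" in the Contractors OU is not seen when the Employees OU is checked. The sketch below is an added example, not Saviynt connector code or part of the original posts: it picks the first candidate CN that is unused in any OU and only then appends the OU. The function names are hypothetical, and the in-memory list is a constructed stand-in for a domain-wide directory search.

```python
import re

# Constructed directory contents, taken from the scenario in the post above.
BASE = "OU=Test Users,OU=Users,DC=TEST,DC=NET"
EXISTING_DNS = [
    f"CN=Jack Sparrow,OU=Employees,{BASE}",
    f"CN=Jack Sparrow2,OU=Contractors,{BASE}",
]
SUFFIXES = ("", "2", "3", "4", "5", "6")  # same order as the ACCOUNTNAMERULE above


def leading_cn(dn):
    """Return the unescaped value of the first RDN of a DN (RFC 4514 string form)."""
    rdn = re.match(r"(?:\\.|[^\\,])*", dn).group(0)  # stop at the first unescaped comma
    attr, _, value = rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"first RDN is not a CN: {dn!r}")
    # Undo "\2C"-style hex pairs (ASCII only) and single-character escapes.
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def escape_rdn_value(value):
    """Escape the RFC 4514 special characters in an RDN value (NUL is not handled)."""
    out = re.sub(r'[",+;<>\\]', lambda m: "\\" + m.group(0), value)
    if value[:1] in (" ", "#"):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out


def build_unique_dn(first, last, employee_type, existing_dns):
    """Choose a CN that no entry in any OU uses, then place it in the target OU."""
    # Compare CN values only, ignoring the OU part; casefold() models AD's
    # case-insensitive matching on cn.
    taken = {leading_cn(dn).casefold() for dn in existing_dns}
    ou = "Employees" if employee_type == "EMPLOYEE" else "Contractors"
    for suffix in SUFFIXES:
        cn = f"{first} {last}{suffix}"
        if cn.casefold() not in taken:
            return f"CN={escape_rdn_value(cn)},OU={ou},{BASE}"
    raise LookupError("all candidate CNs are already in use")


if __name__ == "__main__":
    print(build_unique_dn("Jack", "Sparrow", "EMPLOYEE", EXISTING_DNS))
```
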