Use Case
In an AD connection, child endpoints can be created from groups by defining the mapping in Endpoint Filters. These child endpoints have no real existence in the target; they are only a representation in the SSM UI that points at the same AD account and group as the parent endpoint.
Problem Statement / Error Observed
During one-click disable, SSM creates deprovisioning tasks for the parent AD account and its entitlements, plus separate tasks for the child account and child entitlement removal. The account name in the child task is identical to the parent account name, and the child entitlement is one of the parent's entitlements. When the provisioning job runs, the account removal for the parent AD endpoint executes first and suspends the account. When the child endpoint's removal task runs next, it looks for an active account with that name and finds none, because the target holds only one account and it has just been disabled. The child task therefore errors out and is never completed.
Error in the logs:
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number of Distinct Ent Types for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number Distinct Ent Values for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD - Cannot invoke method contains() on null object
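The task ordering described above, as an added example that is not Saviynt or AD code: an in-memory directory stands in for AD, and two hypothetical handlers stand in for the connector's account-removal logic. The strict handler only recognises an active account and fails on the child task the same way the "contains() on null object" error does; the tolerant handler (an assumption of this example, not the fix from this article) treats an already-disabled account as a completed removal. Account names, group DNs and the endpoint labels are constructed sample data.

```python
"""Constructed model of the one-click-disable ordering problem.
Not Saviynt or AD code: an in-memory directory stands in for AD and two
hypothetical handlers stand in for the connector's account-removal logic."""
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x2     # userAccountControl bit AD sets on a disabled account
NORMAL_ACCOUNT = 0x200   # userAccountControl bit for an ordinary user object


@dataclass
class AdAccount:
    sam_account_name: str
    user_account_control: int = NORMAL_ACCOUNT
    member_of: list = field(default_factory=list)

    @property
    def active(self) -> bool:
        return not (self.user_account_control & ACCOUNTDISABLE)


class FakeDirectory:
    """Stands in for the LDAP search the connector performs against AD."""

    def __init__(self, accounts):
        self._by_name = {a.sam_account_name: a for a in accounts}

    def find_active(self, name):
        # Equivalent of searching with
        # (&(sAMAccountName=<name>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
        acct = self._by_name.get(name)
        return acct if acct is not None and acct.active else None

    def find_any(self, name):
        # Same search without the "not disabled" clause.
        return self._by_name.get(name)


def disable_strict(directory, name, entitlements):
    """Models the observed behaviour: only an *active* account is recognised.
    Once the parent task has disabled it, the lookup returns None and the
    entitlement check fails like the Groovy 'contains() on null object'."""
    acct = directory.find_active(name)
    for ent in entitlements:
        if ent in acct.member_of:          # AttributeError when acct is None
            acct.member_of.remove(ent)
    acct.user_account_control |= ACCOUNTDISABLE


def disable_idempotent(directory, name, entitlements):
    """Hypothetical tolerant variant: an account that already exists in the
    target is disabled (again) and stripped of any entitlements it still has;
    repeating the removal is a no-op rather than an error."""
    acct = directory.find_any(name)
    if acct is None:
        raise LookupError(f"no account named {name!r} in target")
    for ent in entitlements:
        if ent in acct.member_of:
            acct.member_of.remove(ent)
    acct.user_account_control |= ACCOUNTDISABLE


def run_provisioning_job(directory, tasks, handler):
    """Executes tasks in order, like the provisioning job, and records each
    task's outcome instead of stopping at the first failure."""
    results = []
    for endpoint, name, entitlements in tasks:
        try:
            handler(directory, name, entitlements)
            results.append((endpoint, "COMPLETED"))
        except (AttributeError, LookupError) as exc:
            results.append((endpoint, f"ERROR: {exc}"))
    return results


def build_scenario():
    """Constructed sample: one real AD account in two groups; the child
    endpoint mirrors the first group, so both tasks hit the same object."""
    finance = "CN=Finance,OU=Groups,DC=example,DC=com"
    vpn = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
    acct = AdAccount("jdoe", member_of=[finance, vpn])
    directory = FakeDirectory([acct])
    tasks = [
        ("AD", "jdoe", [finance, vpn]),      # parent endpoint: account + entitlements
        ("AD-Finance", "jdoe", [finance]),   # child endpoint: same account, one entitlement
    ]
    return directory, tasks


if __name__ == "__main__":
    d, t = build_scenario()
    print(run_provisioning_job(d, t, disable_strict))
    d, t = build_scenario()
    print(run_provisioning_job(d, t, disable_idempotent))
```

Running the strict handler reproduces the article's outcome: the parent task completes and the child task errors because no active "jdoe" remains to be found. The point of the model is that the child task is not a second account to remove but a second task against the same account, so any handler that requires an active account on lookup will fail on it once the parent task has run.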
Pre-requisites
Role_admin access
Applicable Version(s)
All versions
Solution
To overcome this situation, make the following changes at the endpoint level for each individual child endpoint.