on 09/06/2023 07:51 PM
Target System: This applies when the AD connector is used for LDAP target systems (OpenDJ in the example below).
Applicable SSM versions: v5.4.0 and onwards
Error in the pending task:
Figure 1: Pending task failing with LDAP error code 65
2020-12-19 11:35:21,126 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - External connection is :: OpenDJ-LDAP
2020-12-19 11:35:21,129 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - Connection is LDAP.. Setting to FALSE
2020-12-19 11:35:21,130 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - isadconnection = false
2020-12-19 11:35:21,130 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - Exit isADConnection
2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - LDAP addmap ::[:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]
2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService - LDAP ADD loop
2020-12-19 11:35:21,434 [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService - Exception
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local cannot be modified because the resulting entry would have violated the server schema: Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local violates the Directory Server schema configuration because it includes attribute which is not allowed by any of the objectclasses defined in that entry]; remaining name 'commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2998)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1503)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at com.saviynt.ldap.SaviyntGroovyLdapService$_provisionAccessToAccountGLDAP_closure5.doCall(SaviyntGroovyLdapService.groovy:1212)
at com.saviynt.ldap.SaviyntGroovyLdapService.provisionAccessToAccountGLDAP(SaviyntGroovyLdapService.groovy:1130)
at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure3.doCall(SaviyntGroovyLdapService.groovy:301)
at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:255)
at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:10189)
at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure46.doCall(ArsTaskHelperService.groovy:2686)
at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:2677)
at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:158)
at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:143)
at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:216)
at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)
Root cause of the issue: the error is caused by missing configuration that the connector needs in order to add or remove access on LDAP targets. Without it the connector does not know which group attribute holds membership, so the modify request it builds carries the member DN under an empty attribute name (note the "LDAP addmap ::[:uid=..." line in the log above, with nothing before the colon). The directory server rejects that modify with result code 65 (objectClassViolation) because none of the objectClasses on the group entry allow such an attribute.
The connection configuration attribute on the endpoint must contain the following settings.
version 5.x:
<conf><ADDUSERTOENT>True</ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>
Figure 2: Connection Configuration in the Endpoint details
The customproperty2 of the entitlement type must be set to the attribute that holds group membership in the LDAP target system. Which attribute that is depends on the objectClass of the groups: Active Directory groups (objectClass group) store membership in the member attribute, OpenDJ groups of objectClass groupOfUniqueNames store it in uniqueMember, and groups of objectClass groupOfNames use member. Check the objectClass of one of the target groups (for example with an ldapsearch on the group DN) before setting the value: naming an attribute the group's objectClasses do not allow produces the same error code 65 as leaving the property empty.
Figure 3: Entitlement type in the Endpoint
Figure 4: Update customproperty2 in the entitlement type
After the change, the difference is visible in the logs: the membership attribute (uniqueMember here, or whichever attribute customproperty2 names) now appears in the addmap entry in front of the member DN, and the task completes.
2020-12-19 11:53:00,605 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - External connection is :: OpenDJ-LDAP
2020-12-19 11:53:00,608 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - Connection is LDAP.. Setting to FALSE
2020-12-19 11:53:00,611 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - isadconnection = false
2020-12-19 11:53:00,611 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - Exit isADConnection
2020-12-19 11:53:00,616 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - LDAP addmap ::[uniqueMember:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]
2020-12-19 11:53:00,617 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService - LDAP ADD loop
2020-12-19 11:53:00,845 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Inside updateProvisioningTries..
2020-12-19 11:53:00,851 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Inside removeSingleDropDownAccountEntAddTaskAndPushTaskRollBackMapToSavinyt...
2020-12-19 11:53:00,930 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Inside removeAccountEntForSingleDropdownAddTasks ...
2020-12-19 11:53:00,930 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - isSingleDropdownTaskWithRollback - entType : 22, isMemberOf, requestform: 3
2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - isSingleDropdownTaskWithRollback - createArsTaskAction : null
2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - isSingleDropdownTaskWithRollback : false
2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - removeAccountEntForSingleDropdownAddTasks - did not meet criteria of single dropdown add task.
2020-12-19 11:53:00,932 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Entering provisionAccesstoAccountSaviynt
2020-12-19 11:53:00,932 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - {vishal.ray=[com.saviynt.ecm.task.ArsTasks : 18671]}
2020-12-19 11:53:00,933 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - ExistingAccount
2020-12-19 11:53:00,933 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - accountID before merge = uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local
2020-12-19 11:53:00,947 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - accountID after merge = uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local
2020-12-19 11:53:00,952 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Processing task 18671 start
2020-12-19 11:53:00,959 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - completing task = 18671
2020-12-19 11:53:00,960 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService - completing task = 18671 done
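As an added example (not Saviynt's code and not part of the original post), the following Python script performs the check described above offline: it parses a group entry in LDIF as ldapsearch prints it, determines which attribute customproperty2 should name from the group's objectClass values, and classifies a connector "LDAP addmap" debug line as the empty-attribute case, a wrong-attribute case, or correct. The group entry and the log lines are constructed for the example; the objectClass-to-attribute mapping follows RFC 4519 for groupOfNames and groupOfUniqueNames and Active Directory's group class.

```python
"""Diagnose the LDAP error-65 membership misconfiguration described above.

Added example, not Saviynt code. Given (a) the target group's entry in LDIF
and (b) the connector's "LDAP addmap" debug line, report whether the attribute
the connector is about to modify is one the group's objectClasses allow.
The sample LDIF and log lines below are constructed for this example.
"""
import re

# Membership attribute mandated by each group objectClass (RFC 4519 for the
# first two; "group" is the Active Directory objectClass). Keys are lowercase
# because LDAP attribute and objectClass names are case-insensitive.
MEMBERSHIP_ATTR_BY_OBJECTCLASS = {
    "groupofnames": "member",
    "groupofuniquenames": "uniqueMember",
    "group": "member",
}

# Matches the connector's debug line: "LDAP addmap ::[<attr>:<value>,]".
# In the failing case <attr> is empty, which is exactly what we want to catch.
ADDMAP_RE = re.compile(r"LDAP addmap ::\[(?P<attr>[^:\]]*):(?P<value>.*?),?\]\s*$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.

    Handles the folded continuation lines (leading space) that ldapsearch emits.
    Base64 ("::") values are not needed here and are not decoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def membership_attribute(entry):
    """Return the attribute this group's objectClasses allow for members, or None."""
    for oc in entry.get("objectclass", []):
        attr = MEMBERSHIP_ATTR_BY_OBJECTCLASS.get(oc.lower())
        if attr:
            return attr
    return None


def parse_addmap(log_line):
    """Extract (attribute, value) from a 'LDAP addmap ::[attr:value,]' debug line."""
    m = ADDMAP_RE.search(log_line)
    if not m:
        return None
    return m.group("attr").strip(), m.group("value").strip()


def check_addmap(log_line, group_entry):
    """Classify the modify the connector is about to send against the group schema.

    'empty-attribute'       -> customproperty2 is unset (the error-65 case above)
    'attribute-not-allowed' -> customproperty2 names an attribute the group's
                               objectClasses do not allow (also error 65)
    'ok'                    -> attribute matches what the objectClasses allow
    """
    parsed = parse_addmap(log_line)
    if parsed is None:
        return "no-addmap-line"
    attr, _value = parsed
    if attr == "":
        return "empty-attribute"
    expected = membership_attribute(group_entry)
    if expected is None or attr.lower() != expected.lower():
        return "attribute-not-allowed"
    return "ok"


# Constructed sample: an OpenDJ group entry as ldapsearch -LLL would print it.
SAMPLE_GROUP_LDIF = """\
dn: cn=devtool-sqldeveloper,ou=groups,ou=test,dc=localopendj,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: devtool-sqldeveloper
uniqueMember: uid=someone.else,ou=people,ou=test,dc=localopendj,
 dc=local
"""

# Constructed log lines in the shape of the connector's debug output above.
FAILING_LINE = ("2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService"
                " - LDAP addmap ::[:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]")
WORKING_LINE = FAILING_LINE.replace("::[:", "::[uniqueMember:")
WRONG_ATTR_LINE = FAILING_LINE.replace("::[:", "::[member:")

if __name__ == "__main__":
    group = parse_ldif_entry(SAMPLE_GROUP_LDIF)
    print("customproperty2 should be:", membership_attribute(group))
    for name, line in [("before fix", FAILING_LINE), ("after fix", WORKING_LINE),
                       ("wrong attribute", WRONG_ATTR_LINE)]:
        print(f"{name}: {check_addmap(line, group)}")
```

To run it against a real target, replace SAMPLE_GROUP_LDIF with the output of an ldapsearch on one group DN requesting objectClass and the membership attributes, and paste the addmap line from the connector log; the value membership_attribute returns is what customproperty2 should be set to.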
Hi @sai_sp, can you please help me with the links to the Saviynt docs to implement user access in LDAP groups (add/remove a user to/from an LDAP group)?
Hi @sai_sp, can you please add figures 2, 3 and 4, which seem to be missing from the post?