sai_sp
Saviynt Employee

Use case: Add Access tasks do not complete and the group is not added to the user's account on the target; the pending task fails with LDAP error code 65 (schema violation).

Target system: This applies when the AD connector is used against a generic LDAP target (OpenDJ in the example below).

Applicable SSM versions: v5.4.0 and onwards

 

Error in the pending task:

Figure 1: Pending task failing with LDAP error code 65

 

Excerpt from the application debug logs for the failing task. Note the "LDAP addmap" line: the attribute name in front of the account DN is empty ("[:uid=..."), and the server's error message has nothing between "includes attribute" and "which" for the same reason.

2020-12-19 11:35:21,126 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - External connection is :: OpenDJ-LDAP

2020-12-19 11:35:21,129 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - Connection is LDAP.. Setting to FALSE

2020-12-19 11:35:21,130 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - isadconnection = false

2020-12-19 11:35:21,130 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - Exit isADConnection

2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - LDAP addmap ::[:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]

2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - LDAP ADD loop

2020-12-19 11:35:21,434 [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService  - Exception

javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local cannot be modified because the resulting entry would have violated the server schema: Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local violates the Directory Server schema configuration because it includes attribute  which is not allowed by any of the objectclasses defined in that entry]; remaining name 'commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local'

        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292)

        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)

        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2998)

        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1503)

        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)

        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)

        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)

        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)

        at com.saviynt.ldap.SaviyntGroovyLdapService$_provisionAccessToAccountGLDAP_closure5.doCall(SaviyntGroovyLdapService.groovy:1212)

        at com.saviynt.ldap.SaviyntGroovyLdapService.provisionAccessToAccountGLDAP(SaviyntGroovyLdapService.groovy:1130)

        at com.saviynt.ldap.SaviyntGroovyLdapService$_createAccountGLDAP_closure3.doCall(SaviyntGroovyLdapService.groovy:301)

        at com.saviynt.ldap.SaviyntGroovyLdapService.createAccountGLDAP(SaviyntGroovyLdapService.groovy:255)

        at com.saviynt.ecm.services.ArsTaskService.createAccountTarget(ArsTaskService.groovy:10189)

        at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsThreeNewAccountAccess_closure46.doCall(ArsTaskHelperService.groovy:2686)

        at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsThreeNewAccountAccess(ArsTaskHelperService.groovy:2677)

        at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:158)

        at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:143)

        at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:216)

        at org.quartz.core.JobRunShell.run(JobRunShell.java:199)

        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546) 

 

 

Root cause of the issue: The configuration required for adding and removing access on LDAP targets is missing. The entitlement type does not name the attribute that holds group membership on the target (customproperty2), and the endpoint's connection configuration must also carry the ADDUSERTOENT and ADDMEMBERTOENT flags. With no membership attribute, the connector builds the modify request with an empty attribute name (seen in the log as "LDAP addmap ::[:uid=..."), and the directory rejects it with result code 65 (objectClassViolation): "includes attribute  which is not allowed by any of the objectclasses defined in that entry", where the attribute name between the two spaces is empty. JNDI surfaces this as javax.naming.directory.SchemaViolationException.
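The following triage script is an added example, not part of the original post or of Saviynt's product code. It scans connector debug output for the two signatures described above (an "addmap" line with an empty attribute name, and an error-65 line whose offending attribute name is empty) and turns them into findings that point at customproperty2. The sample log is constructed from the lines quoted above; the regexes assume the OpenDJ wording of the error message.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the debug excerpt quoted in this post (not a real capture).
SAMPLE_LOG = """\
2020-12-19 11:35:21,144 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - LDAP addmap ::[:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]
2020-12-19 11:35:21,434 [quartzScheduler_Worker-2] ERROR ldap.SaviyntGroovyLdapService  - Exception
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local cannot be modified because the resulting entry would have violated the server schema: Entry commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local violates the Directory Server schema configuration because it includes attribute  which is not allowed by any of the objectclasses defined in that entry]; remaining name 'commonName=devtool-sqldeveloper,organizationalUnitName=groups,ou=test,dc=localopendj,dc=local'
2020-12-19 11:53:00,616 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - LDAP addmap ::[uniqueMember:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]
"""

# "LDAP addmap ::[<attr>:<value>,]" is the connector's modify payload; <attr> is the
# membership attribute taken from the entitlement type's customproperty2.
ADDMAP_RE = re.compile(r"LDAP addmap ::\[(?P<attr>[^:\]]*):(?P<value>[^\]]*?),?\]")

# Result code 65 (objectClassViolation). OpenDJ names the offending attribute between
# "includes attribute" and "which"; an empty name shows up as two consecutive spaces.
ERR65_RE = re.compile(
    r"error code 65 - Entry (?P<dn>.+?) cannot be modified.*?"
    r"includes attribute (?P<attr>\S*) which is not allowed"
)


def parse_addmap(line: str) -> Optional[Tuple[str, str]]:
    """Return (membership_attribute, account_dn) from an addmap debug line, else None."""
    m = ADDMAP_RE.search(line)
    return (m.group("attr"), m.group("value")) if m else None


def parse_schema_violation(line: str) -> Optional[dict]:
    """Return {'dn', 'attribute'} from an LDAP error-65 line, else None."""
    m = ERR65_RE.search(line)
    return {"dn": m.group("dn"), "attribute": m.group("attr")} if m else None


def triage(log_text: str) -> List[dict]:
    """Scan connector debug output and return findings that point at the mis-configuration."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        addmap = parse_addmap(line)
        if addmap is not None and addmap[0] == "":
            findings.append({
                "kind": "empty_membership_attribute",
                "account_dn": addmap[1],
                "detail": "addmap carries no attribute name: customproperty2 of the "
                          "entitlement type is unset, so the modify request is malformed",
            })
        violation = parse_schema_violation(line)
        if violation is not None:
            attr = violation["attribute"]
            findings.append({
                "kind": "schema_violation_65",
                "group_dn": violation["dn"],
                "attribute": attr,
                "detail": ("server rejected a modify with an empty attribute name"
                           if attr == "" else
                           f"attribute {attr!r} is not allowed by the group's objectClasses; "
                           "check customproperty2 against the group's schema"),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], "->", finding["detail"])
```

The healthy addmap line after the fix (with uniqueMember in front of the DN) produces no finding, so the script can be run over a full debug log to see whether the empty-attribute case is still occurring after a WSRetry.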

 

Steps for Solution

 

  1. Validate Connection Configuration at the Endpoint

 

The connection configuration attribute at the endpoint must contain both flags, spelled exactly as below. The 5.x value is XML and the 23.x value is JSON, so a stray space inside a closing tag or curly quotes in the JSON make the value malformed.

Version 5.x:

<conf><ADDUSERTOENT>True</ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>

Version 23.x:

{"conf":[{"ADDMEMBERTOENT":"TRUE"},{"ADDUSERTOENT":"TRUE"}]}

 

Figure 2: Connection configuration in the endpoint details

 

2. Validate customproperty2 of the entitlement type

The customproperty2 of the entitlement type must be set to the attribute that holds membership in the target's group entries. In Active Directory, groups store membership in the member attribute; OpenDJ groups of objectClass groupOfUniqueNames store it in uniqueMember (groupOfNames groups use member). Read the group entry's objectClass on the target rather than guessing: an attribute the objectClass does not allow is rejected with the same error code 65.

Figure 3: Entitlement type in the endpoint

Figure 4: Update customproperty2 in the entitlement type

3. Re-run the provisioning job (WSRetry)
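A pre-flight check for steps 1 and 2, as an added example that is not part of the original post or of Saviynt's code. It parses the endpoint connection configuration in either format shown in step 1 (5.x XML or 23.x JSON), verifies both flags are TRUE, and checks that customproperty2 names a membership attribute the target group's objectClass actually allows. The sample configuration strings are constructed; the objectClass-to-attribute table covers groupOfNames, groupOfUniqueNames (RFC 4519) and the Active Directory group class, and would need extending for a site-specific group schema.

```python
import json
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Flags that must be present (and TRUE) in the endpoint's connection configuration
# for add/remove access on LDAP targets, per step 1.
REQUIRED_FLAGS = ("ADDUSERTOENT", "ADDMEMBERTOENT")

# Membership attribute permitted by the usual group objectClasses
# (groupOfNames/groupOfUniqueNames from RFC 4519; "group" is Active Directory).
MEMBERSHIP_ATTR_BY_OBJECTCLASS = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
    "group": "member",
}

# Constructed sample values for the two formats shown in step 1.
CONF_5X_OK = "<conf><ADDUSERTOENT>True</ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>"
CONF_5X_TYPO = "<conf><ADDUSERTOENT>True</ ADDUSERTOENT><ADDMEMBERTOENT>True</ADDMEMBERTOENT></conf>"
CONF_5X_MISSING = "<conf><ADDUSERTOENT>True</ADDUSERTOENT></conf>"
CONF_23X_OK = '{"conf":[{"ADDMEMBERTOENT":"TRUE"},{"ADDUSERTOENT":"TRUE"}]}'


def parse_connection_conf(raw: str) -> dict:
    """Parse the 5.x XML form or the 23.x JSON form into {FLAG_NAME: value_lowercased}."""
    raw = raw.strip()
    flags = {}
    if raw.startswith("{"):
        items = json.loads(raw).get("conf", [])
        if isinstance(items, dict):      # tolerate {"conf": {...}} as well as a list of objects
            items = [items]
        for item in items:
            for key, value in item.items():
                flags[key.upper()] = str(value).strip().lower()
    else:
        root = ET.fromstring(raw)        # raises ParseError on malformed XML such as "</ ADDUSERTOENT>"
        if root.tag.lower() != "conf":
            raise ValueError(f"expected <conf> root, got <{root.tag}>")
        for child in root:
            flags[child.tag.upper()] = (child.text or "").strip().lower()
    return flags


def check_connection_conf(raw: str) -> List[str]:
    """Step 1: return problems with the endpoint connection configuration ([] means OK)."""
    try:
        flags = parse_connection_conf(raw)
    except (ValueError, ET.ParseError) as exc:   # json.JSONDecodeError is a ValueError
        return [f"connection config does not parse: {exc}"]
    return [f"{flag} missing or not TRUE (got {flags.get(flag)!r})"
            for flag in REQUIRED_FLAGS if flags.get(flag) != "true"]


def check_membership_attribute(customproperty2: str, group_objectclasses: Iterable[str]) -> List[str]:
    """Step 2: customproperty2 must name an attribute the target's group objectClasses allow."""
    ocs = list(group_objectclasses)
    attr = (customproperty2 or "").strip()
    if not attr:
        return ["customproperty2 is empty: the connector would send a modify with an empty "
                "attribute name (the '[:uid=...' addmap) and the server answers error code 65"]
    allowed = {MEMBERSHIP_ATTR_BY_OBJECTCLASS[oc] for oc in ocs if oc in MEMBERSHIP_ATTR_BY_OBJECTCLASS}
    if allowed and attr not in allowed:
        return [f"customproperty2={attr!r} is not allowed by objectClasses {sorted(ocs)}; "
                f"expected one of {sorted(allowed)}"]
    return []


def preflight(connection_conf: str, customproperty2: str, group_objectclasses: Iterable[str]) -> List[str]:
    """Run both checks before re-running the provisioning job (WSRetry); [] means safe to retry."""
    return check_connection_conf(connection_conf) + check_membership_attribute(customproperty2, group_objectclasses)


if __name__ == "__main__":
    for problem in preflight(CONF_5X_TYPO, "", ["top", "groupOfUniqueNames"]):
        print("-", problem)
```

The group's objectClass values come from reading the group entry on the target (for the OpenDJ example above, top and groupOfUniqueNames); feeding the real values in rather than the assumed ones is what makes the second check meaningful.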

 

After the fix, the difference in the debug log is visible: the "LDAP addmap" line now carries the membership attribute (uniqueMember here, or whichever attribute customproperty2 names) in front of the account DN, and the task proceeds to completion instead of throwing the SchemaViolationException.

2020-12-19 11:53:00,605 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - External connection is :: OpenDJ-LDAP

2020-12-19 11:53:00,608 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - Connection is LDAP.. Setting to FALSE

2020-12-19 11:53:00,611 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - isadconnection = false

2020-12-19 11:53:00,611 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - Exit isADConnection

2020-12-19 11:53:00,616 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - LDAP addmap ::[uniqueMember:uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local,]

2020-12-19 11:53:00,617 [quartzScheduler_Worker-4] DEBUG ldap.SaviyntGroovyLdapService  - LDAP ADD loop

2020-12-19 11:53:00,845 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - Inside updateProvisioningTries..

2020-12-19 11:53:00,851 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - Inside removeSingleDropDownAccountEntAddTaskAndPushTaskRollBackMapToSavinyt...

2020-12-19 11:53:00,930 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - Inside removeAccountEntForSingleDropdownAddTasks ...

2020-12-19 11:53:00,930 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - isSingleDropdownTaskWithRollback - entType : 22, isMemberOf, requestform: 3

2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - isSingleDropdownTaskWithRollback - createArsTaskAction : null

2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - isSingleDropdownTaskWithRollback : false

2020-12-19 11:53:00,931 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - removeAccountEntForSingleDropdownAddTasks - did not meet criteria of single dropdown add task.

2020-12-19 11:53:00,932 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  -  Entering provisionAccesstoAccountSaviynt

2020-12-19 11:53:00,932 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - {vishal.ray=[com.saviynt.ecm.task.ArsTasks : 18671]}

2020-12-19 11:53:00,933 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - ExistingAccount

2020-12-19 11:53:00,933 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - accountID before merge = uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local

2020-12-19 11:53:00,947 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - accountID after merge = uid=vishal.ray,organizationalUnitName=people,ou=test,dc=localopendj,dc=local

2020-12-19 11:53:00,952 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - Processing task 18671 start

2020-12-19 11:53:00,959 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - completing task = 18671

2020-12-19 11:53:00,960 [quartzScheduler_Worker-4] DEBUG services.ArsTaskService  - completing task = 18671 done

 

 

Validation step:

The pending task completes successfully. Confirm on the target as well by reading the group entry and checking that the account DN is now present in its membership attribute.

 

Comments

GauravJain
Regular Contributor

Hi @sai_sp, can you please help me with links to the Saviynt docs on implementing user access in LDAP groups, i.e. adding/removing a user to/from an LDAP group?

GauravJain
Regular Contributor

Hi @sai_sp, can you please add figures 2, 3 and 4, which seem to be missing from the post?

Version history
Last update: 09/06/2023 07:51 PM