Hi,
I am currently working on a project in IdentityNow in which I have to configure the provisioning of Active Directory accounts based on the Lifecycle State of an identity. I have set up the configuration in the Identity Profile ‘Provisioning’ tab. However, I am running into the following issue during account creation:
“Exception: sailpoint.connector.ConnectorException: [ InvalidConfigurationException ] [ Error details ] Required string attribute ‘User’ is not defined.It must have a valid value.”
I am unsure where this is even coming from, as in my ‘Account’ file there is no such attribute called ‘User’. It does not exist anywhere in my files; however, it is causing an error when creating AD accounts. I also find it odd that an attribute could be both required and not defined at the same time.
Has anyone else run into this issue before? What could be prompting this?
Some things have been customized, namely custom transforms for the distinguishedName, sAMAccountName, and initial AD password, as well as some extra attributes that are copied directly from the identity profile mappings.
My configuration for the ObjectType is exactly what Krish posted in another reply. Here is what I have for the sAMAccountName (very similar for distinguishedName and password):
No need for JSON; just get us screenshots of the create account provisioning policy from the UI.
I guess you copied some attribute definitions and pasted them into the create account policy.
As per the error, there is an attribute User in your create account provisioning policy form, and it is configured as required in the backend. But it has no value, hence the exception.
OK, can you get us the account request, masking sensitive data? You can find that in search. Just search with the user account ID; you can find it under Account Activity.
The problem is with the format you used to generate the DN.
You are using the firstName, middleInitial, Lastname and dnOU identity attributes. Check whether the user is missing a value for any of these attributes. That might help you to understand the issue.
I have checked and the user is correctly receiving a first name, middle initial, last name, and OU in the identity profile. Is there anything else that could be the issue? I have a list of 4 patterns and it is failing at the last pattern, meaning the previous patterns are failing due to non-uniqueness (is this correct?). So, for some reason it is seeing certain CNs as already existing despite the fact that this user has never been created in AD before.
I ended up being able to resolve the issue by creating a new AD connector with the same configuration as the old one. Not entirely sure why that solved it, but give it a try.