Active Directory DistinguishedName Generation in Create Profile

Hi Team,

We have a requirement to generate a unique DN value during AD account creation. So, we have used Generator → Create Unique Account ID in the create profile. It's generating a unique DN with the counter starting at 1, but the requirement is that if there is a duplicate record, then it should start at 2. Below is the pattern we have used.
CN=$(lastNameAd), $(firstNameAd) $(middleInitial)$(uniqueCounter),OU=Users,DC=Test,DC=COM

Team, please share your thoughts.

Thank you.
Rajesh


As far as I’m aware the behavior of the UniqueCounter cannot be changed and it will always start at 1.

You might want to look into creating your own Account Profile attribute Generator rule to achieve a solution for your use case.
More info on this type of rule can be found below:
Account Profile Attribute Generator

{
    "name": "distinguishedName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique Account ID"
        }
    },
    "attributes": {
        "template": "CN=$(lastNameAd).$(firstNameAD)$(middleInitial)$(uniqueCounter),OU=Users,DC=Test,DC=COM",
        "cloudMaxUniqueChecks": "50",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

Try using this, @Rajesh_Thota1.

Thanks.


Hi @Rajesh_Thota1

I agree with Gokul’s suggestion. You will need to use the cloud rule to generate the unique DN.

In addition to the transform @GOKUL_ANANTH_M has shared, please make sure that you have defined lastNameAd, firstNameAd and middleInitial above the DN attribute calculation in the create account policy.

In addition to that, I believe you may also need to make the DN field a searchable field so that the cloud rule can validate the uniqueness check, but you can test that.

I hope this helps.

Regards
Vikas.

Hi @GOKUL_ANANTH_M @vguleria ,

Thank you for the response given.

But as per the requirement, the "uniqueCounter" value should start with 2 if a duplicate record is found. As per the template below, it will start with "1".
"template": "CN=$(lastNameAd).$(firstNameAD)$(middleInitial)$(uniqueCounter),OU=Users,DC=Test,DC=COM"

Could you share your thoughts on this?

Thanks

Hi @Rajesh_Thota1

Yes, that is the idea. If the account with 01 is already aggregated into the ISC source and you make the DN the searchable field, then when you request a new account, the unique counter should be 02.

The main thing is that ISC should be able to read the DN of the objects already available in AD, and in the rule the uniqueness check should be performed on the DN attribute, which will work when the DN account attribute is made searchable via the API below.

I hope this helps.

Regards
Vikas.

Yes, that's the thing. If there is a pre-existing account with '1' as the value, when you create a new account with the same name, this duplicate record will contain the value '2'.

I hope the DN value will be searchable in terms of AD. So, this should probably work.

Thanks!

Hi @GOKUL_ANANTH_M @vguleria ,

Let me make it clearer.
Case 1: FN: Rajesh and LN: Thota, and the DN is "CN=Rajesh, Thota,OU=Users,DC=Test,DC=COM"
Case 2: FN: Rajesh and LN: Thota, then the DN should be
CN=Rajesh, Thota2,OU=Users,DC=Test,DC=COM

Thanks

You could try hard-coding the counter with patterns on the usernameGenerator. This obviously has the limitation that you need to specify all of the counters manually, but it eliminates needing to make a separate rule in cases where you do not expect to hit the upper limit of uniqueCounter.

{
    "name": "distinguishedName",
    "transform": {
        "type": "usernameGenerator",
        "attributes": {
            "sourceCheck": true,
            "patterns": [
                "CN=$fn $ln,OU=Users,DC=Test,DC=COM",
                "CN=$fn $ln 2,OU=Users,DC=Test,DC=COM",
                "CN=$fn $ln 3,OU=Users,DC=Test,DC=COM"
            ],
            "ln": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "lastname"
                }
            },
            "fn": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstname"
                }
            }
        }
    },
    "attributes": {
        "cloudMaxUniqueChecks": "5",
        "cloudMaxSize": "200",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}
[
    {
        "name": "cn",
        "transform": {
            "type": "rule",
            "attributes": {
                "name": "Create Unique LDAP Attribute"
            }
        },
        "attributes": {
            "template": "$(lastNameAd).$(firstNameAD)$(middleInitial)$(uniqueCounter)",
            "cloudMaxUniqueChecks": "50",
            "cloudMaxSize": "20",
            "cloudRequired": "true"
        },
        "isRequired": false,
        "type": "string",
        "isMultiValued": false
    },
    {
        "name": "distinguishedName",
        "transform": {
            "type": "usernameGenerator",
            "attributes": {
                "sourceCheck": true,
                "patterns": [
                    "CN=$cn,OU=Users,DC=Test,DC=COM",
                    "CN=$cn${uniqueCounter},OU=Users,DC=Test,DC=COM"
                ]
            }
        },
        "attributes": {
            "cloudMaxUniqueChecks": "5",
            "cloudMaxSize": "200",
            "cloudRequired": "true"
        },
        "isRequired": false,
        "type": "string",
        "isMultiValued": false
    }
]

Try using this.

Hi Rajesh,

Thank you for clarifying. In this case, you need to apply the rule on the CN attribute and make sure that the CN attribute is created above the DN attribute in the create account policy.
In the CN attribute, you will then need to use the counter variable and make it searchable.

Then in the DN attribute you can just use the dynamic variables, like CN=$CN,OU=Users,DC=Test,DC=COM.

This should do the trick for you. Please let me know if you have any further queries, happy to assist.

NOTE: If your AD has cases where the CN could contain duplicate values across different org units, then I suggest you create your own cloud rule to ensure that the CN is unique, as that will be difficult to handle.

Thank You.
Regards
Vikas.
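The behaviour the thread converges on (first candidate has no counter, the first collision gets suffix 2, later ones 3, 4, ...) and the CN-then-DN approach Vikas describes, shown as an added Python example that is not part of the original thread and not SailPoint code. It models the uniqueness check as a lookup against an in-memory set of DNs standing in for the aggregated AD accounts (constructed sample data), applies a bounded number of attempts in the spirit of cloudMaxUniqueChecks, and compares DNs case-insensitively as AD does. It also adds one caveat the thread does not mention: the "Last, First" CN in the original template contains a comma, which must be escaped as "\," inside a DN (RFC 4514), otherwise the DN parses as two RDNs. Function and constant names are illustrative assumptions.

```python
import re
from typing import Iterable, Optional

# RFC 4514 characters that must be backslash-escaped anywhere inside an RDN value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    # A leading '#' or space, and a trailing space, also need escaping.
    if escaped.startswith(('#', ' ')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


def build_cn(first: str, last: str, middle_initial: str = "",
             counter: Optional[int] = None) -> str:
    """Mirror the thread's 'Last, First M' naming; the counter is appended only when given."""
    cn = f"{last}, {first}"
    if middle_initial:
        cn += f" {middle_initial}"
    if counter is not None:
        cn += str(counter)
    return cn


def unique_dn(first: str, last: str, middle_initial: str,
              existing_dns: Iterable[str],
              base: str = "OU=Users,DC=Test,DC=COM",
              max_checks: int = 50) -> str:
    """Return the first DN not already present in existing_dns.

    Attempt 0 carries no counter; attempt n (n >= 1) carries counter n + 1,
    so the first duplicate becomes '...2', the next '...3', and so on.
    max_checks plays the role of cloudMaxUniqueChecks (assumption: same semantics).
    """
    taken = {dn.lower() for dn in existing_dns}  # AD DNs are case-insensitive
    for attempt in range(max_checks):
        counter = None if attempt == 0 else attempt + 1
        cn = build_cn(first, last, middle_initial, counter)
        dn = f"CN={escape_rdn_value(cn)},{base}"
        if dn.lower() not in taken:
            return dn
    raise RuntimeError(f"no unique DN found after {max_checks} checks")


# Constructed sample data standing in for DNs already aggregated from AD.
EXISTING_DNS = [
    r"CN=Thota\, Rajesh,OU=Users,DC=Test,DC=COM",
    r"CN=Thota\, Rajesh2,OU=Users,DC=Test,DC=COM",
]

if __name__ == "__main__":
    print(unique_dn("Rajesh", "Thota", "", []))            # no collision: no counter
    print(unique_dn("Rajesh", "Thota", "", EXISTING_DNS[:1]))  # first duplicate: suffix 2
    print(unique_dn("Rajesh", "Thota", "", EXISTING_DNS))      # second duplicate: suffix 3
```

The escaping step is the part to carry back into the create profile: if the CN keeps the "Last, First" form, the attribute that feeds the DN must hold the escaped value (or the template must escape it), and the searchable DN used for the uniqueness check must be stored in the same escaped form so that comparisons actually match what AD returns.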
