AD Account Creation Error

Hi,

I’m experiencing the following error message while trying to create samaccountname in AD. I created a custom transform that calculates different patterns for samaccountname. I’m currently testing the transform for identities with the same name, but it seems that it’s only calculating the first pattern; as a result, it creates the same samaccountname and fails since the object already exists in AD. Can you please advise.

error message:

Exception occurred while executing the RPCRequest: Errors returned from IQService. “The object already exists. 00000524: UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity: CN=John Doe1,OU=testing, DC=Test, DC=testing, DC=Test”

Here’s the transform I created:

[
    {
        "name": "Account",
        "description": null,
        "usageType": "CREATE",
        "fields": [
            {
                "name": "ObjectType",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "User"
                    }
                },
                "attributes": {
                    "template": "CN=$(preferreddisplayname)$(uniqueCounter),OU=User Test,DC=Test,DC=Test,DC=Test",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "distinguishedName",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Create Unique Account ID"
                    }
                },
                "attributes": {
                    "template": "CN=$(preferreddisplayname)$(uniqueCounter),OU=User Test,DC=Test,DC=Test,DC=Test",
                    "cloudMaxUniqueChecks": "50",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": {
                    "attributes": {
                        "fi1": {
                            "type": "lower",
                            "attributes": {
                                "input": {
                                    "type": "substring",
                                    "attributes": {
                                        "input": {
                                            "type": "identityAttribute",
                                            "attributes": {
                                                "name": "preferredfirstname"
                                            }
                                        },
                                        "begin": 0,
                                        "end": 1
                                    }
                                }
                            }
                        },
                        "fi2": {
                            "type": "lower",
                            "attributes": {
                                "input": {
                                    "type": "substring",
                                    "attributes": {
                                        "input": {
                                            "type": "identityAttribute",
                                            "attributes": {
                                                "name": "preferredfirstname"
                                            }
                                        },
                                        "begin": 0,
                                        "end": 2
                                    }
                                }
                            }
                        },
                        "fi3": {
                            "type": "lower",
                            "attributes": {
                                "input": {
                                    "type": "substring",
                                    "attributes": {
                                        "input": {
                                            "type": "identityAttribute",
                                            "attributes": {
                                                "name": "preferredfirstname"
                                            }
                                        },
                                        "begin": 0,
                                        "end": 3
                                    }
                                }
                            }
                        },
                        "ln": {
                            "attributes": {
                                "input": {
                                    "attributes": {
                                        "name": "preferredlastname"
                                    },
                                    "type": "identityAttribute"
                                }
                            },
                            "type": "lower"
                        },
                        "patterns": [
                            "$fi1$ln",
                            "$fi2$ln",
                            "$fi3$ln(uniqueCounter)"
                        ],
                        "sourceCheck": false
                    },
                    "type": "usernameGenerator"
                },
                "attributes": {
                    "cloudMaxUniqueChecks": "50",
                    "cloudMaxSize": "20",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "displayName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "displayName"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "manager",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Get Manager LDAP DN"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "password",
                "transform": null,
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "secret",
                "isMultiValued": false
            },
            {
                "name": "givenName",
                "transform": {
                    "attributes": {
                        "name": "firstname"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sn",
                "transform": {
                    "attributes": {
                        "name": "lastname"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "pwdLastSet",
                "transform": {
                    "attributes": {
                        "value": "false"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "IIQDisabled",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "true"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "CN",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Create Group",
        "description": null,
        "usageType": "CREATE_GROUP",
        "fields": [
            {
                "name": "distinguishedName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Update Group",
        "description": null,
        "usageType": "UPDATE_GROUP",
        "fields": [
            {
                "name": "GroupType",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "GroupScope",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "description",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mailNickname",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]

Hi Alex,

To properly configure the unique counter, you need to include the attribute cloudMaxUniqueChecks to tell IDN how many numbered patterns to try before giving up. Please see this example from an AD source that I have set up in my tenant for an idea of how to do it. You can also read more about the username generator transform.

{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    },
    "attributes": {
        "template": "$(firstname).$(lastname)$(uniqueCounter)",
        "cloudMaxUniqueChecks": "50",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

I just realized that you do have cloudMaxUniqueChecks specified. What you have is a very complicated create provisioning transform. Pinpointing where this is failing could take some work. Maybe you can try creating a new identity attribute called “Preferred Display Name”, and then use that in your provisioning policy instead of calculating the display name at create time. This would greatly simplify the logic you have.

Can you use the account generator to create samaccountname?

I’m not entirely sure. It looks like the standard approach to creating a samaccountname is the code I shared above, which references a custom rule called “Create Unique LDAP Attribute”. It looks like that rule can only accept identity attributes, which is why I suggested you create the preferred display name as an identity attribute. Then you can reference the display name using the exact code I shared above. It might look like this:

{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    },
    "attributes": {
        "template": "$(preferredDisplayName)$(uniqueCounter)",
        "cloudMaxUniqueChecks": "50",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

You could even just configure it in the UI.

We want to be able to create different patterns here when creating the account. For example, firstname initial and full lastname, first two characters of firstname and lastname etc. Is this possible?

It should be. I haven’t tried to do that myself. Maybe you can try doing a simpler username generator transform just to see if you can get it to work, then slowly add back your business requirements until you get the result you want.

Is your generator only supposed to use first name initials? Why does the error message show the full first name?

CN=John Doe1

For the distinguished name we are calculating preferreddisplayname as follows: CN = John Doe1, OU=testing, DC=Test, DC=testing, DC=Test, which is unique. The error is occurring because the samaccountname already exists at the target, so it’s not calculating the second pattern I specified in the generator.

If I use the generator on accountid, which in this case is the distinguishedname, I can calculate the different patterns successfully. Is it possible to create a regex transform on the samaccountname and fetch the values from the distinguishedname?

Ok, I think I know why this isn’t working. The username generator transform only works on the attribute that is marked as the account ID in the attribute schema. The way it works, I believe, is it tries to provision an account using each pattern in the list until one succeeds. If the provision fails, it moves on to the next pattern in the list until the provision succeeds. This is why username generator works for distinguished name, because it is the account ID for active directory sources.

The username generator doesn’t do a lookup in the source system to see which value in the pattern will be unique, and therefore it can’t be used to generate unique account attributes other than the account ID. If you need to create unique account attributes in an Active Directory source, you must use the “Create Unique LDAP Attribute” rule, which has the ability to do a lookup in active directory before provisioning to calculate the unique value. This rule can only accept a single template string to determine uniqueness, which means you will be stuck using the last pattern of "$fi3$ln(uniqueCounter)" to make this rule work. I recommend creating a new identity attribute to hold the samaccountname value that you want to use in the template. Your final provisioning policy can then reference the identity attribute with the unique counter.

If you must have the different patterns for the samaccountname, then you will need to engage professional services to build a custom rule that will perform the account attribute lookup using a variable number of patterns.
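To make the distinction in the answer above concrete, here is an added Python model (not SailPoint or IdentityNow code) of the two approaches: the usernameGenerator patterns from the posted policy emitted without any lookup, versus a single template with uniqueCounter checked against a constructed set of existing sAMAccountNames, bounded by the posted cloudMaxUniqueChecks and cloudMaxSize. The counter behaviour (no suffix on the first try, then 1, 2, ...) is an assumption inferred from "John Doe1" in the thread, and the existing-name set is constructed for the example.

```python
from typing import Iterable, Optional

# Constructed sample of sAMAccountNames that already exist in the target AD.
EXISTING_SAMACCOUNTNAMES = {"jdoe", "jodoe", "johdoe", "johdoe1"}

CLOUD_MAX_UNIQUE_CHECKS = 50  # "cloudMaxUniqueChecks": "50" in the posted policy
CLOUD_MAX_SIZE = 20           # "cloudMaxSize": "20" in the posted policy


def generator_candidates(first: str, last: str) -> list:
    """Candidates in the order of the posted patterns: $fi1$ln, $fi2$ln, $fi3$ln."""
    ln = last.lower()
    return [first[:n].lower() + ln for n in (1, 2, 3)]


def username_generator_value(first: str, last: str) -> str:
    """Models the usernameGenerator on a non-accountId attribute as the thread
    describes it: the first pattern is emitted with no lookup, so AD itself
    rejects a duplicate with ENTRY_EXISTS."""
    return generator_candidates(first, last)[0]


def unique_ldap_attribute(base: str, existing: Iterable[str],
                          max_checks: int = CLOUD_MAX_UNIQUE_CHECKS,
                          max_size: int = CLOUD_MAX_SIZE) -> Optional[str]:
    """Models the 'Create Unique LDAP Attribute' approach: every candidate is
    looked up before provisioning. Assumed counter: no suffix first, then 1..N.
    The base is truncated so the suffixed value never exceeds cloudMaxSize.
    Returns None when all max_checks candidates are taken."""
    taken = {name.lower() for name in existing}
    for counter in range(max_checks + 1):
        suffix = "" if counter == 0 else str(counter)
        candidate = (base[: max_size - len(suffix)] + suffix).lower()
        if candidate not in taken:
            return candidate
    return None


def provision(first: str, last: str, existing: Iterable[str]) -> dict:
    """Side-by-side outcome for one identity: does the generator value collide,
    and what does the lookup-based rule produce from the $fi3$ln base?"""
    gen = username_generator_value(first, last)
    taken = {name.lower() for name in existing}
    return {
        "usernameGenerator": gen,
        "usernameGenerator_collides": gen in taken,
        "createUniqueLdapAttribute": unique_ldap_attribute(
            generator_candidates(first, last)[2], existing),
    }
```

Running provision("John", "Doe", EXISTING_SAMACCOUNTNAMES) reproduces the thread's situation: the generator emits "jdoe", which already exists, while the lookup-based approach walks johdoe, johdoe1 and settles on johdoe2.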

Thanks Collin, this is very helpful. So in this case we have to use the attribute generator rule. Do you have an example?

I recommend using the UI to configure it. You can select the rule from the drop-down as shown in the image above.

@adyer Here is a similar topic to yours. You could look into creating your own custom rule if you desire.