Error(s) reported back from the IQService - Error occurred while disabling the account cn=Sudip.Sir,OU=Users,DC=IIQAD,DC=comFailed to connect to the server for cn=Sudip.Sir,OU=Users,DC=IIQAD,DC=com:There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘DC=IIQAD,DC=com’ . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted Please Ensure the data has been aggregated before performing the operation
Can anyone help me understand why I am getting this error while trying the correct approach?
Hi Ishita, seems like the Active Directory container might be missing, or the deleted account was moved to the DeletedObject container; check there once.
Hey @kannan_sb85 Is it possible that after the Joiner process, the Leaver process runs immediately without passing through the Mover stage, causing an error? Because this seems to be happening in my case.
Here is my Leaver code:

// Imports for the provisioning plan objects used below
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

ProvisioningPlan plan = new ProvisioningPlan();
// Look up the identity cube by name (identityName is supplied to the rule)
Identity identityObject = context.getObjectByName(Identity.class, identityName);

// Disable the Active Directory account
AccountRequest acctReq = new AccountRequest();
acctReq.setOperation(AccountRequest.Operation.Disable);
acctReq.setApplication("ActiveDirectory");
// The target DN is assembled from the identity name rather than taken from the aggregated account
acctReq.setNativeIdentity("cn=" + identityName + ",OU=Users,DC=IIQAD,DC=com");

// Ask the AD connector to move the account into the disabled OU
AttributeRequest attrReq = new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, "OU=DisabledOu,DC=IIQAD,DC=com");
acctReq.add(attrReq);
plan.add(acctReq);
return plan;
I have also created DisabledOu in VMware.
It sounds like you’re experiencing a workflow issue in IIQ. Typically, the Joiner, Mover, and Leaver processes are designed to follow a specific sequence to ensure smooth transitions and avoid errors. However, there can be configurations or triggers that might cause the Leaver process to run immediately after the Joiner process, bypassing the Mover stage.
Here are a few things to check:
- Workflow Configuration: Ensure that the workflows for Joiner, Mover, and Leaver are correctly configured and that there are no misconfigurations causing the Leaver process to trigger prematurely.
- Rapid Setup: If you’re using Rapid Setup, verify that the settings for each lifecycle event are properly aligned. Sometimes, issues can arise if the Rapid Setup configurations are not consistent across environments.
- Approval Steps: Check if there are any approval steps in the Mover process that might be skipped. This can sometimes cause the workflow to move directly to the Leaver stage.
- Identity Refresh Task: Make sure the Identity Refresh task is configured correctly to process events and create snapshot history. This can help in identifying any discrepancies in the workflow.
If these checks don’t resolve the issue, let’s try to reproduce the issue once again and trace all logs.
The requirement is: I have two accounts in my Active Directory, one created through Joiner and one created manually. Both have different names, but they are given a common attribute such as email.
I need to trigger a Leaver event which disables these accounts, i.e. disable all accounts which are present in SailPoint with the same email.
For example, if any account has the email [email protected], each identity using this email should be disabled and moved to a disabled OU.
Can you please help me with the steps? I would be highly obliged.
Hi,
I think your first step should be to set up a correlation configuration, making sure that the manually created accounts are correlated properly to the identity cube. If you want to do this with a phone number or e-mail address, please make sure the identity attribute is searchable, so you can select it in the correlation configuration. Once you have all the accounts linked to the same identity cube, you can start setting up a workflow or rule that disables these accounts.
Do you need help setting up that configuration?
Kr,
Pieter
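Putting Pieter's advice together with the Leaver rule posted above, here is an added example (not code from this thread, nor SailPoint's own) of a Leaver plan that disables every Active Directory account already linked to the identity cube, taking each account's DN from the aggregated Link instead of rebuilding it from the identity name. It assumes the application is named ActiveDirectory and the target container is OU=DisabledOu,DC=IIQAD,DC=com as in the thread, and that identityName, context and log are the variables IIQ passes into the rule.

```java
// Added example: one ProvisioningPlan covering all AD accounts correlated to the cube.
// Assumptions (not from the thread's code): application name "ActiveDirectory",
// disabled container "OU=DisabledOu,DC=IIQAD,DC=com", and the rule variables
// identityName, context and log supplied by IdentityIQ.
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String appName = "ActiveDirectory";
String disabledOu = "OU=DisabledOu,DC=IIQAD,DC=com";

Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
  log.warn("Leaver: no identity cube named " + identityName + ", nothing to disable");
  return null;
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

// Every account correlated to the cube shows up as a Link; the manually created
// account with the same email is a second Link once correlation is configured.
List links = identity.getLinks();
int disabledCount = 0;
if (links != null) {
  for (Link link : links) {
    if (!appName.equals(link.getApplicationName())) {
      continue;   // only AD accounts belong in this plan
    }
    AccountRequest acctReq = new AccountRequest();
    acctReq.setOperation(AccountRequest.Operation.Disable);
    acctReq.setApplication(appName);
    // Use the DN SailPoint aggregated from AD; a DN assembled from the identity
    // name can point at an object that does not exist ("no such object").
    acctReq.setNativeIdentity(link.getNativeIdentity());
    // AC_NewParent tells the AD connector which container to move the account into.
    acctReq.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, disabledOu));
    plan.add(acctReq);
    disabledCount++;
  }
}

log.info("Leaver: " + disabledCount + " AD account(s) queued for disable and move for " + identityName);
return plan;
```

Because the plan is driven by Links, an account that was never aggregated or correlated produces no AccountRequest at all, so the rule cannot reference a DN that is absent from AD; that is the case the original error message describes, and the fix is the correlation step Pieter outlines, not a change to the DN string.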
Yes please, can you enlighten me about the further steps for this?
Here’s a good resource:
Try going to the application definition for AD and go to the Correlation tab. Then hit New in the Account Correlation section. Give it a nice name and then you can define a filter by selecting the application attribute and identity attribute.
If your identity attribute is missing (like ‘phone’), you can mark it as searchable in the Global Settings > Identity Mappings page.
Please let me know if this does the trick for you.
Kr,
Pieter.