AD-IQService Provisioning issue

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello,

We are working on AD provisioning from IIQ. We have noticed that in the plan the operation is showing as Create, and in IQService it is showing as Modify.

Due to this we are facing “Failed to update identity Attribute issue”

Any idea on this?

Hi Niket,
Can you show the plan? Is there any before provisioning rule in AD app?

Yes. I have created before prov rule to print the plan only and below is it.

ProvisioningPlan nativeIdentity=“268798” targetIntegration=“Active Directory”
AccountRequest application=“Active Directory” nativeIdentity=“CN=268798,OU=CHQ-QA,OU=Users-QA,OU=xxx-QA,DC=xxx,DC=xxx,DC=com” op=“Create”
AttributeRequest name=“distinguishedName” op=“Add” value=“CN=268798,OU=CHQ-QA,OU=Users-QA,OU=xxx-QA,DC=xxx,DC=xxx,DC=com”/
AttributeRequest name=“givenName” op=“Set” value=“DMkucUeYBSrx”/
AttributeRequest name=“sn” op=“Set” value=“DMWinaGAkGpq”/
AttributeRequest name=“cn” op=“Set” value=“268798”/
AttributeRequest name=“userPrincipalName” op=“Set” value="[email protected]"/
AttributeRequest name=“mail” op=“Set” value="[email protected]"/
AttributeRequest name=“userPassword” op=“Set” value=“A5gF9tW2qkx”/
AttributeRequest name=“sAMAccountName” op=“Set” value=“268798”/
AttributeRequest name=“displayName” op=“Set” value=“DMkucUeYBSrx,DMWinaGAkGpq”/
/AccountRequest
/ProvisioningPlan

This is the request from the IQService logs.

entry key=“Request”
value
AccountRequest application=“Active Directory” nativeIdentity=“CN=268798,OU=CHQ-QA,OU=Users-QA,OU=xxx,DC=xxx,DC=xxx,DC=com” op=“Modify”
AttributeRequest name=“givenName” op=“Set” value=“DMkucUeYBSrx”/
AttributeRequest name=“sn” op=“Set” value=“DMWinaGAkGpq”/
AttributeRequest name=“userPrincipalName” op=“Set” value="[email protected]"/
AttributeRequest name=“mail” op=“Set” value="[email protected]"/
AttributeRequest name=“userPassword” op=“Set” value=“LQsqD7ZmgIMo8nditYiRqC+oNtbq3GbSDUqThL8oaPs=”/
AttributeRequest name=“sAMAccountName” op=“Set” value=“268798”/
AttributeRequest name=“displayName” op=“Set” value=“DMkucUeYBSrx,DMWinaGAkGpq”/
/AccountRequest
/value
/entry

Can you also see in the provisioning transaction and capture more verbose error?

Below are the Provisioning transaction logs.

Error(s) reported back from the IQService - Failed to update attributes for identity CN=268xx,OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com. Failed to connect to the server for CN=268xx,OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com’ 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com’ . HRESULT:[0x80072030]Failed to connect to the server for CN=268xx,OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com’ 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=xx,OU=Users-QA,OU=xx,DC=xx,DC=xx,DC=com’ . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted Please Ensure the data has been aggregated before performing the operation

By the error log it does mention that the account is no more present in the AD or its OU has been updated.

Usually what I do before triggering any sort of operation is confirm if the account already exists on the end target system using singleAccountAggregation method.

Have you searched the user with the samaccountName or DN that is present in your ProvisioningPlan?

If an object already exists then IQService will treat it as Modify operation.

That’s actually quite interesting - seems like something is changing the operation from Create to Modify - if you check the provisioning transactions log - do you see it still as Create or Modify?

@amansingh that’s the case - @niket345 is trying to create the account but IQService is modifying it (although it does not exist).

My suspicion is that somewhere there is code which is changing the operation from Create to Modify - the question is more - where? If not in the before provisioning rule - we still have the connector before rule, which we need to check if there is one.

@kjakubiak No its Provisioning Logs, Operation is Create.

Just to add that I am using OOTB LCM Provisioning and not written any Custom code for Joiner.

Hello,

This issue is due to one or more attributes missing in the plan. Or the attributes you are sending may not be in the specified format.

Recheck all the attributes and values, then correct them.

If any attribute is missed, then SailPoint retries and marks it as modified.

Thanks,
Siva.K


@niket345
I could see distinguishedName has an Add operation; is there any specific reason you are doing that?
Are you creating provisioning plan from a rule or a code instead of provisioning policies, if so please share the code and also try changing the operation to Set and check this.
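A way to compare the two dumps discussed in this thread mechanically, as an added example that is not part of any post or of SailPoint's code: it diffs the AccountRequest logged by the before-provisioning rule against the one in the IQService log and masks secret values so the result can be shared. The XML samples, the `SECRET_ATTRS` list and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names whose values are never echoed (assumed list, extend as needed).
SECRET_ATTRS = {"userPassword", "password", "unicodePwd"}

# Constructed samples shaped like the two dumps in the thread; all values are placeholders.
PLAN_XML = """
<AccountRequest application="Active Directory" op="Create"
    nativeIdentity="CN=100001,OU=Users-QA,DC=example,DC=com">
  <AttributeRequest name="distinguishedName" op="Add"
      value="CN=100001,OU=Users-QA,DC=example,DC=com"/>
  <AttributeRequest name="givenName" op="Set" value="Test"/>
  <AttributeRequest name="cn" op="Set" value="100001"/>
  <AttributeRequest name="userPassword" op="Set" value="constructed-clear-text"/>
  <AttributeRequest name="sAMAccountName" op="Set" value="100001"/>
</AccountRequest>"""
IQSERVICE_XML = """
<AccountRequest application="Active Directory" op="Modify"
    nativeIdentity="CN=100001,OU=Users-QA,DC=example,DC=com">
  <AttributeRequest name="givenName" op="Set" value="Test"/>
  <AttributeRequest name="userPassword" op="Set" value="Y29uc3RydWN0ZWQ="/>
  <AttributeRequest name="sAMAccountName" op="Set" value="100001"/>
</AccountRequest>"""

def load(xml_text):
    """Return (op, nativeIdentity, {attribute name: (op, value)}) for one AccountRequest."""
    root = ET.fromstring(xml_text.strip())
    attrs = {a.get("name"): (a.get("op"), a.get("value"))
             for a in root.iter("AttributeRequest")}
    return root.get("op"), root.get("nativeIdentity"), attrs

def diff_requests(plan_xml, iqservice_xml):
    """List the differences between the plan and the request IQService received."""
    p_op, p_dn, p_attrs = load(plan_xml)
    q_op, q_dn, q_attrs = load(iqservice_xml)
    findings = []
    if p_op != q_op:
        findings.append(f"op changed: {p_op} -> {q_op}")
    if p_dn != q_dn:
        findings.append(f"nativeIdentity changed: {p_dn} -> {q_dn}")
    for name in sorted(p_attrs.keys() - q_attrs.keys()):
        findings.append(f"missing in IQService request: {name}")
    for name in sorted(q_attrs.keys() - p_attrs.keys()):
        findings.append(f"only in IQService request: {name}")
    for name in sorted(p_attrs.keys() & q_attrs.keys()):
        if p_attrs[name] != q_attrs[name]:
            detail = "<masked>" if name in SECRET_ATTRS else f"{p_attrs[name]} -> {q_attrs[name]}"
            findings.append(f"value changed: {name} {detail}")
    return findings

if __name__ == "__main__":
    print("\n".join(diff_requests(PLAN_XML, IQSERVICE_XML)))
```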