AD is not getting provisioned

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hello All,

We did rapid setup for provisioning AD account to newly created ID based on some script. RapidSetup Joiner event is getting triggered for newly aggregated ID but AD is not getting provisioned.
I checked the “Admin Console” too for provisioning transactions, but there is no transaction for this provisioning. I have even checked the logs; we don’t find anything there either.
Ideally, it should work now as all the conditions are met. I replicated similar kind of requirement in my local device for JDBC provisioning and it is working fine. But, for client we are trying to do the same for AD provisioning, it is not taking place.
If anyone can please help.

Thank you in advance!

Have you tried requesting an AD entitlement from AD for an identity that does not have an AD account, does this provision a new account?

Hello @venus

Sorry, I didn’t get your question.
We have RapidSetup Joiner event configured for workday and AD application. Once new ID is aggregated from Workday, their account should also get provisioned in AD as per requirement. The condition that is mentioned for RapidSetup Joiner event for AD provisioning is met now, but provisioning is not taking place (AD account is not getting created).

I was asking to check if there are no issues with the actual AD provisioning and it works if you manually request an AD group via Manager User Access quick link.

Did it create any Access Request? Or check if any form / approval item is created.

Can you validate if the newly created identity satisfies the population membership criteria mentioned in the RapidSetupConfiguration.xml? There must be an entry (key=“identSelectorDTO”) under which the population must be mentioned.

Hello @vishal_kejriwal1

That’s the issue, we cannot see any access request for provisioning either. Not even any transaction in the “Admin Console”.

Actually, we have given the condition in the form of a script for the event to get triggered. We have checked, and the condition is satisfied, but still provisioning is not taking place.

There are no issues with actual AD provisioning most probably. Actually, we don’t have complete access to the system. I can see some provisioning requests for AD in the admin console which are successful.
Not sure why it is not getting triggered in our case.

Is it possible to try adding a simple criteria condition based on user profile attribute to see if the event is triggered for the concerned user? In the logs do you see any issue with the AD - mandatory policy form attributes population that may be preventing the successful provisioning of the AD account to user.

Can you try enabling the loggers and see if the provisioning is actually taking place?

Enable loggers for AD connector for the below classes

sailpoint.connector.ADLDAPConnector
sailpoint.connector.LDAPConnector

Enable trace in the joiner workflow

Log the provisioningplan in the before provisioning rule and provisioningresult in the after provisioning rule in the AD connector

Did you check if any work item is open?

Hello @pallavi @Abhisinha89 @vishal_kejriwal1 ,

Please find attached the logs above.
There is one “Before Provisioning Rule” set in AD where we tried to print a log statement (log.debug(“****** ABCDEFGHIJ ******”); ) at the start so that we get to know the issue. But in the logs we don’t see this provisioning rule.

The Identity Attribute in your AD Application is not set to a unique attribute (generally it is distinguishedName). Are you providing a unique value for the Identity Attribute in the provisioning plan?

It seems your provisioning plan does not have the Native Identity value specified and hence the request is failing before provisioning.

please check the create provisioning plan and set the
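
As an added illustration of the two suggestions above (logging the provisioning plan in the before provisioning rule, and checking that a create request carries a native identity), here is a BeanShell body for an IdentityIQ BeforeProvisioning rule. It is not code from this thread or from the poster's beforeprov.xml; it assumes the standard rule variables plan, application and log, and the log prefix is made up.

```java
// Added example: BeanShell body of an IdentityIQ BeforeProvisioning rule.
// Assumes the standard rule variables: plan, application, log.
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Made-up prefix, only there to make the lines easy to find in the log.
String tag = "BEFORE-PROV-DEBUG [" + application.getName() + "] ";

if (plan == null) {
    log.warn(tag + "rule invoked with a null plan");
    return;
}

// warn instead of debug: the line is written as long as the effective
// log level is warn or lower. The plan XML can include attribute values
// such as an initial password, so treat the log file as sensitive and
// remove this statement once troubleshooting is finished.
log.warn(tag + "incoming plan:\n" + plan.toXml());

List requests = plan.getAccountRequests();
if (requests == null || requests.isEmpty()) {
    log.warn(tag + "plan has no account requests");
    return;
}

for (AccountRequest req : requests) {
    String nativeId = req.getNativeIdentity();
    boolean missingId = (nativeId == null || nativeId.trim().length() == 0);

    log.warn(tag + "op=" + req.getOperation()
            + " app=" + req.getApplication()
            + " nativeIdentity=" + nativeId);

    // The condition raised in the thread: a Create request that reaches
    // the connector without a native identity value.
    if (AccountRequest.Operation.Create.equals(req.getOperation()) && missingId) {
        log.error(tag + "Create request has no nativeIdentity; check the "
                + "application's identity attribute and the create provisioning policy");
    }
}
```

If none of these lines appear in the log after the joiner event fires, the request is stopping before the rule runs.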

AD provisioning is still not taking place. If anyone has any kind of solution or article that can help me in this case, please let me know.

Hi Arpita,
I think it would be helpful if you could paste here the AD App definition together with the before provisioning rule if you have any (of course after anonymization) so we could take a look at this.

Hello @kjakubiak

Please find attached below the before provisioning rule that we are using:
beforeprov.xml (1.9 KB)

Sorry, it would be a little difficult to paste the app definition. But please let me know what details you need. I’ll surely try to provide you all the details.

Thank you!

Hi Arpita
This call

	if(null!=plan) {
		plan=checkAttrSync(plan);
	}

is doing something with your plan but there’s no code for this method in the before provisioning so I suspect it is in the rule library - could you also add this method?

Second thing I found

	if(null!=acctReqList){
		for(AccountRequest accReq : acctReq){
			plan.add(accReq);
		}
	}

Are you sure the list you are trying to iterate over is acctReq, not acctReqList?

Hello @kjakubiak

In the second piece of code, it’s acctReqList. Actually, I typed it from the code, that’s why it got a typo here, but in the actual code it is “acctReqList”.

For the first, it’s a big piece of code. If you want, let me prepare it and share it with you.

Can this issue have anything related to the task through which we are aggregating?

This method might be useful. Based on your screenshot, the error is thrown from the provision method, so it’s nothing to do with Aggregation actually.

Answering the first part of your question: in your before provisioning rule you are checking if account/attribute requests are not null. If the method is setting them to null then yes, it might cause problems.