AD provisioning fail

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I am working on AD provisioning from IIQ and getting the error below. Please help me fix this issue.

I am creating the account in AD, but the logs show that it failed to update the attributes for the identity.

Error(s) reported back from the IQService - Failed to update attributes for identity cn=C31xxxx,OU=CHQ-QA,OU=xxxx,OU=xxx,DC=xxx,DC=xxx,DC=com. Failed to connect to the server for cn=C315434,OU=CHQ-QA,OU=xxxx,OU=xxx,DC=xxx,DC=xxx,DC=com:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted
Please Ensure the data has been aggregated before performing the operation

Thanks

@niket345
What kind of operation are you trying to do here?

Looking at the logs, it might be a modify where the object is not present on the target. Did you check whether the object you are trying is present in the target?
cn=C31xxxx,OU=CHQ-QA,OU=xxxx,OU=xxx,DC=xxx,DC=xxx,DC=com

Please check this.

Also, if it's a create account operation, please check that all the attributes, like manager, are correctly passed for the object (e.g. the manager is present in the same AD domain).


Hi @niket345

I can see that, based on the above error message, you are trying to create AD accounts.

  1. Check if the DC is reachable
  2. Validate the object in the target (AD)
  3. Validate all the attributes which you are passing to perform the create operation
  4. Try creating a new AD account and check for any errors

Hello Rajesh,

Thanks for the response.

I believe the DC is reachable, as the AD team confirmed that they can see log events showing the account is created and then immediately deleted due to errors.

Also, for now I am creating the AD account via a Rule with a few attributes like DN, SAMAccountName, Password, CN, first name and last name. Please let me know if there are any mandatory attributes to add.

Please list the attributes you are passing. Does the password comply with the policy on the AD side? And how about manager, are you passing that?

Hello Satish,

Yes, the password is as per AD policy.

I am getting a null Manager ID, so I am not passing it into the plan.

Below are the attributes and my plan.

<ProvisioningPlan>
  <AccountRequest application="Active Directory" nativeIdentity="CN=268798,OU=CHQ-QA,OU=Users-QA,OU=xxxxxx-QA,DC=xxxxxx,DC=xxxxxx,DC=com" op="Create">
    <AttributeRequest name="distinguishedName" op="Add" value="CN=268798,OU=CHQ-QA,OU=Users-QA,OU=xxxxxx-QA,DC=xxxxxx,DC=xxxxxx,DC=com"/>
    <AttributeRequest name="givenName" value="DM-kucUeYBSrx"/>
    <AttributeRequest name="sn" value="DM-WinaGAkGpq"/>
    <AttributeRequest name="cn" value="DM-WinaGAkGpq, DM-kucUeYBSrx"/>
    <AttributeRequest name="mail" value="[email protected]"/>
    <AttributeRequest name="userPassword" value="A5gF9txxxxx"/>
    <AttributeRequest name="sAMAccountName" value="268798"/>
    <AttributeRequest name="displayName" value="DM-WinaGAkGpq, DM-kucUeYBSrx"/>
  </AccountRequest>
</ProvisioningPlan>

Where are you passing userPrincipalName? This should be a mandatory attribute for the AD account creation process.
Please make sure you send this and see if it's working.


I have added "userPrincipalName" to the plan but I am getting the same error.

Any idea what would be the cause of this issue?

Thanks

Can you give the complete plan log here with the latest change? Also, I see your CN and distinguished name are not as per standard; the CN should be part of your DN. Please check.

Okay, let me try to share the latest logs with you. Do you have any sample plan for AD so I can compare it with my code?
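
An added example (not part of the original thread and not SailPoint code): a Python pre-flight check over a plan in the XML form posted above, covering the two points raised in the replies, that userPrincipalName is present and that the cn attribute matches the leading RDN of the DN. The sample plan is constructed, and the function names and the list of required attributes are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample plan modelled on the one posted in this thread (placeholder values).
SAMPLE_PLAN = """<ProvisioningPlan>
  <AccountRequest application="Active Directory" op="Create"
      nativeIdentity="CN=268798,OU=CHQ-QA,OU=Users-QA,DC=example,DC=com">
    <AttributeRequest name="distinguishedName" op="Add"
        value="CN=268798,OU=CHQ-QA,OU=Users-QA,DC=example,DC=com"/>
    <AttributeRequest name="cn" value="Last, First"/>
    <AttributeRequest name="sAMAccountName" value="268798"/>
  </AccountRequest>
</ProvisioningPlan>"""

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (hex escapes not handled)."""
    return [part.strip() for part in re.split(r'(?<!\\),', dn)]

def leading_cn(dn):
    """Return the unescaped value of the first RDN if it is a CN, else None."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().lower() != "cn":
        return None
    return re.sub(r'\\(.)', r'\1', value.strip())

def check_create_request(plan_xml, required=("sAMAccountName", "userPrincipalName")):
    """Return a list of findings for every Create AccountRequest in the plan."""
    findings = []
    for req in ET.fromstring(plan_xml).iter("AccountRequest"):
        if req.get("op") != "Create":
            continue
        dn = req.get("nativeIdentity", "")
        attrs = {a.get("name"): a.get("value") for a in req.iter("AttributeRequest")}
        for name in required:  # assumed list, taken from the replies above
            if not attrs.get(name):
                findings.append(f"missing attribute: {name}")
        dn_attr = attrs.get("distinguishedName")
        if dn_attr is not None and dn_attr.lower() != dn.lower():
            findings.append("distinguishedName differs from nativeIdentity")
        cn = attrs.get("cn")
        if cn is not None and cn != leading_cn(dn):
            findings.append(f"cn {cn!r} is not the leading RDN of {dn!r}")
    return findings

if __name__ == "__main__":
    for finding in check_create_request(SAMPLE_PLAN):
        print(finding)
```

A display-style CN such as "Last, First" contains a comma, so it can only appear in a DN in its escaped form (`CN=Last\, First,...`), which `leading_cn` unescapes before comparing.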

@niket345
Can you please let me know where you are creating the plan? Is it through a provisioning policy, from a rule, or somewhere in a Before Provisioning Rule? If it's through a rule or somewhere in a Before Provisioning Rule, please share your code.

Hi,
Are you seeing any object being created in Active Directory with some basic information? Do you have a multi-domain AD environment? This can be due to a latency issue or a replication issue on AD.

Thanks

Hi @niket345 Were you able to resolve this issue?

Sorry for the delayed response.

Yes. There is an issue with the AttributeName and values. We are passing them in the wrong format.