Adding a specific attribute breaks provisioning in Active Directory

ninfante · December 17, 2024, 7:14pm

Hi all!

Hope everything’s going well.
We are working on the integration of an AD connector in INow, and so far everything works. We can read, modify and create accounts in AD.
Now, I’ve got the requirement of adding a couple of additional attributes in the schema that need to be populated when the account is created.
Most of them worked, I’ve been adding one by one, testing that each attribute is being sent correctly to AD without any issue.
Everything worked until I tried to add the attribute uidNumber.
This attribute exists in AD, and also is present in our schema. When we run the aggregation, SailPoint is able to read the values that are present in those accounts that contain a valid value.
We also tried sending a static value and it worked for some reason, but when we map the value to be grabbed from the identity, it fails saying:

Errors
Account created but some attributes are not updated properly.

Warnings
Account created but failed to modify : Failed to update attributes for identity CN=nflander,OU=TestOU,DC=exampledc1,DC=exampledc2. The attribute syntax specified to the directory service is invalid.

Stage
Completed with errors. Refer to the remediation status report.

Have you received this error from SailPoint?

Thanks in advance!

jishnu_suresh · December 17, 2024, 8:09pm

Hi Nicolas,

This looks like an issue due to mismatch in datatype of the value you are trying to push and the datatype of the AD schema.
Please refer to the post below.

ninfante · December 18, 2024, 7:53pm

Hi Jishnu! Thanks for replying.
Yes, I thought about this, but the issue is that the value I’m trying to send is already a number.
This number is being generated by a transform, which is used to add a number to another attribute that holds the user id, and the result is shown as an identity attribute.
Let’s say that the identity number is 100 and the number that is added is 200, so the final attribute is 300.
This is the value that I try to send to AD, but for some reason AD doesn’t accept this value."

The user id is like this in the identity “identificationNumber”: 1234567890
The transform, if helps, that I use to generate the identity attribute is the following:


{
	"name": "FinalEmployeeNumber",
	"type": "static",
	"attributes": {
		"employeeNumber": {
			"attributes": {
				"values": [
					{
						"attributes": {
							"name": "identificationNumber"
						},
						"type": "identityAttribute"
					},
					"00"
				]
			},
			"type": "firstValid"
		},
		"value": "#set( $Integer = 0 ) #set( $numberAsString = $employeeNumber ) #set( $parsedNumber = $Integer.parseInt($numberAsString) ) #set( $baseNumber = 20000 ) #set( $finalNumber = $parsedNumber + $baseNumber ) $finalNumber"
	}

edmarks · December 18, 2024, 11:24pm

A suggestion for testing would be to create a “Test Attribute” for the identities and then populate this value in the associated identity profile using the same transform.

This would create a human readable value directly on the identity that you could look at to confirm if it’s the expected value (at least as a “string”).

j_place · December 19, 2024, 2:18pm

I would check you’re not out of bounds of the Int32 data type System.Int32 struct - .NET | Microsoft Learn

system · February 17, 2025, 2:19pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.