An error occurred while aggregating Application Active Directory [source]

My Active Directory connector was working fine on Friday, but has stopped provisioning accounts this morning. I CAN still manually aggregate all accounts, single accounts, enable and disable individual accounts via SP.

This is the full error message:

Error generating a unique value, the exception was:
java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:LDAPUniqueValueValidator: Searching for objectType 'account' using options '{deltaAggregation=false, cloudConfigOverrides={aggregateTimeout=30, deltaIterationMode=NONE, disablePooling=true, timeout=30, iterateSearchFilter=(&(sAMAccountName=tbrace91))}}' on source 'Active Directory [source]'. Exception: java.lang.RuntimeException: An error occurred while aggregating Application Active Directory [source]

Has anyone come across this type of error before?
Many thanks
Phil

Hi @phil_awlings,

Please check whether the filter that you are applying is returning the correct data.
Please see if this discussion helps.

Thanks

I've rolled back the CREATE settings to the last save point, and checked the source configuration.
It appears that it is just the LDAP query that is failing, which comes from this attribute rule inside the 'account CREATE':

{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    }
}

Is the issue resolved, or do you want help with the rule?

Thanks

The issue is not resolved, and I don't understand why it has stopped working.
All settings were unchanged over the weekend.
It's an OOB connector, so the search settings (apart from the sAMAccountName) are preset.
And as I said in my original statement, I can manually aggregate the source for both individual and bulk accounts.

Hi @phil_awlings,

Are you facing the issue during account creation? If it is with creation, then what changes did you make after it started failing?

Is it during aggregation that you are facing the issue?

Thanks

It is just during the account creation process.
I've:

  • rolled back the configuration of the CREATE function to a saved point
  • checked the schema
  • checked the configuration file against the saved Master copy
  • rebooted the server that the AD is stored on
  • gone onto the server and checked its configuration and navigated around
  • manually aggregated all accounts and entitlements (they work fine)
  • manually aggregated a single account (that works)
  • enabled and disabled a single account (that works)
  • checked the dashboard for any 'hung' processes

About to manually change some identity attributes to see if the sync process is working, then I am at a loss after that.

Edit: sync process for updating attributes works.

Hi @phil_awlings,

What are the changes in the account creation step?
Also, please share the account creation rule "Create Unique LDAP Attribute".

Thanks

Hi @phil_awlings,

Did you change the search filter to include only a single user?

The error indicates the filter as SearchFilter=(&(sAMAccountName=tbrace91))

If yes, can you revert that to the previous settings and see if it works? I believe the rule looks into AD through the search filter defined in the connector configuration.

"Create Unique LDAP Attribute" is a SailPoint rule, not something that was created bespoke for us.

Account Profile Attribute Generator (from Template) | SailPoint Developer Community

Hi @jesvin90 ,

No changes made by me. It's a SailPoint rule, and it needs to only look at a single user for a uniqueness check. Here's the whole of the attribute:

{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    },
    "attributes": {
        "template": "$(samaccountnameCalculate)$(uniqueCounter)",
        "cloudMaxUniqueChecks": "10",
        "cloudMaxSize": "20",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

Not sure if you've already seen it, but there's an outage posted on the SailPoint Status page on this:

EDIT: Fixed my own error

Follow up question:
This is the error message that I was meant to be working on this morning for account creation:

Account created but failed to modify : Failed to update attributes for identity CN=tbrent44,OU=Teaching Staff,OU=Users,OU=2046677,OU=Primary,OU=Schools,DC=edpoc,DC=net. The specified directory service attribute or value does not exist.

Do we think that this is related?
All attributes that I am trying to create are in the schema