BeforeCreate rule to change 'countryCode' operation in Active Directory

There appears to be an issue with IIQ/IDN when creating new accounts with the ‘countryCode’ attribute specified in the provisioning policy. Windows AD defaults the ‘countryCode’ attribute to value=0 upon account creation, but when IQ service tries to add this attribute it fails with “directory attribute already exists”. It seems that I need a BeforeCreate connector rule to change the operation value from “add” to “set” to properly add the ‘countryCode’ attribute value during account create.

Seems simple enough, but what is missing from this ps1 script?

    foreach ($attribute in $requestObject.AttributeRequests) {
        if ($attribute.Name -eq "countryCode" -and $attribute.Operation -eq "Add") {
            $attribute.Operation = "Set";
        }
    }

Thanks,
Mike

Hi @mgawlowski

  1. Can you let me know how you are passing the countryCode attribute in your Active Directory provisioning policy?

  2. Is it in the right format as per AD standards?

Hi @mgawlowski

As @rajeshs mentioned, please first refer to the Provisioning Policy to check what value you are passing in the countryCode attribute.

If your source is an IDN attribute, please check that the countryCode attribute is mapped properly.

On the other hand, if the attribute is being set by a transform rule, please check that the transform is setting the value properly.

@rajeshs it comes from an identity attribute with a transform. The AD schema has been set to type=‘int’ because that is what Active Directory uses for countryCode. The transform works fine:

But IIQ is failing to add the attribute using an ‘add’ operator because the attribute already exists, according to the error:


I am pretty confident that this can only be resolved by a connector rule to correct the operator during creation. What would be the best method to achieve that?
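
The operator rewrite discussed in this thread, as an added example that is not code from any poster or from SailPoint. The `Convert-AddToSet` function and `$PrePopulated` list are hypothetical names, the sample request is constructed, and the IQService wiring (`utils.dll`, `$env:Request`, `$args[0]`) is assumed from SailPoint's IQService script template and should be checked against your IQService version.

```powershell
# Added example. Names Convert-AddToSet and $PrePopulated are hypothetical.
# Attributes that AD populates itself at object creation, so "Add" collides.
$PrePopulated = @('countryCode')

function Convert-AddToSet {
    param($Request, [string[]]$Names)
    $changed = @()
    foreach ($attr in $Request.AttributeRequests) {
        # -contains and -eq are case-insensitive for strings in PowerShell;
        # the string cast covers Operation being an enum or a string.
        if ($Names -contains $attr.Name -and "$($attr.Operation)" -eq 'Add') {
            $attr.Operation = 'Set'
            $changed += $attr.Name
        }
    }
    return ,$changed
}

if ($env:Request) {
    # Running under IQService (assumed template): deserialize the request.
    Add-Type -Path utils.dll
    $sReader   = New-Object System.IO.StringReader([System.String]$env:Request)
    $xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader))
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)

    Convert-AddToSet -Request $requestObject -Names $PrePopulated | Out-Null

    # A before-script change only reaches the connector if the modified
    # request is written to the file path passed as the first argument.
    $requestObject.toxml() | Out-File $args[0]
}
else {
    # Offline check with a constructed stand-in for the request object.
    $sample = [pscustomobject]@{
        AttributeRequests = @(
            [pscustomobject]@{ Name = 'countryCode'; Operation = 'Add'; Value = 840 },
            [pscustomobject]@{ Name = 'sn';          Operation = 'Add'; Value = 'Doe' }
        )
    }
    $rewritten = Convert-AddToSet -Request $sample -Names $PrePopulated
    "rewritten: $($rewritten -join ', ')"
    $sample.AttributeRequests | Format-Table Name, Operation, Value
}
```

Run without `$env:Request` set, the script exercises only the rewrite on the constructed sample, which makes it easy to confirm that other attributes keep their original operation.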
