Hello everyone, in my environment I want to create AD accounts through a lifecycle state that assigns new AD accounts. The point is that I want to visualize the accounts in AD with the display name and not with the username that is assigned to that account. I discovered that I have to set the CN to the value of the display name to achieve this goal, but the problem is that I have changed the CN mapping in the “create account” policy to be mapped with the displayName, but it is still being created with CN=username. Do you have any suggestions?
Hey Salvatore,
If I understand this correctly, you want to:
- Create AD accounts via a lifecycle state (e.g., ‘onboarding’, ‘active’)
- The CN of the AD account to be set to the Display Name, not the Username
You have already completed:
- Mapped the CN attribute in the ‘Create Account’ provisioning policy to Display Name
However, the account is still being created with CN = username
Based on SailPoint’s documentation and other discussions on this forum, it looks like mapping the CN to displayName is possible but may require using special attributes like AC_NewName in the provisioning plan to override the default behavior.
Even if the CN is mapped in the Create Account policy, the connector might still default to using username unless explicitly instructed otherwise. It’s also worth checking if the identity has a valid displayName before provisioning and confirming that there are no conflicting mappings in the schema or connector config.
Please review the below documentation and discussion of the same question:
- Documentation: Default Provisioning Attribute Reference
- Discussion: Similar/Same Question asked
If you need further help, please provide a copy/paste of the create policy JSON and ensure that you have a valid display name coming in on the identity.
Hi @s_tartaglione,
Kindly use the DN (Distinguished Name) rather than the CN to display the user's display name. Also keep in mind that if you are defining the DN with the dynamic username value, then you first need to define the CN under the create provisioning policy and then the DN, so that the declared dynamic CN can be utilized in the DN value.
Please review the links shared by @daltonherriman for your reference, as they will help you understand more and resolve the issue.
Actually I'm using this provisioning policy for the DN:
{
  "name": "distinguishedName",
  "transform": {
    "type": "concat",
    "attributes": {
      "values": [
        "CN=",
        {
          "type": "static",
          "attributes": {
            "value": "$sAMAccountName"
          }
        },
        ",OU=TST,OU=Suppliers,DC=it"
      ]
    }
  }
}
And it works fine, but if I change it to:
{
  "name": "distinguishedName",
  "transform": {
    "type": "concat",
    "attributes": {
      "values": [
        "CN=",
        {
          "type": "identityAttribute",
          "attributes": {
            "name": "displayName"
          }
        },
        ",OU=TST,OU=Suppliers,DC=it"
      ]
    }
  }
}
I have problems adding the entitlements during the AD account creation.
Hi @s_tartaglione,
Could you please share any error encountered during the account provisioning request. Also, do share the provisioningRequest with the DN value.
In case the transform is unable to set the identity displayName, please use the beforeProvisioningRule and set the DN value in AD by using “AC_NewName”.
Let me know if you still see any issues after configuring the above suggested steps.
This is the error that I got:
["Exception occurred while executing the RPCRequest: Errors returned from IQService. \"Failed to connect to the server for Testt1 (MAGNETI),OU\u003dTST,OU\u003dSuppliers,OU\u003dUsers,OU\u003dWeb,DC\u003dit:An invalid dn syntax has been specified. An invalid dn syntax has been specified. 0000208F: NameErr: DSID-03100233, problem 2006 (BAD_NAME), data 8350, best match of: \t\u0027Testt1 (MAGNETI),OU\u003dTST,OU\u003dSuppliers,OU\u003dUsers,OU\u003dWeb,,DC\u003dit\u0027 0000208F: NameErr: DSID-03100233, problem 2006 (BAD_NAME), data 8350, best match of: \t\u0027Testt1 (MAGNETI),OU\u003dTST,OU\u003dSuppliers,OU\u003dUsers,OU\u003dWeb,,DC\u003dit\u0027 . HRESULT:[0x80072032]Failed to connect to the server for Testt1 (MAGNETI),OU\u003dTST,OU\u003dSuppliers,OU\u003dUsers,OU\u003dWeb,DC\u003dit:An invalid dn syntax has been spe...ming the operation "]
@s_tartaglione, kindly look at the provisioningResult, as the issue is returned by IQService during provisioning. It is entirely due to the incorrect format of the provided DN value.
Please check the passed DN value. Also make sure that the DN is valid on the AD side before provisioning.
IHTH
Ok, but how can I check if the DN is valid or not in AD?
You can check whether the formed DN path (from Activity Logs/Provisioning Transactions) exists in AD or not.
To check this, go to AD and search under the entire directory for the available OUs, and accordingly check whether the DN passed/formed by SailPoint exists or not.
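Before an account request reaches IQService, the same DN the concat transform builds can be reconstructed and checked for syntax offline. The following is an added example for this thread, written in Python rather than as a SailPoint transform; it is not code from the original posts or from SailPoint. It assumes the container path from the transform above (OU=TST,OU=Suppliers,DC=it) and uses constructed display names. It escapes the characters RFC 4514 requires in an RDN value (a comma inside a display name, leading/trailing spaces; parentheses need no escaping in a DN, only in LDAP filters) and flags the two shapes that appear in the quoted IQService error: a leading component with no attribute type in front of it, and an empty component from a doubled comma.

```python
"""Build and sanity-check an AD distinguishedName from identity attributes.

Added example for this thread, not code from the original posts or from SailPoint.
It reproduces the concat transform (CN=<displayName>,OU=TST,OU=Suppliers,DC=it) in
plain Python so the resulting DN can be inspected before it is sent to IQService.
The container path and the sample display names are constructed.
"""
import re

# RFC 4514, section 2.4: characters that must be escaped anywhere in a value.
_SPECIALS = {'"', '+', ',', ';', '<', '>', '\\'}

# Attribute type: a descriptor such as CN/OU/DC, or a dotted numeric OID.
_RDN_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')


def escape_rdn_value(value: str) -> str:
    """Escape a display name for use as an RDN value (RFC 4514 string form)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#'
        else:
            out.append(ch)             # parentheses, dots, etc. need no escape
    return ''.join(out)


def build_dn(display_name: str, container: str) -> str:
    """Compose the DN the thread's transform builds: CN=<name>,<container>."""
    return f"CN={escape_rdn_value(display_name)},{container}"


def _split_unescaped(text: str, sep: str) -> list:
    """Split on a separator while keeping backslash-escaped pairs intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def dn_problems(dn: str) -> list:
    """Return the syntax problems found in a DN; an empty list means well-formed."""
    problems = []
    for idx, rdn in enumerate(_split_unescaped(dn, ',')):
        if rdn == '':
            problems.append(f"RDN {idx}: empty component (double comma)")
            continue
        # A multi-valued RDN joins its type=value pairs with '+'.
        for atv in _split_unescaped(rdn, '+'):
            if '=' not in atv:
                problems.append(f"RDN {idx}: '{atv}' has no attribute type (missing 'CN=')")
                continue
            atype, _, avalue = atv.partition('=')
            if not _RDN_TYPE.match(atype):
                problems.append(f"RDN {idx}: bad attribute type '{atype}'")
            if avalue == '':
                problems.append(f"RDN {idx}: empty value for '{atype}'")
    return problems


if __name__ == "__main__":
    container = "OU=TST,OU=Suppliers,DC=it"      # constructed, from the thread's transform
    for name in ("Testt1 (MAGNETI)", "Rossi, Mario", " Trailing space "):
        dn = build_dn(name, container)
        print(dn, "->", dn_problems(dn) or "OK")
    # The DN shape visible in the IQService error: no 'CN=' in front of the display name.
    print(dn_problems("Testt1 (MAGNETI),OU=TST,OU=Suppliers,OU=Users,OU=Web,,DC=it"))
```

Run it against the DN value copied from the provisioning transaction: an empty list from dn_problems means the string is syntactically a DN, after which the only remaining check is whether the container OUs actually exist in the directory, as described in the reply above.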
I tried to create a new AD user directly in AD and it seems that the CN value in the DN separates the spaces with “/”.
@s_tartaglione, it might be due to the policy set at the AD level. You can check with the AD team how the policy is defined; if so, then you need to modify the CN value from SailPoint as well.