"Create Account" for Active Directory is returning an error - "Required string attribute 'User' is not defined, it must have a valid value."

Please consider addressing the following when creating your topic:

  • What have you tried?

    1. Create Account request for Active Directory, and it's failing.
    2. The source is healthy and both account and entitlement aggregation completed successfully.
  • What errors did you face (share screenshots)?

  • Share the details of your efforts (code / search query, workflow json etc.)?

    1. The usernamegenerator transform is used for both distinguishedName and sAMaccountName attributes in the create account policy.
    2. When sourcecheck is “true” in the usernamegenerator transform, the Create Account request fails. If sourcecheck is mapped to “false”, the account gets provisioned successfully.
    3. On the create account page, I selected user as the objecttype, checked the schema, and confirmed that accountid and accountname are mapped to distinguishedName and samAccountName.
    4. Aggregation finished successfully, including entitlements, and the source is healthy.
    5. The usernamegenerator applies these patterns:
      "patterns": [
        "CN=$fi$ln,$OU",
        "CN=$fi$ln${uniqueCounter},$OU"
      ]
      $fi: first initial of firstname
      $ln: lastname
      $OU: based on the location value

    Example: CN=JDoe,OU=YOURCONTAINER,DC=YOURDOMAIN
    Note: TestOU was used instead of the specified OU in this example.
    6. I’ve validated the $fi$ln variables in a static transform, and it produces the expected output.

  • What is the result you are getting and what were you expecting?
    Error Message:
    An unexpected error occurred: sailpoint.thunderbolt.service.NotRetryableActionException: Unable to generate a unique value for ‘User5538’, action UniqueAccountIdValidator[nativeIdentity=UKiran,app=Active Directory - Conviva_New] is not retry-able due to InvalidConfigurationException: [ InvalidConfigurationException ]
    [ Error details ] Required string attribute ‘User’ is not defined.It must have a valid value.

    I’ve checked the configurations for Create Account and Source and didn’t find any issues, but I’m still getting an error.

Hi @Amoughvgowda ,

Based on this post: AD Account Provisioning Error - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

It seems that only the accountID on the source (the distinguishedName attribute) supports the username generator, but not the sAMAccountName.

For sAMAccountName you can try:

You may modify the object type, and the value should be ‘User’ (with a capital ‘U’).

From the Create Account Section from Source…

Provisioning Log From Search..

Hi @baoussounda Thank you for your suggestion. I have a question about how to extract the samaccountname from the distinguishedname. I plan to keep the samaccountname below the DN in the create account policy configuration. Once the DN is generated, I’ll use that value, extract the CN part as a substring and store it as the samaccountname.

Is it possible to use the accountattribute transform type in the create account policy to obtain the distinguishedName?

Is there any approach other than this to extract the generated DN value and refer to it in the create account policy for sAMAccountName?

Hi @Amoughvgowda I can’t recommend that approach, as a CN may be unique in an OU, but not as a sAMAccountName. Best practice is to use the Create Unique LDAP Attribute generator for sAMAccountName; see Default Provisioning Attributes Reference.
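
The point in the last reply, shown as an added example that is not part of the original thread and is not SailPoint code: a simplified Python model of the two patterns quoted above, where the DN is checked for uniqueness as a full DN while sAMAccountName must be unique across the whole domain. The directory entries, the function names, the counter starting at 1 and the 20-character cap applied to the generated name are assumptions made for the illustration.

```python
# Constructed sample directory: (distinguishedName, sAMAccountName) pairs.
EXISTING = [
    ("CN=JDoe,OU=Sales,DC=example,DC=com", "JDoe"),
    ("CN=ASmith,OU=TestOU,DC=example,DC=com", "ASmith"),
]

def _counters(max_checks):
    # First attempt has no counter, then 1, 2, ... (assumed starting value).
    return [""] + [str(i) for i in range(1, max_checks)]

def rdn_cn(dn):
    """CN value of the leading RDN (sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def generate_dn(first, last, ou, existing, max_checks=50):
    """Model of CN=$fi$ln,$OU then CN=$fi$ln${uniqueCounter},$OU.
    Uniqueness is tested on the full DN, so it is scoped to one container."""
    taken = {dn.lower() for dn, _ in existing}
    for c in _counters(max_checks):
        dn = f"CN={first[0]}{last}{c},{ou}"
        if dn.lower() not in taken:
            return dn
    raise ValueError("no unique distinguishedName within max_checks")

def sam_conflicts(sam, existing):
    """DNs of accounts anywhere in the domain that already hold this sAMAccountName."""
    return [dn for dn, s in existing if s.lower() == sam.lower()]

def generate_sam(first, last, existing, max_checks=50, max_len=20):
    """Generate sAMAccountName on its own, checked domain-wide and length-capped."""
    base = first[0] + last
    for c in _counters(max_checks):
        sam = base[: max_len - len(c)] + c
        if not sam_conflicts(sam, existing):
            return sam
    raise ValueError("no unique sAMAccountName within max_checks")

if __name__ == "__main__":
    dn = generate_dn("John", "Doe", "OU=TestOU,DC=example,DC=com", EXISTING)
    derived = rdn_cn(dn)  # the "substring of the DN" idea from the thread
    print("DN:", dn)
    print("CN reused as sAMAccountName:", derived,
          "-> conflicts with", sam_conflicts(derived, EXISTING))
    print("Independently generated sAMAccountName:",
          generate_sam("John", "Doe", EXISTING))
```
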