Error while generating unique distinguishedName for AD Provisioning in SailPoint ISC

Hello All,
I have a requirement to select the OU for a user dynamically based on the employee type. My provisioning policy is as follows:

{
    "name": "Account",
    "description": null,
    "usageType": "CREATE",
    "fields": [
        {
            "name": "ObjectType",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "User"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "distinguishedName",
            "transform": {
                "attributes": {
                    "name": "Custom AD DN Generator"
                },
                "type": "reference"
            },
            "attributes": {
                "cloudMaxUniqueChecks": "50",
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "usernameGenerator",
            "isMultiValued": false
        },
        {
            "name": "sAMAccountName",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Unique LDAP Attribute"
                }
            },
            "attributes": {
                "template": "$(firstname).$(lastname)$(uniqueCounter)",
                "cloudMaxUniqueChecks": "50",
                "cloudMaxSize": "20",
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "displayName",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "displayName"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "manager",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Get Manager LDAP DN"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "mail",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "password",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Password"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "secret",
            "isMultiValued": false
        },
        {
            "name": "givenName",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "sn",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "lastname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "pwdLastSet",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "false"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "IIQDisabled",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "false"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "primaryGroupDN",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": ""
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "description",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": ""
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "telephoneNumber",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "phone"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msNPAllowDialin",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "homeMDB",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "mailNickname",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "shadowAccountDN",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msExchHideFromAddressLists",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "SipAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "SipDomain",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "SipAddressType",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msNPCallingStationID",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msRADIUSCallbackNumber",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msRADIUSFramedRoute",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msRADIUSFramedIPAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "RegistrarPool",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "dNSHostName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msDS-SupportedEncryptionTypes",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msDS-ManagedPasswordInterval",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msDS-GroupMSAMembership",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "servicePrincipalName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "externalEmailAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "userPrincipalName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "title",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "department",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "employeeID",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "company",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

The custom transform for the distinguished name is as follows:

{
  "name": "Custom AD DN Generator",
  "type": "usernameGenerator",
  "attributes": {
    "sourceCheck": true,
    "patterns": [
      "CN=$fn $ln,OU=$ou,OU=SOMEOU,DC=SOMEDC,DC=com"
    ],
    "fn": {
      "type": "identityAttribute",
      "attributes": {
        "name": "firstname"
      }
    },
    "ln": {
      "type": "identityAttribute",
      "attributes": {
        "name": "lastname"
      }
    },
    "ou": {
      "attributes": {
        "expression": "$empType eq Permanent",
        "positiveCondition": "EMPLOYEES",
        "negativeCondition": "CONSULTANTS",
        "empType": {
          "attributes": {
            "attributeName": "employeetype"
          },
          "type": "identityAttribute"
        }
      },
      "type": "conditional",
      "name": "Decide OU"
    }
  }
}

But when I request an access profile, I get the following error:

Kindly help, since I'm unable to figure out what this error actually is. I don't see a missing 'name' anywhere; at least while creating the transform there was no error.
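An added example, not part of the original post and not SailPoint tooling: a small Python linter that reads a CREATE provisioning policy together with the tenant transforms it references and flags the configuration points this thread turns on. The embedded JSON is a constructed, trimmed copy of the posted policy and transform (the other fields are omitted). The checks rest on the attribute names used elsewhere on this page (identityAttribute takes name), on the Username Generator documentation the thread links to (${uniqueCounter}, cloudMaxSize) and on the Velocity quoting fix given later in the thread. It calls no SailPoint API; the reference check only confirms that the name resolves within the set of transforms you hand it.

```python
"""Lint an ISC CREATE provisioning policy and the tenant transforms it references.

Checks (all taken from the discussion on this page):
  * identityAttribute transforms must carry a "name" attribute
  * a field with cloudMaxUniqueChecks needs ${uniqueCounter} in a pattern
  * cloudMaxSize should accompany a username generator
  * Velocity in a static transform must quote string literals ('Permanent')
  * reference transforms must resolve to a known tenant transform
"""
import json
import re

# Constructed, trimmed copy of the posted policy (other fields omitted).
POLICY_JSON = r'''{
  "name": "Account", "usageType": "CREATE",
  "fields": [
    {"name": "distinguishedName", "type": "usernameGenerator",
     "transform": {"type": "reference", "attributes": {"name": "Custom AD DN Generator"}},
     "attributes": {"cloudMaxUniqueChecks": "50", "cloudRequired": "true"}},
    {"name": "givenName", "type": "string",
     "transform": {"type": "identityAttribute", "attributes": {"name": "firstname"}},
     "attributes": {}}
  ]
}'''

# Constructed copy of the posted tenant transform, inner conditional as posted.
TRANSFORM_JSON = r'''{
  "name": "Custom AD DN Generator", "type": "usernameGenerator",
  "attributes": {
    "sourceCheck": true,
    "patterns": ["CN=$fn $ln,OU=$ou,OU=SOMEOU,DC=SOMEDC,DC=com"],
    "fn": {"type": "identityAttribute", "attributes": {"name": "firstname"}},
    "ln": {"type": "identityAttribute", "attributes": {"name": "lastname"}},
    "ou": {"type": "conditional", "name": "Decide OU",
           "attributes": {"expression": "$empType eq Permanent",
                          "positiveCondition": "EMPLOYEES",
                          "negativeCondition": "CONSULTANTS",
                          "empType": {"type": "identityAttribute",
                                      "attributes": {"attributeName": "employeetype"}}}}
  }
}'''

# "==Permanent": a bare word after == that is neither a $reference nor a quoted string.
BARE_WORD_CMP = re.compile(r"==\s*([A-Za-z_]\w*)(?![\w'\"$])")


def walk_transform(tf, path, field_attrs, tenant, findings, seen):
    """Recursively check one transform; nested transforms live in attribute values."""
    if not isinstance(tf, dict):
        return
    ttype, attrs = tf.get("type"), tf.get("attributes") or {}
    if ttype == "identityAttribute" and "name" not in attrs:
        findings.append(("error", path,
                         f"identityAttribute has no 'name' attribute (found {sorted(attrs)})"))
    elif ttype == "reference":
        ref = attrs.get("name")
        if ref not in tenant:
            findings.append(("error", path, f"reference to unknown tenant transform {ref!r}"))
        elif ref in seen:
            findings.append(("error", path, f"reference cycle through {ref!r}"))
        else:
            walk_transform(tenant[ref], f"{path} -> {ref}", field_attrs, tenant, findings, seen | {ref})
    elif ttype == "usernameGenerator":
        patterns = attrs.get("patterns") or []
        if "cloudMaxUniqueChecks" in field_attrs and not any("${uniqueCounter}" in p for p in patterns):
            findings.append(("error", path,
                             "cloudMaxUniqueChecks is set but no pattern contains ${uniqueCounter}"))
        if "cloudMaxSize" not in field_attrs and "cloudMaxSize" not in attrs:
            findings.append(("warn", path, "no cloudMaxSize alongside the username generator"))
    elif ttype == "static":
        for m in BARE_WORD_CMP.finditer(str(attrs.get("value", ""))):
            findings.append(("error", path,
                             f"Velocity compares against bare word {m.group(1)!r}; quote it: '{m.group(1)}'"))
    for key, val in attrs.items():  # nested transforms such as fn, ln, ou, empType
        if isinstance(val, dict) and "type" in val:
            walk_transform(val, f"{path}.{key}", field_attrs, tenant, findings, seen)


def lint_policy(policy, tenant):
    """Return (severity, path, message) tuples for every field transform in the policy."""
    findings = []
    for field in policy.get("fields", []):
        if field.get("transform") is not None:
            walk_transform(field["transform"], field["name"], field.get("attributes") or {},
                           tenant, findings, frozenset())
    return findings


def lint_posted_policy():
    tf = json.loads(TRANSFORM_JSON)
    return lint_policy(json.loads(POLICY_JSON), {tf["name"]: tf})


if __name__ == "__main__":
    for sev, path, msg in lint_posted_policy():
        print(f"[{sev}] {path}: {msg}")
```

Run against the posted configuration it reports two errors (no ${uniqueCounter} in the DN pattern, and the empType identityAttribute carrying attributeName instead of name) and one warning (no cloudMaxSize). Feed it a static transform whose Velocity compares against an unquoted word and it reports that too.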

Hi,

Did you upload the transform "Custom AD DN Generator" into the tenant and refer to it from there?

I don't think it will work like that. You need to include it in the create profile only.

Also, don't use a conditional transform; instead, use a Velocity script.

Let me know if it works.

-Abhinov

@pmaruwada try not using a reference transform; instead, use the account generator transform in the provisioning policy itself.

Hi @pmaruwada I suspect that message is being generated because you don’t appear to be mapping the CommonName attribute.

Now my provisioning policy is as follows (used a Velocity script and put the transform directly into the policy without referencing it):

{
    "name": "Account",
    "description": null,
    "usageType": "CREATE",
    "fields": [
        {
            "name": "ObjectType",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "User"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "distinguishedName",
            "transform": {
                "type": "usernameGenerator",
                "attributes": {
                    "sourceCheck": true,
                    "patterns": [
                        "CN=$fn $ln,OU=$ou,OU=SOMEOU,DC=SOMEDC,DC=com"
                    ],
                    "fn": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "firstname"
                        }
                    },
                    "ln": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "lastname"
                        }
                    },
                    "ou": {
                        "attributes": {
                            "empType": {
                                "attributes": {
                                    "name": "employeetype"
                                },
                                "type": "identityAttribute"
                            },
                            "value": "#if($empType==Permanent)EMPLOYEES#{else}CONSULTANTS#end"
                        },
                        "type": "static"
                    }
                }
            },
            "attributes": {
                "cloudMaxUniqueChecks": "50",
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "sAMAccountName",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Unique LDAP Attribute"
                }
            },
            "attributes": {
                "template": "$(firstname).$(lastname)$(uniqueCounter)",
                "cloudMaxUniqueChecks": "50",
                "cloudMaxSize": "20",
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "displayName",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "displayName"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "manager",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Get Manager LDAP DN"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "mail",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "password",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Password"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "secret",
            "isMultiValued": false
        },
        {
            "name": "givenName",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "sn",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "lastname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "pwdLastSet",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "false"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "IIQDisabled",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "false"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "primaryGroupDN",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": ""
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "description",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": ""
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "telephoneNumber",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "phone"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msNPAllowDialin",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "homeMDB",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "mailNickname",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "shadowAccountDN",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msExchHideFromAddressLists",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "SipAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "SipDomain",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "SipAddressType",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msNPCallingStationID",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msRADIUSCallbackNumber",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msRADIUSFramedRoute",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msRADIUSFramedIPAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "RegistrarPool",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "dNSHostName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msDS-SupportedEncryptionTypes",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msDS-ManagedPasswordInterval",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msDS-GroupMSAMembership",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "servicePrincipalName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
        {
            "name": "externalEmailAddress",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "userPrincipalName",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "title",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "department",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "employeeID",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "company",
            "transform": null,
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

I’m now getting a null error:

I have now added it to the mappings as follows:

I'm still getting the same error.

Something else to check: you only appear to have provided one pattern for generating a unique value, but you haven't included a uniqueCounter in that pattern. So you're asking ISC to generate a unique value but haven't given it any options. Try

CN=$fn $ln${uniqueCounter},OU=$ou,OU=SOMEOU,DC=SOMEDC,DC=com

Also, try including cloudMaxSize in the transform attributes. See Username Generator | SailPoint Developer Community

Lots of very good suggestions, and also, you might be missing some quote marks:

try this instead:

"value": "#if($empType == 'Permanent')EMPLOYEES#{else}CONSULTANTS#end"

This removed the null error, thank you so much!
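An added example that is not part of this thread and not SailPoint product code. In Python it reproduces what the final policy above computes (the quoted-literal Velocity branch that picks the OU, and the CN=$fn $ln${uniqueCounter} pattern suggested above) and adds two things a practitioner would want before this goes live. First, the CN value is escaped per RFC 4514: a first or last name containing a comma or an equals sign would otherwise terminate the CN and inject an extra OU component into the DN, which is exactly the kind of input that decides which container an account lands in. Second, the ${uniqueCounter} retry is simulated against a constructed set of existing DNs. The retry model (blank counter first, then 1, 2, ... up to cloudMaxUniqueChecks) is this example's assumption about how a generator should behave, not a description of how ISC implements the transform. It also makes the fail-open default of the OU branch visible: any employeetype that is not exactly 'Permanent', including an empty one, is placed under CONSULTANTS.

```python
"""Render the AD distinguishedName from the thread's final policy and exercise
two things the pattern string itself does not take care of: RDN escaping and
the ${uniqueCounter} retry loop."""
import re

BASE_DN = "OU=SOMEOU,DC=SOMEDC,DC=com"

# Constructed sample of DNs that already exist under the target tree.
EXISTING_DNS = {
    "CN=Jane Doe,OU=EMPLOYEES,OU=SOMEOU,DC=SOMEDC,DC=com",
    "CN=Jane Doe1,OU=EMPLOYEES,OU=SOMEOU,DC=SOMEDC,DC=com",
}


def decide_ou(emp_type):
    """Same branch as #if($empType == 'Permanent')EMPLOYEES#{else}CONSULTANTS#end.
    Anything that is not exactly 'Permanent' (None, '', 'permanent') goes to CONSULTANTS."""
    return "EMPLOYEES" if emp_type == "Permanent" else "CONSULTANTS"


def escape_rdn_value(value):
    """RFC 4514 escaping of an attribute value placed inside a DN: backslash the
    special characters, a leading '#' or space, a trailing space; hex-escape controls."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_dn(first, last, emp_type, counter="", escape=True):
    """CN=$fn $ln${uniqueCounter},OU=$ou,<base>; escape=False shows the raw substitution."""
    cn = f"{first} {last}{counter}"
    if escape:
        cn = escape_rdn_value(cn)
    return f"CN={cn},OU={decide_ou(emp_type)},{BASE_DN}"


def rdn_count(dn):
    """Number of RDNs in a DN: split on commas that are not escaped."""
    return len(re.split(r"(?<!\\),", dn))


def generate_unique_dn(first, last, emp_type, existing, max_unique_checks=50):
    """Assumed model of ${uniqueCounter}: blank on the first try, then 1, 2, ... until
    the DN is unused or max_unique_checks counter values have been tried."""
    taken = {d.lower() for d in existing}  # DN comparison in AD is case-insensitive
    for n in range(0, max_unique_checks + 1):
        candidate = render_dn(first, last, emp_type, "" if n == 0 else str(n))
        if candidate.lower() not in taken:
            return candidate
    raise ValueError(f"no unique DN for {first} {last} within {max_unique_checks} checks")


if __name__ == "__main__":
    print(generate_unique_dn("Jane", "Doe", "Permanent", EXISTING_DNS))
    # A surname carrying DN metacharacters: unescaped it injects an extra RDN.
    for esc in (False, True):
        dn = render_dn("Jane", "Doe,OU=EMPLOYEES", "Contractor", escape=esc)
        print(rdn_count(dn), dn)
```

With the constructed data the generator returns CN=Jane Doe2 under EMPLOYEES; the surname "Doe,OU=EMPLOYEES" yields a six-component DN when substituted raw and a five-component one once escaped, which is the difference between an account created where the pattern intended and one created somewhere else.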

