Generate sAMAccountName not populated in the AD attributes DN and CN

pkumar22 · April 4, 2024, 1:56pm

Hi

We have a rule to generate the sAMAccountName, which is working fine. However, the generated sAMAccountName needs to populate in DN, CN, and displayname, and I gave in the create profile ($sAMAccountName), and it is populated only displayname,

but cn I can see below screenshot it is populated, but it is not replicated on the AD side, it just populated lastname,firstname without sAMAccountName, and in the dn is directly populated ($sAMAccountName) as shown in the below screenshot.

Any idea why it is not populated for CN and DN?

Thanks.

jesvin90 · April 4, 2024, 2:02pm

Hi @pkumar22,

In the Create Account Profile, is your sAMAccountName placed above the DN attribute.?

If not, try keeping the highest priority for sAMAccountName and retry.

pkumar22 · April 4, 2024, 2:45pm

I forgot to mention in my post that I did move. The first place is sAMAccountName, the fifth place is DN, and the last place is CN.

still the same issue.

jesvin90 · April 4, 2024, 3:26pm

Hi @pkumar22,

How are you defining the distinguishedName in the create profile.?

Try doing a concat as below. This works for me in my tenant.

{
            "name": "distinguishedName",
            "transform": {
                "type": "concat",
                "attributes": {
                    "values": [
                        "CN=",
                        {
                            "attributes": {
                                "name": "cn"
                            },
                            "type": "identityAttribute"
                        },
                        "(",
                        {
                            "attributes": {
                                "value": "$sAMAccountName"
                            },
                            "type": "static"
                        },
                        ")",
                        ",",
                        {
                            "attributes": {
                                "name": "adOu"
                            },
                            "type": "identityAttribute"
                        }
                    ]
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },

pkumar22 · April 4, 2024, 5:01pm

I tried, and I can see it is generated CN=Workflowb,Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt, but it failed to provision: An invalid dn syntax has been specified.*

Failed to connect to the server for **Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt:An invalid dn syntax has been specified.** An invalid dn syntax has been specified. 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of: 'Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt' 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of: 'Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt' . HRESULT:[0x80072032]Failed to connect to the server for Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt:An invalid dn syntax has been specified. An invalid dn syntax has been specified. 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of: 'Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt' 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of: 'Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt' . HRESULT:[0x80072032]

jesvin90 · April 4, 2024, 6:15pm

Hi @pkumar22,

Looks like AD is not accepting the DN format. Is it the \, that is missing.?

CN=Workflowb\,Testflowb (workflte5),OU=ADTest,OU=Users and Groups,DC=xxx,DC=ad,DC=pvt

Else, try creating an account manually in AD with the same format and see if it throws similar error.

pkumar22 · April 5, 2024, 1:49am

this worked

{
	"name": "distinguishedName",
	"transform": {
		"attributes": {
			"values": [
				"CN=",
				{
					"attributes": {
						"name": "lastname"
					},
					"type": "identityAttribute"
				},
				"\\,",
				{
					"attributes": {
						"name": "firstname"
					},
					"type": "identityAttribute"
				},
				" (",
				{
					"attributes": {
						"value": "$sAMAccountName"
					},
					"type": "static"
				},
				")",
				",",
				{
					"attributes": {
						"name": "adOu"
					},
					"type": "identityAttribute"
				}
			]
		},
		"type": "concat"
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

system · June 4, 2024, 1:50am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to generate samAccountName via AttributeGenerator Rule ISC Discussion and Questions rules , identity-security-cloud , attributes	10	678	October 12, 2023
AD display name in entitlements, DN vs CN/sAMAccountName? ISC Discussion and Questions aggregation , identity-security-cloud	5	226	June 16, 2024
AD sAMAccountName Generator Rule ISC Discussion and Questions rules , identity-security-cloud , provisioning	7	95	November 1, 2024
Username Generator Transform on Multiple Attributes ISC Discussion and Questions transforms , rules , identity-security-cloud , provisioning	3	61	November 7, 2024
Active Directory Unique samAccountName ISC Discussion and Questions identity-security-cloud , provisioning	2	312	February 19, 2024

Generate sAMAccountName not populated in the AD attributes DN and CN

Related topics