Get Manager LDAP DN error

Hi! I am having an intermittent error when updating some identity managers (both the identity and its manager have accounts on AD). I just created an update provisioning policy. This works fine in several clients, but I am working in an environment where it fails for almost all identities (I could not identify differences between identities that work and identities that throw the error).

Message found on log is:

Error(s) reported back from IQService: failed to update attributes for identity CN=XXXX. The specified directory service attribute or value already exists.

The account has granular permissions: as they do not have an HML environment for a sandbox, they created an OU and gave us a service user that (theoretically) has full permission, but only in this base OU.

Any comment will be appreciated!

Hi @jsosa,

This issue would occur when you try to create or update accounts with non-unique values of email, sAMAccountName, SMTP, etc. In your case it's the identity manager.

Could you please check whether in your update provisioning policy you are also trying to update any attributes other than manager. Mostly it would be because of setting up duplicate values, e.g. email, UPN.

Thanks,
Prashant

1 Like

Hi Prashant, the provisioning policy only has the manager rule:

{
    "name": "Account Update",
    "description": null,
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "manager",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Get Manager LDAP DN"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Strange that it is working for at least 50% of identities. I would like to collect some evidence, which I cannot yet, but I guess that it could be some permissions issue with the service user.

Hi @jsosa,

So in that case the issue might be with the service account permissions. But as it's working for some identities, I would request you to check the IIQ trace for the failing ones.

The IIQ service makes an LDAP connection to the DC servers; kindly check whether you can see, when it's trying to modify the identity's manager, exactly what error is coming back during the transaction.

I hope this helps to figure out the root cause.

Thanks,
Prashant

Hi @jsosa -

In general, this error arises when a user or a system process attempts to modify attributes of an object in the directory service, such as Active Directory, and one or more of the modified attributes already exist.

In terms of ISC, you attached the update provisioning policy to update the user's manager details in AD whenever the user's manager gets updated in IDN.
Could you enable the IQService log at debug level to see what data is being passed for this attribute, to cross-verify whether the new value for manager is being sent to AD?

I would suggest creating DN and Manager DN identity attributes. Manager DN can use a reference transform to look up the manager’s DN value. That way, you can set manager on the Provisioning Policy to an identity attribute and sync it in the future if the manager changes.

Hi @jsosa,

I found this article here: Active Directory: Attribute Sync for the Manager Attribute - Identity Security Cloud (ISC) / ISC Show and Tell - SailPoint Developer Community, which I used for one of my customers.

And I think it's very simple for manager DN synchronisation.

Hi, I managed to find a solution. In my case, it was a permissions issue. Trying with a domain operator showed that the connector worked fine.

1 Like
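Prashant's suggestion to check the service account's permissions, and the final post confirming that permissions were the cause, both point at the same check: for each user in the base OU, does the service account actually hold write access on the manager attribute? The PowerShell below is an added example, not code from the thread or from SailPoint. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the service account name and base OU DN are placeholders to replace. It resolves the schemaIDGUID of manager from the schema, expands the service account's token groups, and reports per user which ACEs allow or deny the write, so that identities where the update would fail can be found without waiting for the next provisioning run.

```powershell
# Added example (not from the thread): audit whether a provisioning service account
# can write the 'manager' attribute on every user in a base OU.
Import-Module ActiveDirectory

# --- assumed values, replace with your own ---
$ServiceAccountSam = 'svc-sailpoint'
$BaseOu            = 'OU=SailPoint,DC=corp,DC=example'

# Resolve the schemaIDGUID of the 'manager' attribute from the schema partition
# instead of hard-coding a GUID.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$attr        = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=manager)' -Properties schemaIDGUID
$managerGuid = [guid]$attr.schemaIDGUID

# The service account's own SID plus every group SID in its token
# (tokenGroups is a constructed attribute and already includes nested groups).
$svc        = Get-ADUser -Identity $ServiceAccountSam -Properties tokenGroups
$principals = @($svc.SID.Value) + @($svc.tokenGroups | ForEach-Object { $_.Value })

# Rights that permit an LDAP modify of the attribute: WriteProperty scoped to
# 'manager', WriteProperty on all properties (empty ObjectType GUID), GenericWrite
# or GenericAll. ACEs granted through a property set (ObjectType = the set's GUID)
# are not matched here; treat that as a known gap of this check.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ManagerWriteAces {
    param([Parameter(Mandatory)][string]$UserDn)
    $acl = Get-Acl -Path ("AD:\" + $UserDn)
    # Request rules with SID identities so they compare directly against the token.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            ($principals -contains $_.IdentityReference.Value) -and
            ($_.ObjectType -eq $managerGuid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
        }
}

# One row per user: how many matching Allow/Deny ACEs, whether inheritance is
# blocked, and adminCount (AdminSDHolder-protected users carry their own DACL).
Get-ADUser -SearchBase $BaseOu -Filter * -Properties adminCount | ForEach-Object {
    $aces  = @(Get-ManagerWriteAces -UserDn $_.DistinguishedName)
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    $acl   = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
    [pscustomobject]@{
        User               = $_.SamAccountName
        AdminCount         = $_.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Allow              = $allow.Count
        Deny               = $deny.Count
        # Simplification: a Deny anywhere is treated as blocking; real evaluation
        # orders explicit before inherited ACEs, so confirm borderline cases manually.
        LikelyCanWrite     = ($allow.Count -gt 0 -and $deny.Count -eq 0)
    }
} | Format-Table -AutoSize
```

Run it as an account that can read the DACLs in the OU (reading is not the same as the service account's own rights). Rows with LikelyCanWrite false are the ones to compare against the failing identities in the IIQ trace; InheritanceBlocked true or AdminCount 1 on only some users is a common reason the same delegated OU permission works for half the population and not the rest.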

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.