Getting error during account creation for AD

Hi Team,

I’m getting an error during creation of an AD account. There are different OUs in AD, and the account object needs to be created based on a given city-to-OU mapping. I am using a lookup transform on the primaryGroupDN account attribute to derive the OU, then the “Create Unique Account ID” generator with the pattern “CN=$(lastname)\, $(firstname)$(uniqueCounter),$(primaryGroupDN)” to derive the final DN value.

Error :

An unexpected error occurred: The application script threw an exception: java.lang.RuntimeException: java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:UniqueAccountIdValidator: Calling getObject for objectType 'account' using id 'CN=Erickson\, Christopher,' and options '{cloudConfigOverrides={aggregateTimeout=30, disablePooling=true, timeout=30}}' on source 'AD FHR Test [source]'. Exception: sailpoint.connector.ConnectorException: [ InvalidConfigurationException ] 
 [ Error details ] Required string attribute 'User' is not defined.It must have a valid value. BSF info: Create Unique Account ID at line: 0 column: columnNo

The custom transform that calculates primaryGroupDN is:

{
    "name": "primaryGroupDN",
    "transform": {
        "attributes": {
            "input": {
                "attributes": {
                    "name": "city"
                },
                "type": "identityAttribute"
            },
            "table": {
                "Wichita": "OU=Users,OU=Accounts,OU=XX22,DC=ad,,DC=net",
                "default": "OU=Human Users,DC=ad,,DC=net",
                "Rosemount": "OU=Users,OU=Accounts,OU=XX,DC=ad,,DC=net"
            }
        },
        "type": "lookup"
    },
    "attributes": {},
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

Just to rule out any generic issue that might have been overlooked: have you tried creating an account in a static OU for the time being, and then performing the lookup-transform-based OU calculation?

Yes, with a static OU it is working.

And are you setting the objectClass in the provisioning policy? The error log you shared does point to a specific attribute, calling it User.

I think you have to declare the objectClass when an AD account is being created, as quoted below:

Mandatory AD user object attributes

Every object has a set of mandatory and optional attributes. The values for the mandatory attributes are required for the successful creation of the object, and cannot be empty. For example, the mandatory attributes for a user object are:

  • cn: The distinguished name of the user object that is used to uniquely identify this object in the AD network
  • ObjectCategory: This is a single value property that contains the distinguished name of either the object class this user object belongs to, or the distinguished name of one of its superclasses.
  • Objectclass: The distinguished name of the object class that this user object belongs to.
  • sAMAccountName: The pre-Windows 2000 logon name of the object. This is a naming attribute that is also used to identify this user object in the network uniquely.

I think the unique counter might be a problem.


This is what the documentation says about it.


I do have the “User” object in the create provisioning policy.

"name": "Account",
"description": null,
"usageType": "CREATE",
"fields": [
    {
        "name": "ObjectType",
        "transform": {
            "type": "static",
            "attributes": {
                "value": "User"
            }
        },
        "attributes": {
            "cloudRequired": "true"
        },
        "isRequired": false,
        "type": "string",
        "isMultiValued": false
    },

Moved the DN mapping in the uniqueCounter pattern to the end. Still the same error.

I see the counter is still not at the end. I’d suggest generating the CN first with the generator, with the counter at the end, and then adding the DN part.

Try something like this:

{
  "attributes": {
    "cloudMaxSize": "200",
    "cloudMaxUniqueChecks": "10", 
    "cloudRequired": "true"
  },
  "isRequired": false,
  "multi": false,
  "name": "distinguishedName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "sourceCheck": true,
      "patterns": [
        "CN=$fn $ln,OU=$ou,DC=example,DC=com",
        "CN=$fn.$mi $ln${uniqueCounter},OU=$ou,DC=example,DC=com"
      ],
      "fn": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      "ln": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      },
      "mi": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "middlename"
            }
          },
          "begin": 0,
          "end": 1
        }
      },
      "ou": {
        "type": "lookup",
        "attributes": {
          "table": {
            "New York": "NY",
            "Los Angeles": "CA", 
            "Chicago": "IL",
            "Houston": "TX",
            "default": "Other"
          },
          "input": {
            "type": "accountAttribute",
            "attributes": {
              "attributeName": "city",
              "sourceName": "Source Name"
            }
          }
        }
      }
    }
  },
  "type": ""
}

It’s just a sample from my notes, but I hope it’s helpful.


Hi @bhuvi_kpmg,

I think you are confusing the Create Unique Account ID generator with the Username Generator transform.

For the Username Generator transform you are trying, below is the related document.

Here is the transform you should use inside your create account profile:

{
    "name": "distinguishedName",
    "transform": {
        "type": "usernameGenerator",
        "attributes": {
            "sourceCheck": true,
            "patterns": [
                "CN=$lastname\\, $firstname${uniqueCounter},$primaryGroupDN"
            ],
            "firstname": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstname"
                }
            },
            "lastname": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "lastname"
                }
            },
            "primaryGroupDN": {
                "type": "lookup",
                "attributes": {
                    "input": {
                        "attributes": {
                            "name": "city"
                        },
                        "type": "identityAttribute"
                    },
                    "table": {
                        "Wichita": "OU=Users,OU=Accounts,OU=XX22,DC=ad,,DC=net",
                        "default": "OU=Human Users,DC=ad,,DC=net",
                        "Rosemount": "OU=Users,OU=Accounts,OU=XX,DC=ad,,DC=net"
                    }
                }
            }
        }
    },
    "attributes": {
        "cloudMaxUniqueChecks": "5",
        "cloudMaxSize": "100",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "",
    "isMultiValued": false
}

You don’t need to select any pattern in the UI; after updating the account profile, the UI will show up like this:

Try it out and let me know how it goes.

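As an added example that is not SailPoint code and not from any post in this thread, the following Python script simulates what the usernameGenerator transform in the two answers above does with a CN pattern, the city-to-OU lookup and ${uniqueCounter}: it escapes the comma in "Erickson, Christopher" per RFC 4514, refuses to build the truncated "CN=Erickson\, Christopher," that the validator in the original error could not look up (the OU had resolved empty), and stops once cloudMaxUniqueChecks candidates were found in the source. Everything in it is an assumption made for illustration: the counter starting at 1 and incrementing by one, the sourceCheck modelled as a set of DNs already present in the source, the placeholder DC components in the OU table, and the function names.

```python
"""Offline simulation of a usernameGenerator-style DN pattern with ${uniqueCounter}.
Added example, not SailPoint's implementation; counter start value, source check
and OU table are assumptions made for illustration."""
import re
from typing import Dict, Iterable, List, Optional

# RFC 4514: these characters must be backslash-escaped inside an RDN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN value (the CN) so 'Erickson, Christopher' does not split the DN."""
    out = []
    for i, ch in enumerate(value):
        if (ch in _DN_SPECIAL
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, len(value) - 1))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


# Constructed city-to-OU table with the same shape as the lookup transform in the thread;
# the DC components are placeholders, not the poster's redacted values.
OU_BY_CITY: Dict[str, str] = {
    "Wichita": "OU=Users,OU=Accounts,OU=XX22,DC=ad,DC=example,DC=net",
    "Rosemount": "OU=Users,OU=Accounts,OU=XX,DC=ad,DC=example,DC=net",
    "default": "OU=Human Users,DC=ad,DC=example,DC=net",
}


def lookup_ou(city: Optional[str]) -> str:
    """Lookup-transform semantics: exact key match, otherwise the 'default' entry."""
    return OU_BY_CITY.get(city or "", OU_BY_CITY["default"])


_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def render(pattern: str, values: Dict[str, object]) -> str:
    """Substitute $name / ${name} placeholders the way a generator pattern is expanded."""
    def sub(match):
        name = match.group(1) or match.group(2)
        if name not in values:
            raise KeyError(f"pattern variable '{name}' has no value")
        return str(values[name])
    return _VAR.sub(sub, pattern)


def build_dn(cn_value: str, ou: str) -> str:
    """Assemble CN=<escaped cn>,<ou>. An empty OU is refused: that is what produced the
    truncated 'CN=Erickson\\, Christopher,' the validator could not look up."""
    if not ou or not ou.strip():
        raise ValueError("OU resolved to an empty value; refusing to build a truncated DN")
    return f"CN={escape_dn_value(cn_value)},{ou}"


def generate_dn(identity: Dict[str, str], cn_patterns: List[str],
                existing_dns: Iterable[str], max_unique_checks: int = 5,
                max_size: int = 100) -> str:
    """Try each CN pattern in order; a pattern containing uniqueCounter is retried with
    1, 2, 3, ... (assumed start value). Returns the first DN absent from the source and
    fails once max_unique_checks (cloudMaxUniqueChecks) candidates have been rejected."""
    taken = {dn.lower() for dn in existing_dns}  # AD compares DNs case-insensitively
    ou = lookup_ou(identity.get("city"))
    checks = 0
    for pattern in cn_patterns:
        uses_counter = "uniqueCounter" in pattern
        counter = 1
        while True:
            values: Dict[str, object] = dict(identity)
            values["uniqueCounter"] = counter if uses_counter else ""
            dn = build_dn(render(pattern, values), ou)
            if len(dn) > max_size:
                raise ValueError(f"candidate exceeds cloudMaxSize={max_size}: {dn}")
            checks += 1
            if dn.lower() not in taken:
                return dn
            if checks >= max_unique_checks:
                raise RuntimeError(f"no unique DN after {max_unique_checks} source checks")
            if not uses_counter:
                break  # a counter-less pattern has only one candidate
            counter += 1
    raise RuntimeError("all patterns exhausted without a unique DN")


if __name__ == "__main__":
    # Constructed sample: 'Christopher1' is already in the source, so the counter moves on.
    existing = ["CN=Erickson\\, Christopher1,OU=Users,OU=Accounts,OU=XX22,DC=ad,DC=example,DC=net"]
    who = {"firstname": "Christopher", "lastname": "Erickson", "city": "Wichita"}
    print(generate_dn(who, ["$lastname, $firstname${uniqueCounter}"], existing))
```

The CN value is escaped after the pattern is expanded rather than by writing "\\," into the pattern, so a surname containing a comma, plus sign or quote is handled the same way; keeping the counter inside the CN and appending the OU afterwards is the ordering both answers recommend.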

This worked, thanks a lot Joseph.