I’m getting an error during creation of an AD account. There are different OUs in AD, and the account object needs to be created based on a given city-to-OU mapping. I am using a lookup transform on the primaryGroupDN account attribute to derive the OU, then the generator “Create Unique Account ID” with the pattern “CN=$(lastname)\, $(firstname)$(uniqueCounter),$(primaryGroupDN)” to derive the final DN value.
Error:
An unexpected error occurred: The application script threw an exception: java.lang.RuntimeException: java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:UniqueAccountIdValidator: Calling getObject for objectType 'account' using id 'CN=Erickson\, Christopher,' and options '{cloudConfigOverrides={aggregateTimeout=30, disablePooling=true, timeout=30}}' on source 'AD FHR Test [source]'. Exception: sailpoint.connector.ConnectorException: [ InvalidConfigurationException ]
[ Error details ] Required string attribute 'User' is not defined.It must have a valid value. BSF info: Create Unique Account ID at line: 0 column: columnNo
Custom transform to calculate the primaryGroupDN is:
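The lookup-then-pattern flow described in the question, as an added example in Python (not SailPoint's transform engine, and not code from the original post): it models the city-to-OU table with a hypothetical "default" entry, renders the DN pattern with RFC 4514 escaping of the CN value, and refuses to emit a DN whose OU part is empty. That empty-OU shape is what the id quoted in the error has: 'CN=Erickson\, Christopher,' ends in a bare comma with nothing after it, which is consistent with primaryGroupDN resolving to an empty value. City names and OU DNs below are constructed.

```python
from typing import Optional

# Constructed mapping, in the spirit of a lookup transform table.
# Keys are the city values on the identity; values are the target OU DNs.
# The "default" entry is a hypothetical catch-all so that an unmapped city
# never yields an empty OU.
CITY_TO_OU = {
    "Chicago": "OU=Chicago,OU=Users,DC=example,DC=com",
    "Denver": "OU=Denver,OU=Users,DC=example,DC=com",
    "default": "OU=Unassigned,OU=Users,DC=example,DC=com",
}

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIAL = '\\,+"<>;='


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514.

    Special characters get a backslash; a leading '#', a leading space and a
    trailing space are escaped as well.
    """
    out = [("\\" + ch) if ch in _DN_SPECIAL else ch for ch in value]
    if value.startswith("#"):
        out[0] = "\\#"
    if value.startswith(" "):
        out[0] = "\\ "
    if value.endswith(" "):
        out[-1] = "\\ "
    return "".join(out)


def lookup_ou(city: Optional[str]) -> Optional[str]:
    """Resolve the OU for a city; fall back to 'default'; None if neither exists."""
    if city and city in CITY_TO_OU:
        return CITY_TO_OU[city]
    return CITY_TO_OU.get("default")


def build_account_dn(lastname: str, firstname: str, city: Optional[str],
                     unique_counter: str = "") -> str:
    """Render CN=$(lastname)\\, $(firstname)$(uniqueCounter),$(primaryGroupDN).

    Fails closed: a missing OU raises instead of producing a DN that ends in
    an empty RDN, which is what the connector would otherwise be asked to create.
    """
    ou = lookup_ou(city)
    if not ou:
        raise ValueError(
            f"no OU mapped for city {city!r}; refusing to build a DN with an empty primaryGroupDN"
        )
    cn = escape_rdn_value(f"{lastname}, {firstname}{unique_counter}")
    return f"CN={cn},{ou}"


def ends_with_empty_rdn(dn: str) -> bool:
    """True when the DN ends in an unescaped comma, i.e. its last RDN is empty.

    Useful as a pre-provisioning sanity check on a generated DN.
    """
    if not dn.endswith(","):
        return False
    # Count the backslashes immediately before the comma; an odd count means
    # the comma itself is escaped and is part of the preceding value.
    n = 0
    i = len(dn) - 2
    while i >= 0 and dn[i] == "\\":
        n += 1
        i -= 1
    return n % 2 == 0


if __name__ == "__main__":
    print(build_account_dn("Erickson", "Christopher", "Denver"))
    print(ends_with_empty_rdn("CN=Erickson\\, Christopher,"))
```

The `ends_with_empty_rdn` check is the part worth keeping around: run it over the DN a transform produces before the create request goes out, and an empty lookup result surfaces as a clear validation failure rather than as an opaque connector exception.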
Just to avoid any generic issue which might have been overlooked, have you tried creating an account in a static OU for the time being and then performing the lookup transform based OU calculation?
And are you setting the objectClass in the provisioning policy? The error log that you have shared does point to a specific attribute, calling it 'User'.
Because I think you have to declare the objectClass when the AD account is being created, as quoted below:
Mandatory AD user object attributes
Every object has a set of mandatory and optional attributes. The values for the mandatory attributes are required for the successful creation of the object, and cannot be empty. For example, the mandatory attributes for a user object are:
cn: The distinguished name of the user object that is used to uniquely identify this object in the AD network
ObjectCategory: This is a single value property that contains the distinguished name of either the object class this user object belongs to, or the distinguished name of one of its superclasses.
Objectclass: The distinguished name of the object class that this user object belongs to.
sAMAccountName: The pre-Windows 2000 logon name of the object. This is a naming attribute that is also used to identify this user object in the network uniquely.