IdentityNow - Active Directory - Setting AD account password in Create Account with transform

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi, I’m trying to set the first login password (with a password that complies with the domain password policy) in the create account directive related to the password attribute with the following transform (forcing the change password at next logon by also setting pwdLastSet=true)

{
            "name": "password",
            "transform": {
                "attributes": {
                    "costCenter": {
                        "attributes": {
                            "name": "identityAttribute1"
                        },
                        "type": "identityAttribute"
                    },
                    "identityType": {
                        "attributes": {
                            "name": "identityAttribute2"
                        },
                        "type": "identityAttribute"
                    },
                    "positionName": {
                        "attributes": {
                            "name": "identityAttribute3"
                        },
                        "type": "identityAttribute"
                    },
                    "value": "#if($identityAttribute2 == \"Something\"||$identityAttribute2== \"Something else\") blabla_$identityAttribute1 #else blablabla_$identityAttribute3 #end"
                },
                "type": "static"
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "secret",
            "isMultiValued": false
}

however, the passwords generated in this way turn out to be invalid if I try to access AD with an LDAP browser (error encountered: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c]).
If instead I set a static value (e.g. BcM3bxzSLSqcaKOMJ5bv) from the interface, I can access the account created via LDAP browser to AD with this value.
The password I try to generate with the transform seems to be unusable, while the one set statically and identical for all new accounts works, why? How can I resolve this? I need to use the logic indicated in the transform to generate the password.

Thanks in advance for your support.

Regards,
Paolo

2

in the “value”: you’ve placed undefined variables ‘$identityAttribute1’, ‘$identityAttribute2’ & ‘$identityAttribute3’, and have unused variables ‘costCentre’, ‘identityType’ & ‘positionName’.

Replace the ones in the “value”: with the ones you have defined

3

Suggestion would be first you create a transform with this logic and attach it to one of the identity attribute. Check if you are getting the designed value after replacing undefined variables as mentioned above.
I would also suggest to calculate another two variable with the values to return when if and else condition matches and use them in the value instead of directly returning blabla_$identityAttribute1 or blablabla_$identityAttribute3

4

Hello,
I suggest to try this transform first as an idenittyattribute, just to confirm that the password value is working correctly, it seems to be a semantic error.
Regards,
Pablo

5

Thanks, it solved :slight_smile: