Issues on Provisioning All Attributes to AD

Hi.
We are having issues provisioning all the attributes to Active Directory. The following are the warnings and errors we found from the search API (accountactivities).

"warnings": [
  "Account created but failed to modify : Failed to update attributes for identity \"distinguishedName\". The requested operation did not satisfy one or more constraints associated with the class of the object.\n"
]

In the Account Requests, we notice the following warning and error:

"result": {
  "warnings": [
    "Account created but failed to modify : Failed to update attributes for identity \"distinguishedName\". The requested operation did not satisfy one or more constraints associated with the class of the object.\n"
  ],
  "errors": [
    "Account created but some attributes are not updated properly."
  ],
  "status": "committed"
},

Please advise. Thank you!

Hi Jo,
Thank you for your post. This error comes when we are trying to set values which are not permitted on the AD side. For example, middleName, which is Initials, has a limit on the number of characters we can send.

Could you please check on the above? Also, are you populating manager in the AD in the correct format?

Thanks

3 Likes

Hi @sjoyee, I believe the error is related to the character limit for one or more of the AD attributes that you are trying to provision while creating an AD account.

Refer to the AD documentation (All Attributes - Win32 apps | Microsoft Learn) for character limit information, and then compare it with the attribute values that you are sending from IDN to AD for the affected users. I think you will get the answer there.
Additionally, if you have pre-prod AD access, then you can try manually updating the attribute which you think might be causing the issue just to confirm.

All the best!

2 Likes

Hi Rakesh. Thank you for the input! The error is the number of characters passed in the AD attribute to be provisioned. It works when we remove this attribute.

However, this attribute is needed for us to retrieve and put as value in the static field.
For example, distinguishedName = $abc,$bcd, but $bcd (retrieved from an identity attribute) has too many characters. Is there any way for us to filter out $bcd from being provisioned to AD, or another way to create a pattern using a combination of attributes in the plan and identity attributes?

It seems that we found a way to do this. Everything is working as expected now. Thank you!

AD After Create/Modify Values - IdentityNow (IDN) / Discussion and Questions - SailPoint Developer Community Forum

Great. We also wrote the below for the distinguished name, if you want to see the pattern.

{
  "attributes": {
    "cloudMaxSize": "100",
    "cloudMaxUniqueChecks": "5",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "multi": false,
  "name": "distinguishedName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "sourceCheck": true,
      "patterns": [
        "CN=$fi$ln,$ou",
        "CN=$fn$ln,$ou",
        "CN=$fn$mi$ln,$ou",
        "CN=$fn$mi$ln${uniqueCounter},$ou"
      ],
      "fn": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstNameLower"
        }
      },
      "ln": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastNameLower"
        }
      },
      "ou": {
        "type": "identityAttribute",
        "attributes": {
          "name": "ou"
        }
      },
      "fi": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "firstNameLower"
            }
          },
          "begin": 0,
          "end": 1
        }
      },
      "mi": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "middleNameLower"
            }
          },
          "begin": 0,
          "end": 1
        }
      }
    }
  }
}

2 Likes
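
A pre-flight check for the length limits discussed in this thread, added here as an example; it is not code from the posters or from SailPoint. The limits table, the simplified `render` substitution and the sample identity are assumptions or constructed values; the patterns and the limit of 5 unique checks are taken from the transform above.

```python
import re

# Length ceilings (rangeUpper) for a few AD attributes. Assumption: default schema
# values; confirm them against the "All Attributes" reference for your forest.
AD_MAX_LEN = {"cn": 64, "initials": 6, "givenName": 64, "sn": 64}

# Patterns copied from the transform posted in the thread.
PATTERNS = ["CN=$fi$ln,$ou", "CN=$fn$ln,$ou", "CN=$fn$mi$ln,$ou",
            "CN=$fn$mi$ln${uniqueCounter},$ou"]

def over_limit(attrs):
    """Return (name, length, limit) for each value longer than AD allows."""
    return [(k, len(v), AD_MAX_LEN[k]) for k, v in attrs.items()
            if k in AD_MAX_LEN and len(v) > AD_MAX_LEN[k]]

def render(pattern, values):
    """Simplified stand-in for the generator: substitute $name and ${name} tokens."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: values.get(m.group(1), ""), pattern)

def pick_dn(identity, taken=(), max_checks=5):
    """First pattern whose CN fits the limit and whose DN is not already taken."""
    first, middle = identity["firstNameLower"], identity.get("middleNameLower", "")
    values = {"fn": first, "ln": identity["lastNameLower"], "ou": identity["ou"],
              "fi": first[:1], "mi": middle[:1]}  # same substring(0, 1) as the transform
    for pattern in PATTERNS:
        counters = range(1, max_checks + 1) if "uniqueCounter" in pattern else [""]
        for n in counters:
            dn = render(pattern, dict(values, uniqueCounter=str(n)))
            cn = dn[3:dn.index(",")]  # assumes the name parts contain no commas
            if not over_limit({"cn": cn}) and dn not in taken:
                return dn
    return None  # nothing fits: fix the source data instead of provisioning

# Constructed sample identity (not from the thread).
SAMPLE = {"firstNameLower": "alexandria", "middleNameLower": "marguerite",
          "lastNameLower": "x" * 60, "ou": "OU=Staff,DC=example,DC=com"}

if __name__ == "__main__":
    print(over_limit({"initials": SAMPLE["middleNameLower"]}))      # full middle name
    print(over_limit({"initials": SAMPLE["middleNameLower"][:1]}))  # first letter only
    print(pick_dn(SAMPLE))
```

Running the same check over the affected identities before the create plan is sent shows which attribute trips the constraint, rather than finding out from a committed account with missing attributes.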

Hi Rakesh,

Noted on this. It is really useful information for us, thank you!
