Ping LDAP ou change

Hi All,

We have a requirement to move the ou for Ping LDAP, for which we have written the rule below, but the rule throws LDAP error 20 (value already present, cannot create). Has anyone faced this issue before?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="Ping LDAP Attribute Update" type="BeforeProvisioning">
  <Description>Describe your rule here.</Description>
  <Source><![CDATA[


  import java.text.SimpleDateFormat;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.naming.ldap.Rdn;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;



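      /**
       * Adds the modify-DN attribute requests that move a Ping LDAP account into the
       * terminated-users container when the user is inactive (leave of absence etc.,
       * except termination).
       *
       * The RDN is derived from the identity's "lbusername" attribute and escaped with
       * javax.naming.ldap.Rdn, so a value containing DN metacharacters (',', '+', '=' ...)
       * cannot change the shape of the resulting DN.
       *
       * @param adAcctRequest Ping LDAP AccountRequest to extend
       * @return the same AccountRequest with "newRDN", "newSuperior" and "deleteOldRDN"
       *         AttributeRequests added; returned unchanged when the plan's identity or
       *         its "lbusername" attribute is missing
       */
public AccountRequest disableAccount(AccountRequest adAcctRequest)
{
    log.info("Entering pingldap BeforeProvisioningRule: disableAccount method");
    // 'plan' is the rule-context variable supplied to a BeforeProvisioning rule.
    Identity identity = plan.getIdentity();
    if (null == identity) {
        // Checked before the attribute is read; the previous order dereferenced
        // identity first and would have thrown an NPE instead of logging.
        log.error("Identity is null in plan");
    } else {
        Object rdnAttr = identity.getAttribute("lbusername");
        if (null == rdnAttr || Util.isNullOrEmpty(rdnAttr.toString())) {
            // Without a username the RDN would have been "cn=null"; skip the move instead.
            log.error("lbusername is empty for identity: " + identity.getName());
        } else {
            String newRdnValue = "cn=" + Rdn.escapeValue(rdnAttr.toString());
            String newSuperiorValue = "ou=TermedUsers,ou=Vault,o=comp"; // Example new parent OU DN
            log.info("newrdn value: " + newRdnValue);
            // NOTE(review): these three requests only move the entry if the connector maps
            // them to a modify-DN operation; if it applies them as ordinary attribute
            // modifications the directory may reject them — confirm against the connector.
            adAcctRequest.add(new AttributeRequest("newRDN", ProvisioningPlan.Operation.Set, newRdnValue));
            adAcctRequest.add(new AttributeRequest("newSuperior", ProvisioningPlan.Operation.Set, newSuperiorValue));
            adAcctRequest.add(new AttributeRequest("deleteOldRDN", ProvisioningPlan.Operation.Set, true));
        }
    }
    log.info("Exiting PingLDAP BeforeProvisioningRule: disableAccount method");
    return adAcctRequest;
}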
  
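      /**
       * Adds the modify-DN attribute requests that move a Ping LDAP account back into the
       * active-users container when the user returns to work.
       *
       * The RDN is derived from the identity's "samaccount" attribute and escaped with
       * javax.naming.ldap.Rdn, so a value containing DN metacharacters cannot change the
       * shape of the resulting DN.
       *
       * NOTE(review): disableAccount derives the RDN from "lbusername" while this method
       * uses "samaccount"; if the two attributes can differ, a disable/enable cycle renames
       * the entry — confirm this is intended.
       *
       * @param adAcctRequest Ping LDAP AccountRequest to extend
       * @return the same AccountRequest with "newRDN", "newSuperior" and "deleteOldRDN"
       *         AttributeRequests added; returned unchanged when the plan's identity or
       *         its "samaccount" attribute is missing
       */
public AccountRequest enableAccount(AccountRequest adAcctRequest){
  log.info("Entering PingLDAP BeforeProvisioningRule: enableAccount method");
  // 'plan' is the rule-context variable supplied to a BeforeProvisioning rule.
  Identity identity = plan.getIdentity();
  if (null == identity) {
    // Checked before the attribute is read; the previous order dereferenced
    // identity first and would have thrown an NPE instead of logging.
    log.error("Identity is null in plan");
  } else {
    Object rdnAttr = identity.getAttribute("samaccount");
    if (null == rdnAttr || Util.isNullOrEmpty(rdnAttr.toString())) {
      // Without a username the RDN would have been "cn=null"; skip the move instead.
      log.error("samaccount is empty for identity: " + identity.getName());
    } else {
      String newRdnValue = "cn=" + Rdn.escapeValue(rdnAttr.toString());
      String newSuperiorValue = "ou=ActiveUsers,ou=sample,o=com"; // Example new parent OU DN
      log.info("newrdn value: " + newRdnValue);
      // NOTE(review): these three requests only move the entry if the connector maps
      // them to a modify-DN operation — confirm against the connector.
      adAcctRequest.add(new AttributeRequest("newRDN", ProvisioningPlan.Operation.Set, newRdnValue));
      adAcctRequest.add(new AttributeRequest("newSuperior", ProvisioningPlan.Operation.Set, newSuperiorValue));
      adAcctRequest.add(new AttributeRequest("deleteOldRDN", ProvisioningPlan.Operation.Set, true));
    }
  }
  log.info("Exiting  BeforeProvisioningRule: enableAccount method");
  return adAcctRequest;
}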
  
  /*
   * Start of the rule's script body. The helper methods above are defined first so
   * the statements below can call them.
   * NOTE(review): a stale header here described an "accountExpires" update; no such
   * method exists in this rule.
   */

log.info("Entering Ping LDAP BeforeProvisioningRule");

/**
 * Tells whether an application name belongs to the Ping applications this rule handles.
 * The comparison is a prefix match (String.startsWith), so any name that merely begins
 * with an approved entry is accepted as well.
 *
 * @param appName application name taken from an AccountRequest; must not be null
 * @return true when appName starts with one of the approved application names
 */
public boolean isApprovedApp(String appName){

    log.info("entering isApprovedApp method");

    // Approved application names; raw types are kept to match the rest of this rule.
    List approvedApps = new ArrayList();
    approvedApps.add("comp PingDirectory QA");

    boolean result = false;
    // Stop at the first prefix that matches.
    for (int i = 0; !result && i < approvedApps.size(); i++) {
        result = appName.startsWith((String) approvedApps.get(i));
    }

    log.info("exiting isApprovedApp method.  reult: " + result);

    return result;
}

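// Main rule body. 'plan' and 'log' are the rule-context variables supplied to a
// BeforeProvisioning rule; the helper methods above are called from here.
if (null != plan)
{
  // Get identity from plan and evaluate its lifecycle state against each account request
  if (null != plan.getIdentity())
  {
    Identity identity = plan.getIdentity();
    List accRequests = plan.getAccountRequests();

    if (null != accRequests && !accRequests.isEmpty())
    {
      for (AccountRequest acctRequest : accRequests)
      {
        String appName = acctRequest.getApplication();
        if (null == appName || !isApprovedApp(appName))
        {
          // Logged only for requests outside the approved list; previously this
          // message was emitted for every request, including approved ones.
          log.info("PingLDAP_dev: appName " + appName + " is not in list of approved apps");
          continue;
        }

        // acctRequest is an element of the plan's own list, so attribute requests
        // added to it modify the plan in place; no copy is needed.
        AccountRequest adAcctRequest = acctRequest;
        if (null == adAcctRequest.getOperation())
        {
          log.error("Account Request is null for Ping Ldap: "+identity.getName());
          continue;
        }

        String cloudLifecycleState = (String)identity.getAttribute("cloudLifecycleState");
        if (Util.isNullOrEmpty(cloudLifecycleState))
        {
          log.debug("lifeCycle status is null for identity: "+identity.getName());
          continue;
        }

        AccountRequest.Operation op = adAcctRequest.getOperation();
        if ("active".equalsIgnoreCase(cloudLifecycleState) && op.equals(ProvisioningPlan.AccountRequest.Operation.Enable))
        {
          adAcctRequest = enableAccount(adAcctRequest);
          // NOTE(review): only this branch stops after the first match; the disable and
          // delete branches keep scanning the remaining requests — confirm intended.
          break;
        }
        else if ("terminate".equalsIgnoreCase(cloudLifecycleState) && op.equals(ProvisioningPlan.AccountRequest.Operation.Disable))
        {
          // disable the account and move the OU
          adAcctRequest = disableAccount(adAcctRequest);
        }
        else if ("delete".equalsIgnoreCase(cloudLifecycleState) && op.equals(ProvisioningPlan.AccountRequest.Operation.Enable))
        {
          // converting the accountRequest to Delete: an Enable arriving for an identity in
          // the "delete" lifecycle state is turned into a Delete of the account
          adAcctRequest.setOperation(AccountRequest.Operation.Delete);
        }
      }
    }
  }
  else
  {
    log.error("Identity is null");
  }
}
else
{
  log.error("provisioning plan is null for Ping LDAP");
}

log.info("Exiting Ping LDAP BeforeProvisioningRule");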

  
]]></Source>
</Rule>

Hello Shantanu,

Doesn’t look like there is any issue with the code logic.
Just on the one point you raised: you could try rearranging the attribute requests so that the one clearing the attribute value, “deleteOldRDN”, comes before the others in the accountRequest. When this executes at the target, clearing the attribute value before setting a new value for “newRDN” might work.

Regards,
Ankit Sharma

@Ankit_PwC
Sure Ankit, we will try to give that a shot. Thanks for your reply.