Problem with aggregation in my creation access in Active Directory

When finishing the aggregation of my identities, they have to receive access to AD, but the message in the screenshot appears:
trackingId: 635e0ec9fa004d5390d4ec69d2d8099a java.lang.RuntimeException: sailpoint.tools.GeneralException: The application script threw an exception: java.lang.IllegalStateException: Unable to generate a unique value for Source[AD - GDS - Guilherme Gomes [source]] Field [sAMAccountName] after 50 retries. BSF info: Create Unique LDAP Attribute at line: 0 column: columnNo

To receive access to AD, the identity must have a lifecycle equal to active.

Has anyone had this problem?

Hi @guilherme_sec

Please share your rule code which is used to generate unique sAMAccountName and provision code logic.

Configuration of the source “AD - GDS - Guilherme Gomes”: try to provide as much info as you can.

{
  "name": "Account",
  "description": null,
  "usageType": "CREATE",
  "fields": [
    {
      "name": "ObjectType",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "User"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "distinguishedName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "CN=$(displayName)$(uniqueCounter),OU=usuarios,DC=teste,DC=local",
        "cloudMaxUniqueChecks": "50",
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "sAMAccountName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(firstname) $(middleName) $(lastname)",
        "cloudMaxUniqueChecks": "50",
        "cloudMaxSize": "20",
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "displayName",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "displayName"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "manager",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Get Manager LDAP DN"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mail",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(firstname).$(lastname)@sec4you.lab"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "password",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Password"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "secret",
      "isMultiValued": false
    },
    {
      "name": "givenName",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "sn",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "pwdLastSet",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "false"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "IIQDisabled",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "false"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "primaryGroupDN",
      "transform": {
        "type": "static",
        "attributes": {
          "value": ""
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "description",
      "transform": {
        "type": "static",
        "attributes": {
          "value": ""
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "telephoneNumber",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "phone"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msNPAllowDialin",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "homeMDB",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mailNickname",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "shadowAccountDN",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "SipAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "SipDomain",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "SipAddressType",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msNPCallingStationID",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msRADIUSCallbackNumber",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msRADIUSFramedRoute",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msRADIUSFramedIPAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "RegistrarPool",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "dNSHostName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msDS-SupportedEncryptionTypes",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msDS-ManagedPasswordInterval",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msDS-GroupMSAMembership",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "servicePrincipalName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "externalEmailAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "userPrincipalName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "title",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(jobTitle)"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "department",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "employeeID",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "company",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "GDS TI"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

Your original problematic JSON:

Problematic section: spaces in the sAMAccountName template. Your template "template": "$(firstname) $(middleName) $(lastname)" will produce sAMAccountName values with spaces.

{
  "name": "sAMAccountName",
  "transform": {
    "type": "rule",
    "attributes": {
      "name": "Create Unique LDAP Attribute"
    }
  },
  "attributes": {
    "template": "$(firstname) $(middleName) $(lastname)",
    "cloudMaxUniqueChecks": "50",
    "cloudMaxSize": "20",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Hi @guilherme_sec,

Looks like you have missed adding the unique counter in the samAccount template.

Try something like this and see if it works:

"template": "$(firstname)$(middleName)$(lastname)$(uniqueCounter)"
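
The failure discussed in this thread, as an added example (not SailPoint's rule code and not posted by any participant): a simplified Python model of a retry-until-unique generator, plus a check for unique-rule templates that cannot change between retries. The function names, the sample identity and the set of taken names are constructed, and rendering $(uniqueCounter) as empty on the first attempt is an assumption of the model.

```python
import re

UNIQUE_RULE = "Create Unique LDAP Attribute"

def render(template, identity, counter):
    # Model assumption: $(uniqueCounter) renders empty on the first attempt.
    values = dict(identity, uniqueCounter=str(counter) if counter else "")
    return re.sub(r"\$\((\w+)\)", lambda m: values.get(m.group(1), ""), template)

def generate_unique(template, identity, taken, max_checks):
    """Re-render the template until the value is not already in `taken`."""
    for attempt in range(max_checks):
        candidate = render(template, identity, attempt)
        if candidate.lower() not in taken:
            return candidate
    raise RuntimeError(f"Unable to generate a unique value after {max_checks} retries")

def lint_field(field):
    """Flag unique-rule templates that cannot vary between retries."""
    transform = field.get("transform") or {}
    attrs = field.get("attributes") or {}
    template = attrs.get("template", "")
    findings = []
    if transform.get("attributes", {}).get("name") != UNIQUE_RULE:
        return findings
    if "cloudMaxUniqueChecks" in attrs and "$(uniqueCounter)" not in template:
        findings.append("no $(uniqueCounter): every retry renders the same value")
    if field["name"] == "sAMAccountName" and " " in template:
        findings.append("template contains spaces")
    return findings

# Two fields abridged from the create profile posted in this thread.
SAM = {"name": "sAMAccountName", "transform": {"attributes": {"name": UNIQUE_RULE}},
       "attributes": {"template": "$(firstname) $(middleName) $(lastname)",
                      "cloudMaxUniqueChecks": "50"}}
DN = {"name": "distinguishedName", "transform": {"attributes": {"name": UNIQUE_RULE}},
      "attributes": {"template": "CN=$(displayName)$(uniqueCounter),OU=usuarios,DC=teste,DC=local",
                     "cloudMaxUniqueChecks": "50"}}

# Constructed identity and constructed set of names already present in AD.
IDENTITY = {"firstname": "ana", "middleName": "m", "lastname": "silva"}
TAKEN = {"ana m silva", "anamsilva"}
FIXED = "$(firstname)$(middleName)$(lastname)$(uniqueCounter)"  # template suggested above

def demo(template):
    try:
        return generate_unique(template, IDENTITY, TAKEN, 50)
    except RuntimeError as exc:
        return str(exc)
```

With the original template every attempt renders the same string, so the loop exhausts its 50 checks as soon as one account already holds that name; with the counter in the template the second attempt succeeds.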

Hello

I managed to finish here, thank you.