Provisioning Active Directory account (Account Creation) using a rule

Hello Community,

I am trying to create a user account in Active Directory using a rule in IdentityIQ.
I identify a user by their name, in this case, “Test ADuser” and proceed to create a provisioning plan tailored to this user. This plan encompasses the specification of various attributes and their corresponding values for the new user account. I construct attributes like the Common Name (cn), Distinguished Name (dn), sAMAccountName, userPrincipalName (UPN), email (mail), password, first name, last name, and display name. Furthermore, I assign the user to a specific group (“memberOf”).

Here is a snippet of the code:

import java.util.ArrayList;
import java.util.List;

import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;

SailPointContext ctx = SailPointFactory.getCurrentContext();
if (ctx == null) {
    throw new GeneralException("Unable to get sailpoint context.");
}

// Look up the identity the AD account is created for
String identityName = "Test.ADuser";
Identity identity = ctx.getObjectByName(Identity.class, identityName);

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

AccountRequest accReq = new AccountRequest();
accReq.setApplication("AD");

String firstName = (String) identity.getAttribute("firstname");
String lastName = (String) identity.getAttribute("lastname");

System.out.println("Debugging: firstName = " + firstName);
System.out.println("Debugging: lastName = " + lastName);

String displayName = (String) identity.getAttribute("displayName");

// Account-level operation: create a new account on the AD application
accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Create);
List attrbReqList = new ArrayList();

AttributeRequest attrReqCN = new AttributeRequest("cn", Operation.Set, displayName);
attrbReqList.add(attrReqCN);

// The DN is sent as an ordinary attribute request
String dn = "CN=" + displayName + ",OU=users,OU=sailpoint_test,OU=chicken,DC=chicken,DC=local";
AttributeRequest attrReqDN = new AttributeRequest("distinguishedName", Operation.Set, dn);
attrbReqList.add(attrReqDN);

String sAMAccountName = firstName + "." + lastName;
System.out.println("Debugging: sAMAccountName = " + sAMAccountName);
AttributeRequest attrsAMA = new AttributeRequest("sAMAccountName", Operation.Set, sAMAccountName);
attrbReqList.add(attrsAMA);

When I run the rule, I don’t receive any error in the Object Browser. I checked the Tomcat stdout logs, and the provisioning plan was executed successfully despite a message related to the “DistinguishedName” attribute, but no user account was created in Active Directory.

Here is the error in the log file:

Debugging: firstName = Testad
Debugging: lastName = Sailpoint
Debugging: DN = CN=Testad Sailpoint,OU=Users,OU=SailPoint_Test,OU=chicken,DC=chicken,DC=LOCAL
Debugging: sAMAccountName = Testad.Sailpoint
Debugging: upn = [email protected]
plan: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
  <AccountRequest application="AD" op="Create">
    <AttributeRequest name="cn" op="Set" value="Testad Sailpoint"/>
    <AttributeRequest name="distinguishedName" op="Set" value="CN=Testad Sailpoint,OU=Users,OU=SailPoint_Test,OU=chicken,DC=chicken,DC=LOCAL"/>
    <AttributeRequest name="sAMAccountName" op="Set" value="Testad.Sailpoint"/>
    <AttributeRequest name="userPrincipalName" op="Set" value="[email protected]"/>
    <AttributeRequest name="mail" op="Set" value="[email protected]"/>
    <AttributeRequest name="password" op="Set" value="Chicken@123"/>
    <AttributeRequest name="givenName" op="Set" value="Testad"/>
    <AttributeRequest name="sn" op="Set" value="Sailpoint"/>
    <AttributeRequest name="displayName" op="Set" value="Testad Sailpoint"/>
    <AttributeRequest name="memberOf" op="Add" value="CN=SailPoint_Test_gr,OU=SailPoint_Test,OU=chicken,DC=chicken,DC=LOCAL"/>
  </AccountRequest>
</ProvisioningPlan>

2023-10-19T15:55:51,947 ERROR QuartzScheduler_Worker-3 sailpoint.connector.RPCService:554 - Exception occurred while executing the RPCRequest: Errors returned from IQService. "Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : . HRESULT:[0x80131500]"
sailpoint.tools.GeneralException: Errors returned from IQService. "Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : . HRESULT:[0x80131500]"

I don’t see your provisioner code; however, as per your log, the plan is looking good.

Can you cross-check whether the test DN you generated in code is valid in your AD?


It looks like there is a mismatch between distinguishedName as provided and the DistinguishedName from the error.
What if you do the same test with:

AttributeRequest attrReqDN = new AttributeRequest("DistinguishedName", Operation.Set, dn);

Capital D for 'DistinguishedName'.

– Remold


@Moben
What is the application-level Native Identity? Is that mapped correctly? Is it distinguishedName?
Also, with this “CN=Testad Sailpoint,OU=Users,OU=SailPoint_Test,OU=chicken,DC=chicken,DC=LOCAL”, are you able to create the account in AD directly, to make sure you have the right DN and format?


I added the nativeIdentity attribute in the AccountRequest, and now the script is working as expected. Thank you guys for all the ideas.

accReq.setNativeIdentity(dn);

That's great! Yeah, we should set nativeIdentity also.
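
The fix reached in this thread, as an added example that is not part of the original posts: a Python check over the serialized plan XML (the form printed in the log above) that flags Create requests with no nativeIdentity and masks the password value before the plan is logged. The sample plan, its values and the function names are constructed for illustration, and the DN test is only a comma/equals heuristic, not a full DN parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the plan shape from the thread's log, trimmed, placeholder values.
PLAN_WITHOUT_NATIVE_ID = """<ProvisioningPlan>
  <AccountRequest application="AD" op="Create">
    <AttributeRequest name="distinguishedName" op="Set" value="CN=Testad Sailpoint,OU=Users,DC=example,DC=local"/>
    <AttributeRequest name="sAMAccountName" op="Set" value="Testad.Sailpoint"/>
    <AttributeRequest name="password" op="Set" value="placeholder-secret"/>
  </AccountRequest>
</ProvisioningPlan>"""

SENSITIVE = {"password"}  # assumption: attribute names to mask before logging


def check_plan(xml_text):
    """Return findings for Create requests whose nativeIdentity is unusable."""
    findings = []
    for req in ET.fromstring(xml_text).iter("AccountRequest"):
        if req.get("op") != "Create":
            continue
        app = req.get("application")
        native = (req.get("nativeIdentity") or "").strip()
        if not native:
            findings.append(f"{app}: Create request has no nativeIdentity")
        elif "," not in native or "=" not in native:
            findings.append(f"{app}: nativeIdentity {native!r} is not a DN")
        dn_attr = next((a.get("value", "") for a in req.iter("AttributeRequest")
                        if a.get("name", "").lower() == "distinguishedname"), None)
        if native and dn_attr is not None and dn_attr.lower() != native.lower():
            findings.append(f"{app}: distinguishedName differs from nativeIdentity")
    return findings


def redact_plan(xml_text):
    """Return the plan XML with sensitive attribute values masked, for logging."""
    root = ET.fromstring(xml_text)
    for attr in root.iter("AttributeRequest"):
        if attr.get("name", "").lower() in SENSITIVE:
            attr.set("value", "********")
    return ET.tostring(root, encoding="unicode")


def with_native_identity(xml_text, dn):
    """Mirror accReq.setNativeIdentity(dn) on every Create request (demo helper)."""
    root = ET.fromstring(xml_text)
    for req in root.iter("AccountRequest"):
        if req.get("op") == "Create":
            req.set("nativeIdentity", dn)
    return ET.tostring(root, encoding="unicode")
```
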
