Runtime Exception for Role - unable to find attribute memberOf in 'account' schema for application Active Directory Direct

Hello,

We use IIQ 8.4 p1. I have started noticing the below error recently.
The entitlements (AD group names) in the IT role are good. Can you advise what is causing this issue?

java.lang.RuntimeException: For role ‘Active Directory Direct@general_user’ profile, unable to find attribute memberOf in ‘account’ schema for application Active Directory Direct
at sailpoint.service.bundle.BundleProfileRelationUtil.copyManagedAttributeFields(BundleProfileRelationUtil.java:274)
at sailpoint.service.bundle.BundleProfileRelationUtil.addDirectProfile(BundleProfileRelationUtil.java:219)
at sailpoint.service.bundle.BundleProfileRelationUtil.addDirectProfiles(BundleProfileRelationUtil.java:188)
at sailpoint.service.bundle.BundleProfileRelationUtil.populateRelations(BundleProfileRelationUtil.java:124)
at sailpoint.service.bundle.BundleProfileRelationUtil.addRequiredRoles(BundleProfileRelationUtil.java:159)
at sailpoint.service.bundle.BundleProfileRelationUtil.populateRelations(BundleProfileRelationUtil.java:126)
at sailpoint.service.bundle.BundleProfileRelationUtil.getBundleRelations(BundleProfileRelationUtil.java:86)
at sailpoint.service.bundle.BundleProfileRelationUtil.getRelatedBundleRelationsIds(BundleProfileRelationUtil.java:604)
at sailpoint.service.bundle.BundleProfileRelationUtil.lambda$getRelatedBundleProfiles$2(BundleProfileRelationUtil.java:476)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at sailpoint.service.bundle.BundleProfileRelationUtil.getRelatedBundleProfiles(BundleProfileRelationUtil.java:471)
at sailpoint.service.bundle.BundleProfileRelationUtil.preProcessBundleProfileRelationsForRebuild(BundleProfileRelationUtil.java:447)


Check the application schema to see if this attribute, memberOf, is present or not.

Hello Sunny,

The memberOf attribute is present in the schema already. I did check the DN in the IT role entitlement and that is also correct.

Hi @ramthetribo,

Is this issue also reproducible if you create new IT roles with AD entitlements?

Thanks,
Pallavi

Hi @ramthetribo,
Please check that the attribute name is correctly spelled and matches the case exactly as defined in the schema. Attribute names are case-sensitive, and any mismatch can cause issues.

Thank you!
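The schema and case check suggested in the replies above can be run offline against exported XML. This is an added example, not part of the original thread and not SailPoint code; the element layout, the role name and the group DN in the samples are constructed assumptions modelled on debug-page exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (assumed layout, not taken from the thread).
APP_XML = """<Application name="Active Directory Direct"><Schemas>
  <Schema objectType="account">
    <AttributeDefinition name="sAMAccountName" type="string"/>
    <AttributeDefinition name="memberOf" type="string" entitlement="true" multi="true"/>
  </Schema>
  <Schema objectType="group"><AttributeDefinition name="cn" type="string"/></Schema>
</Schemas></Application>"""

ROLE_XML = """<Bundle name="Sample IT Role" type="it"><Profiles><Profile>
  <ApplicationRef><Reference class="sailpoint.object.Application" name="Active Directory Direct"/></ApplicationRef>
  <Constraints><Filter operation="CONTAINS_ALL" property="memberof">
    <Value><List><String>CN=Sample Group,OU=Groups,DC=example,DC=com</String></List></Value>
  </Filter></Constraints>
</Profile></Profiles></Bundle>"""


def account_attributes(app_xml):
    """Return (application name, attribute names of the 'account' schema only)."""
    app = ET.fromstring(app_xml)
    names = set()
    for schema in app.iter("Schema"):
        if schema.get("objectType") == "account":
            names.update(a.get("name") for a in schema.iter("AttributeDefinition"))
    return app.get("name"), names


def check_role(role_xml, app_xml):
    """List (property, reason) for profile filters that do not match the account schema."""
    app_name, attrs = account_attributes(app_xml)
    by_lower = {a.lower(): a for a in attrs}
    findings = []
    for profile in ET.fromstring(role_xml).iter("Profile"):
        ref = profile.find("ApplicationRef/Reference")
        if ref is None or ref.get("name") != app_name:
            continue  # profile belongs to a different application
        for flt in profile.iter("Filter"):  # also reaches nested filters
            prop = flt.get("property")
            if prop is None or prop in attrs:
                continue  # exact, case-sensitive match
            hit = by_lower.get(prop.lower())
            findings.append((prop, f"case mismatch with {hit}" if hit else "not in account schema"))
    return findings


if __name__ == "__main__":
    print(check_role(ROLE_XML, APP_XML))
```

An empty list means every filter property in the role's profiles for that application matches an account-schema attribute exactly.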

Yes, it happens with new IT roles too.

Hi Abhishek,

Yes, names and case sensitivity are the same.

Hi @ramthetribo,

Could you share the application and role XML files?
How are you creating the role—through the UI or the debug page?

And how about request-based access provisioning? In that case, is the memberOf attribute getting updated with the newly added group details? If that piece is working, then there is some issue with the role definition.

Thanks,
Pallavi

Hello Pallavi, access requests are working fine. IIQ is adding users to AD groups as defined in the IT role.

Hey @ramthetribo, is this issue resolved? We’re facing a similar issue for a few IT roles in 8.4p1; the error is only coming for roles that have a proxy application (Cloud Gateway) to connect to the actual Active Directory.
Appreciate all inputs, thanks!

No, it's not resolved yet. Errors still show up even though all works fine as expected.

Any update on this, anyone?
Did you raise a ticket with the SailPoint team?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.