Unable to generate samAccountName via AttributeGenerator Rule

rajeshs · August 1, 2023, 11:47am

I have written the below AttributeGenerator Rule to create samAccountName during AD account provisioning. I dont see the attribute getting generated. What could be the issue?

	public String generateUsername(String fName, String lName, String mI) {
    	String samAccName = "";
		String modSamAccName = "";
        	
			if((mI == null) || "".equals(mI))
				mI = "x";
				
	if((fName == null) || (lName == null)){ 
	
		return null;
		}
		
	else if((fName != null) && (lName != null)){	
	
		  if(lName.length()>=6)
			samAccName = (fName.substring(0,1)+mI.substring(0,1)+lName.substring(0,6)).toLowerCase();
		  else
			samAccName = (fName.substring(0,1)+mI.substring(0,1)+lName.substring(0,lName.length())).toLowerCase();		
		}
		samAccName = samAccName.replaceAll("[^a-zA-Z0-9]", "");
		modSamAccName = samAccName;
		
		for(int i=2;modSamAccName !="" && modSamAccName != null;i++)
		{
			boolean samAccExistsAD = false;
		
			samAccExistsAD = isUniqueInAD(modSamAccName);
			
			if(!samAccExistsAD)
			 break;		
			else
			{
				modSamAccName = samAccName;
				if(modSamAccName.length() == 8)
				{
					modSamAccName = samAccName.substring(0,7)+ i ;					
				}
				if(modSamAccName.length() < 8)
				{	
					modSamAccName = samAccName.substring(0,samAccName.length())+ i ;					
				}				
			}
		}
		
		return modSamAccName;
	}
		
		

	
    //Check Active Directory for uniqueness
	public boolean isUniqueInAD ( String samAccName) {
      
      if( samAccName != null ) {
        LDAPConnectorService ldap = ServiceModule.getService( LDAPConnectorService.class );
        String generated = null;
        Field field = new Field();
        field.setName( "sAMAccountName" );
        field.setAttribute( "template", samAccName );
        field.setAttribute( "cloudToUpperCase", false );
        field.setType( "String" );
        field.setAttribute( "cloudMaxUniqueChecks", 1 );
        try {
        generated = ldap.generateUniqueLDAPAttribute( context, application, identity, field, null );
		}
		catch(Exception e) {
		// Account found, need to generate second attempt
		}
    
        //if generation failed or a new sAMAccountName string was created via uniqueness counter, return false
        if( generated == null ) {
          return false;
        } else if ( !generated.equals( samAccName ) ) {
          return false;
        } else {
          return true;
        }
      } else {
        return false;
      }
    } 
	
    String fName=identity.getFirstname();
    String lName=identity.getLastname();
	String mI=(String)identity.getAttribute("middleInitial");
 	

    return generateUsername(fName, lName, mI);

iamnithesh · August 1, 2023, 12:33pm

Can you look at the following part…

modSamAccName = samAccName;
for(int i=2;modSamAccName !="" && modSamAccName != null;i++){
   ............
}

Would the loop ending condition ever be true?

Also, does this comparison work in Java?
modSamAccName != ""

sharvari · August 1, 2023, 12:44pm

Did you get any particular error?

dheerajk27 · August 1, 2023, 2:14pm

This block is giving me result, not sure about

this block as i am not able to create connection with LDAP.

What is the error you are getting?

rajeshs · August 1, 2023, 2:23pm

Yes the loop condition is returning true value.

rajeshs · August 1, 2023, 2:29pm

I don’t see any error on the UI (Identity’s Activity Tab) .

If I pass a static value for saMAccountName in “Create Account” I can see that AD account getting created for the user.

I don’t have access to the CCG logs.
Can you let me know the best practice to test this rule in IdentityNow ?

dheerajk27 · August 2, 2023, 1:49am

HI Rajesh,

Please check if this helps:

https://developer.sailpoint.com/idn/docs/rules/

sharvari · August 2, 2023, 9:20am

I usually test my code locally first by hard coding the identity attributes and having the isUnique function return a true/false randomly to test all the possible combinations. This helps ensure the basic java code for generating a unique id is working. While deploying it mostly what changes is the isUnique function.

I haven’t used the generateUniqueLDAPAttribute function but i’ve used countIdentitiesBySearchableIdentityAttribute Or
attrSearchCountAccounts from IDNRuleUtil class within the isUnique function to verify attribute uniqueness.

You can check their usage here: Using IDNRuleUtil as a Wrapper for Common Rule Operations - Compass

Try to avoid null checks directly, instead try to use StringUtils.isNotBlank(“attr”) or just initialize your variable to some static text and use accordingly. In catch block you can set generated = “failed” and then use that for evaluation instead of relying on null.

rajeshs · August 12, 2023, 6:07pm

Hi Everyone,
Thank you for your response. I was able to rewrite the code logic and was able to fix the issue.

dheerajk27 · August 13, 2023, 8:59am

Hi @rajeshs ,

Good to know that you have been able to resolve this issue, please fill free to close this topic.

system · October 12, 2023, 9:00am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
UserName Generator Issue ISC Discussion and Questions identity-security-cloud	3	554	April 13, 2024
Unable to generate incremental samAccountName in AttributeGenerator Rule ISC Discussion and Questions identity-security-cloud , provisioning , attributes	6	609	May 7, 2024
sAMAccount Attribute Generator rule ISC Discussion and Questions rules , identity-security-cloud , provisioning	7	65	October 31, 2025
sAMAccountName Generator ISC Discussion and Questions	15	4560	July 19, 2023
Unable to generate incremental samAccountName in AttributeGenerator Rule ISC Discussion and Questions rules , identity-security-cloud , provisioning , connectors	9	526	June 9, 2024

Unable to generate samAccountName via AttributeGenerator Rule

Related topics