User Account Creation Issue in AD


Hi,


Issue summary: The CN of a user account created in AD from the IDM side is
getting renamed, while the SamAccountName remains unchanged.

For example: User CN in IDM -> admFirstName.LastName
User CN in AD -> FirstName LastName
SamAccountName in AD -> admFirstName.LastName

Key points
- The user is created by using a workflow, and some default roles are
assigned at the time of creation.
- The user is initially created with the correct naming convention, both in
IDM and in AD.
- After some time, with a modify event from the AD driver, the user CN in the
AD system gets renamed. The AD log snippet is shown below:

[05/10/16 02:55:43.172]:AD ST:Submitting document to subscriber shim:
[05/10/16 02:55:43.173]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.5">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="user" event-id="Active Directory Driver##15499732cd1##0"
            from-merge="true" qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <modify-attr attr-name="dirxml-uACAccountDisable">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="memberOf">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="nrfMemberOf">
        <remove-all-values/>
        <add-value>
          <value timestamp="1462863213#67" type="dn">\yyy\1022-ROL-PPRVACT-PRD</value>
          <value timestamp="1462863214#3" type="dn">\yyy\1012_ROL_GlobApp_PRD</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="displayName">
        <remove-all-values/>
        <add-value>
          <value timestamp="1462863213#42" type="string">Snow01 White01</value>
        </add-value>
      </modify-attr>
    </modify>
    <modify-password class-name="user" event-id="pwd-subscribe"
            qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <password><!-- content suppressed --></password>
      <operation-data>
        <password-subscribe-status>
          <association>e1d77789b87b794ca4274327d57a3cbc</association>
        </password-subscribe-status>
      </operation-data>
    </modify-password>
    <rename class-name="user" event-id="Active Directory Driver##15499732cd1##0"
            qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <new-name>Snow01 White01</new-name>
    </rename>
  </input>
</nds>



Can someone help me identify the cause of this and handle such a case?


Thanks in advance!


--
neha_gupta
------------------------------------------------------------------------
neha_gupta's Profile: https://forums.netiq.com/member.php?userid=1249
View this thread: https://forums.netiq.com/showthread.php?t=55839

  • neha gupta wrote:

    >
    >
    > Issue summary: The CN of a user account created in AD from the IDM side
    > is getting renamed, while the SamAccountName remains unchanged.
    >
    > For example: User CN in IDM -> admFirstName.LastName
    > User CN in AD -> FirstName LastName
    > SamAccountName in AD -> admFirstName.LastName
    >


    I would strongly suggest that you don't allow dynamic change of the
    SamAccountName after creation. It can be done, but it is unfortunately
    relatively common that badly written applications cache SamAccountName
    (rather than objectSID or objectGUID) and break when the SamAccountName
    is changed on a user.

    > Key points
    > - The user is created by using a workflow, and some default roles are
    > assigned at the time of creation.
    > - The user is initially created with the correct naming convention, both
    > in IDM and in AD.
    > - After some time, with a modify event from the AD driver, the user CN in
    > the AD system gets renamed. The AD log snippet is shown below:
    >


    You need to provide an engine-side trace of the entire transaction (at
    trace level 3).

    > Can someone help me to identify the cause for this and handle such
    > case?


    Are you using the standard AD packages/policies?

  • Hi Alex,

    As requested, I am sharing the trace level 3 logs for the AD driver for a
    user creation transaction.

    Please let me know your views on the same.

    Thanks!


    ----------------------------------------------------------------------
    |Filename: AD Driver Log_10052016.zip |
    |Download: https://forums.netiq.com/attachment.php?attachmentid=443 |
    ----------------------------------------------------------------------


  • neha gupta wrote:

    >
    > Hi Alex,
    >
    > As requested, I am sharing the trace level 3 logs for the AD driver for
    > a user creation transaction.
    >
    > Please let me know your views on the same.



    That was a level 2 trace. Not level 3.
    I specifically requested a level 3 trace as it is only at this level
    where you see the required detail for debugging this type of problem.

    At a guess, your problem is that your driver filter is configured
    incorrectly and you have some attributes that should be subscriber
    notify but are instead incorrectly set to subscriber sync.

    1. Group Membership
    2. nrfMemberOf

    I suggest you look at those as a starting point.

    If you still have problems please post a level 3 trace of driver
    startup and of the problematic transaction.
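Two things in the trace from the first post are worth pulling out mechanically before reading a full level 3 trace: the `<rename>` carries the same association as the preceding `<modify>`, and its `<new-name>` ("Snow01 White01") is exactly the value that the `<modify>` adds to `displayName`; and the same `<modify>` clears `memberOf` and `nrfMemberOf` with `<remove-all-values/>`, which is the kind of subscriber-side traffic Alex's filter hypothesis (sync instead of notify) would produce. The script below is an added example for this thread, not code from NetIQ or from either poster. It parses the `<nds>` document of the shape posted above (re-typed here as a constructed sample, with the password already suppressed in the original) and reports, for every rename, which modified attribute supplied the new name, plus which watched attributes were cleared. It only reports what is in the document; which policy turns the attribute change into a rename is a question for the engine-side trace.

```python
"""Correlate events in a DirXML (NetIQ IDM) AD-driver trace document.

Added example for this forum thread, not NetIQ code. SAMPLE_TRACE is a
constructed copy of the <nds> document from the first post.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Raw string: the DN values contain backslashes that must survive verbatim.
SAMPLE_TRACE = r"""<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.5">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="user" event-id="Active Directory Driver##15499732cd1##0"
            from-merge="true" qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <modify-attr attr-name="dirxml-uACAccountDisable"><remove-all-values/></modify-attr>
      <modify-attr attr-name="memberOf"><remove-all-values/></modify-attr>
      <modify-attr attr-name="nrfMemberOf">
        <remove-all-values/>
        <add-value>
          <value timestamp="1462863213#67" type="dn">\yyy\1022-ROL-PPRVACT-PRD</value>
          <value timestamp="1462863214#3" type="dn">\yyy\1012_ROL_GlobApp_PRD</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="displayName">
        <remove-all-values/>
        <add-value><value timestamp="1462863213#42" type="string">Snow01 White01</value></add-value>
      </modify-attr>
    </modify>
    <modify-password class-name="user" event-id="pwd-subscribe"
            qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <password><!-- content suppressed --></password>
    </modify-password>
    <rename class-name="user" event-id="Active Directory Driver##15499732cd1##0"
            qualified-src-dn="O=xxx\CN=admSnow01.White01"
            src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <new-name>Snow01 White01</new-name>
    </rename>
  </input>
</nds>"""


def subscriber_events(xml_text):
    """Return the child elements of <input> (modify, modify-password, rename, ...) in order."""
    return list(ET.fromstring(xml_text).find("input"))


def modified_attrs(modify_el):
    """Map attr-name -> {'removed_all': bool, 'added': [values]} for one <modify>."""
    out = {}
    for ma in modify_el.findall("modify-attr"):
        out[ma.get("attr-name")] = {
            "removed_all": ma.find("remove-all-values") is not None,
            "added": [v.text.strip() for v in ma.findall("add-value/value") if v.text],
        }
    return out


def correlate_renames(xml_text):
    """For each <rename>, list attributes whose newly added value equals <new-name>
    on the same object (matched by <association>) within the same document."""
    mods = defaultdict(dict)
    renames = []
    for ev in subscriber_events(xml_text):
        assoc = ev.findtext("association")
        if ev.tag == "modify":
            mods[assoc].update(modified_attrs(ev))
        elif ev.tag == "rename":
            renames.append((assoc, ev))
    report = []
    for assoc, ev in renames:
        new_name = (ev.findtext("new-name") or "").strip()
        culprits = sorted(a for a, info in mods[assoc].items() if new_name in info["added"])
        report.append({"src_dn": ev.get("src-dn"), "new_name": new_name, "from_attrs": culprits})
    return report


def cleared_attrs(xml_text, watch=("memberOf", "nrfMemberOf")):
    """Watched attributes that a <modify> wipes with <remove-all-values/>; on the
    subscriber channel that is what a filter set to sync (not notify) sends."""
    hits = []
    for ev in subscriber_events(xml_text):
        if ev.tag == "modify":
            for name, info in modified_attrs(ev).items():
                if name in watch and info["removed_all"]:
                    hits.append(name)
    return hits


if __name__ == "__main__":
    for r in correlate_renames(SAMPLE_TRACE):
        print(f"rename of {r['src_dn']} to {r['new_name']!r} matches attrs {r['from_attrs']}")
    print("watched attrs cleared:", cleared_attrs(SAMPLE_TRACE))
```

Run against the posted document it reports one rename whose new name matches only `displayName`, and `memberOf` and `nrfMemberOf` as cleared. To use it on a real trace, cut the `<nds>...</nds>` document out of the "Submitting document to subscriber shim" block (the `[timestamp]:AD ST:` prefixes are not XML and must be stripped first) and pass it to the two functions.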