
User Account Creation Issue in AD


Hi,


Issue Summary: The CN of a user account created in AD from the IDM side is
getting renamed while the SamAccountName remains unchanged.

For example: User CN in IDM -> admFirstName.LastName
User CN in AD -> FirstName LastName
SamAccountName in AD -> admFirstName.LastName

Key points
- The user is created using a workflow, and some default roles are assigned
at the time of creation.
- The user is created with the correct naming convention initially, both in
IDM and AD.
- After some time, with a modify event from the AD driver, the user CN on the
AD side gets renamed. The AD log snippet is shown below:

[05/10/16 02:55:43.172]:AD ST:Submitting document to subscriber shim:
[05/10/16 02:55:43.173]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.5">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="user" event-id="Active Directory Driver##15499732cd1##0" from-merge="true"
            qualified-src-dn="O=xxx\CN=admSnow01.White01" src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <modify-attr attr-name="dirxml-uACAccountDisable">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="memberOf">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="nrfMemberOf">
        <remove-all-values/>
        <add-value>
          <value timestamp="1462863213#67" type="dn">\yyy\1022-ROL-PPRVACT-PRD</value>
          <value timestamp="1462863214#3" type="dn">\yyy\1012_ROL_GlobApp_PRD</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="displayName">
        <remove-all-values/>
        <add-value>
          <value timestamp="1462863213#42" type="string">Snow01 White01</value>
        </add-value>
      </modify-attr>
    </modify>
    <modify-password class-name="user" event-id="pwd-subscribe"
                     qualified-src-dn="O=xxx\CN=admSnow01.White01" src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <password><!-- content suppressed --></password>
      <operation-data>
        <password-subscribe-status>
          <association>e1d77789b87b794ca4274327d57a3cbc</association>
        </password-subscribe-status>
      </operation-data>
    </modify-password>
    <rename class-name="user" event-id="Active Directory Driver##15499732cd1##0"
            qualified-src-dn="O=xxx\CN=admSnow01.White01" src-dn="xxx\admSnow01.White01" src-entry-id="116527">
      <association>e1d77789b87b794ca4274327d57a3cbc</association>
      <new-name>Snow01 White01</new-name>
    </rename>
  </input>
</nds>



Can someone help me identify the cause of this and handle such a case?


Thanks in advance!


--
neha_gupta
------------------------------------------------------------------------
neha_gupta's Profile: https://forums.netiq.com/member.php?userid=1249
View this thread: https://forums.netiq.com/showthread.php?t=55839


Re: User Account Creation Issue in AD

neha gupta wrote:

>
>
> Issue Summary: The CN of a user account created in AD from the IDM side
> is getting renamed while the SamAccountName remains unchanged.
>
> For example: User CN in IDM -> admFirstName.LastName
> User CN in AD -> FirstName LastName
> SamAccountName in AD -> admFirstName.LastName
>


I would strongly suggest that you don't allow dynamic change of the
SamAccountName after creation. It can be done, but it is unfortunately
relatively common that badly written applications cache SamAccountName
(rather than objectSID or objectGUID) and break when the SamAccountName
is changed on a user.

> Key points
> - The user is created using a workflow, and some default roles are
> assigned at the time of creation.
> - The user is created with the correct naming convention initially, both in
> IDM and AD.
> - After some time, with a modify event from the AD driver, the user CN on
> the AD side gets renamed. The AD log snippet is shown below:
>


You need to provide an engine-side trace of the entire transaction (at
trace level 3).

> Can someone help me identify the cause of this and handle such a
> case?


Are you using the standard AD packages/policies?

Re: User Account Creation Issue in AD


Hi Alex,

As requested, I am sharing the trace level 3 logs for the AD driver for a
user-creation transaction.

Please let me know your views on the same.

Thanks!


+----------------------------------------------------------------------+
|Filename: AD Driver Log_10052016.zip |
|Download: https://forums.netiq.com/attachment.php?attachmentid=443 |
+----------------------------------------------------------------------+

--
neha_gupta


Re: User Account Creation Issue in AD

neha gupta wrote:

>
> Hi Alex,
>
> As requested, I am sharing the trace level 3 logs for the AD driver for a
> user-creation transaction.
>
> Please let me know your views on the same.



That was a level 2 trace, not level 3.
I specifically requested a level 3 trace, as it is only at this level
that you see the detail required for debugging this type of problem.

At a guess, your problem is that your driver filter is configured
incorrectly and you have some attributes that should be subscriber
notify but are instead incorrectly set to subscriber sync.

1. Group Membership
2. nrfMemberOf

I suggest you look at those as a starting point.

If you still have problems please post a level 3 trace of driver
startup and of the problematic transaction.

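As an added example (not code from the thread or from the NetIQ AD driver), the Python script below parses an `<nds>` document like the one dumped in the first post's trace and lists, per event, which attributes the subscriber shim is being asked to write and whether a rename is queued. The NOTIFY_ONLY set is an assumption taken from the reply's suggestion about Group Membership and nrfMemberOf, and the sample document is a constructed, trimmed copy of the trace above.

```python
"""Summarise a DirXML <nds> document as dumped in an IDM driver trace."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the trace in the first post (trimmed).
SAMPLE_DOC = r"""<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="user" event-id="Active Directory Driver##15499732cd1##0"
        src-dn="xxx\admSnow01.White01" src-entry-id="116527">
<modify-attr attr-name="memberOf"><remove-all-values/></modify-attr>
<modify-attr attr-name="nrfMemberOf"><remove-all-values/>
<add-value><value type="dn">\yyy\1022-ROL-PPRVACT-PRD</value></add-value>
</modify-attr>
<modify-attr attr-name="displayName"><remove-all-values/>
<add-value><value type="string">Snow01 White01</value></add-value>
</modify-attr>
</modify>
<rename class-name="user" src-dn="xxx\admSnow01.White01" src-entry-id="116527">
<new-name>Snow01 White01</new-name>
</rename>
</input>
</nds>"""

# Attributes the last reply suggests should be subscriber "notify", not
# "sync", so they never reach AD. Assumed list; extend it for your filter.
NOTIFY_ONLY = {"Group Membership", "memberOf", "nrfMemberOf"}

def summarise(doc):
    """Return one dict per event under <input>: tag, src-dn, attrs, new name."""
    root = ET.fromstring(doc)
    events = []
    for ev in root.find("input"):
        events.append({
            "event": ev.tag,
            "src_dn": ev.get("src-dn"),
            "attrs": [ma.get("attr-name") for ma in ev.findall("modify-attr")],
            "new_name": getattr(ev.find("new-name"), "text", None),
        })
    return events

def find_issues(events):
    """Flag notify-only attributes being pushed to AD, and any CN rename."""
    issues = []
    for e in events:
        for attr in e["attrs"]:
            if attr in NOTIFY_ONLY:
                issues.append(f"{e['event']} {e['src_dn']}: {attr} sent to AD")
        if e["event"] == "rename":
            issues.append(f"rename {e['src_dn']}: CN -> {e['new_name']!r}")
    return issues
```

Run it against a document copied out of a level 3 trace to see exactly which attributes and rename the driver is about to send before looking at the filter.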