000033216 - When resetting an out of band (OOB) account password, Access Fulfillment Express (AFX) will always look for full DN to search accounts in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 10

Article Content

Article Number: 000033216
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
RSA Product/Service Type: All
Issue: The default Reset Account Password command looks for a distinguished name (DN) to search for the account in Active Directory (AD). AFX fails with the error below if the account is collected as a sAMAccountName rather than a DN, as displayed in the GUI's comments section:
AFX reports this item failed with code [-1] and message: 'org.mule.api.transformer.TransformerMessagingException: 
Search for attributes for CN=jdoe,OU=Test_User,DC=2k8r2-vcloud,DC=local returned empty. The entry may not exist.
Aborting request! (java.lang.IllegalArgumentException) (org.mule.api.transformer.TransformerException).
Message payload is of type: String'. If available, another handler will be used to fulfill this item.

The error below is seen in the request's comment box:
[Image: the AFX failure message shown in the comment box]

The request completes without issue if the account is collected as a DN:
[Image: the completed request when the account is collected as a DN]
Cause: For the reset password option, AFX always looks for the full DN of the account. If the account is collected with the sAMAccountName, the reset password request fails with the error shown above.

The DN for the test user John Doe is CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local. If the account is collected as a sAMAccountName (e.g., jdoe), AFX searches for the DN CN=jdoe,OU=Test_User,DC=2k8r2-vcloud,DC=local. Since that DN does not exist in Active Directory, the error is displayed.

Resolution: You can map any AD attribute to the Account Name or ID, so you might expect AFX to be able to search for an account by any attribute collected from AD. That is not the current product behavior: the connector always looks up an account or group by its DN.
This does not mean you must collect accounts with the Account ID set to the DN. It means you must collect either the account CN or the DN as an attribute and map that attribute to the account parameter on the Reset an Account's Password tab, and likewise for every other account-related command EXCEPT Create Account. Since your accounts are most likely not all in the same OU, you would normally collect and map the full DN to the account parameter.
If, however, all accounts are in the same OU structure and the CN is composed of attributes from the associated user object(s), the account parameter for the Reset Password command can be mapped to those user attributes instead. For example, if your CN looks like CN=$User.First_Name $User.Last_Name, the attribute mapping for the account parameter of Reset an Account's Password in the connector would be $User.First_Name $User.Last_Name.

[Image: the attribute mapping described above]
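As an added example (not RSA's or AFX's own code), the following Python models the DN-only lookup behaviour described above and provides a pre-flight check over a collected account set; the directory contents, the container DN used for bare values, and the $User attribute names are constructed assumptions.

```python
# Added example (not RSA's code): models how AFX resolves the account parameter
# for the Reset Account Password command so a collection mapping can be checked
# before a request fails with "Search for attributes for <DN> returned empty".
import re

# Constructed stand-in for the Active Directory objects the article discusses.
# Keys are DNs, values are attributes the connector would read back.
CONSTRUCTED_AD = {
    "CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local": {
        "sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe"},
}
# Assumption: the container under which a bare value is searched (taken from the article's DN).
CONTAINER = "OU=Test_User,DC=2k8r2-vcloud,DC=local"

DN_PATTERN = re.compile(r"^CN=[^,]+(,(OU|DC|CN)=[^,]+)+$", re.IGNORECASE)

def render_mapping(template: str, user: dict) -> str:
    """Expand an AFX-style mapping such as '$User.First_Name $User.Last_Name'
    against the user object's attributes (attribute names are assumed)."""
    return re.sub(r"\$User\.(\w+)", lambda m: user.get(m.group(1), ""), template)

def to_search_dn(account_param: str) -> str:
    """Behaviour the article describes: the connector only looks up by DN.
    A bare value is searched as CN=<value>,<container>; a full DN is used as-is."""
    if DN_PATTERN.match(account_param):
        return account_param
    return f"CN={account_param},{CONTAINER}"

def reset_password_lookup(account_param: str, directory=CONSTRUCTED_AD):
    """Return (ok, message), mirroring the connector's outcome for a reset request."""
    dn = to_search_dn(account_param)
    if dn in directory:
        return True, f"Account found at {dn}"
    return False, (f"Search for attributes for {dn} returned empty. "
                   "The entry may not exist. Aborting request!")

def check_collection(accounts: list, directory=CONSTRUCTED_AD) -> list:
    """Pre-flight check over collected account values: return every value the
    connector would fail to resolve, so the mapping can be fixed before requests run."""
    return [a for a in accounts if not reset_password_lookup(a, directory)[0]]

if __name__ == "__main__":
    user = {"First_Name": "John", "Last_Name": "Doe"}
    print(reset_password_lookup("jdoe"))        # sAMAccountName mapped: fails
    print(reset_password_lookup("CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local"))
    print(reset_password_lookup(render_mapping("$User.First_Name $User.Last_Name", user)))
    print(check_collection(["jdoe", "CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local"]))
```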