Article Content
Article Number | 000033216 |
Applies To | RSA Product Set: RSA Identity Governance and Lifecycle RSA Product/Service Type: All |
Issue | The default Reset Account Password command looks for a distinguished name (DN) when searching for the account in Active Directory (AD). AFX fails with the error below if the account is collected as sAMAccountName rather than a DN, as displayed in the GUI's comments section: AFX reports this item failed with code [-1] and message: 'org.mule.api.transformer.TransformerMessagingException: The request completes without issue if the account is collected as a DN: |
Cause | For the reset password option, AFX always looks for the full DN of the account. If the account is collected with the sAMAccountName, AFX fails during the reset password request with the error shown above. The DN for the test user John Doe is CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local. If the account is a sAMAccountName (e.g., jdoe), then AFX tries to search for the DN as CN=jdoe,OU=Test_User,DC=2k8r2-vcloud,DC=local. Since it does not find this DN in Active Directory, it displays the error. |
Resolution | You can map any of the AD attributes to the Account Name or ID. You would expect that AFX can search for an account based on any AD attribute. However, this is not the current product behavior. The connector will always try to look up an account or group using the DN. This doesn't mean that you need to collect accounts with Account ID set to DN. What it does mean is that you need to collect either the account CN or DN as an attribute and map that attribute to the account parameter on the Reset an Account's Password tab and for any other account-related command EXCEPT for Create Account. It is most likely that not all of your accounts are in the same OU, so you would want to collect and map the full DN to the account parameter. If, however, all the accounts are in the same OU structure and the CN is made up of attributes from the associated user object(s), then the account parameter for the Reset Password command can be mapped to those user attributes. An example of this would be if your CN looks like CN = $User.First_Name $User.Last_Name. For the account parameter to Reset an Account's Password in the connector, the attribute mapping would look like $User.First_Name $User.Last_Name. |
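
The lookup behaviour described under Cause and Resolution, modelled as a pre-check over collected account values. This is an added example, not RSA or AFX code; the function names, the `BASE` container and the sample directory entries (including Jane Roe in OU=Contractors) are constructed assumptions.

```python
import re

# Constructed sample data, not from a real directory: the DNs that exist in AD.
DIRECTORY = {
    "CN=John Doe,OU=Test_User,DC=2k8r2-vcloud,DC=local",
    "CN=Jane Roe,OU=Contractors,DC=2k8r2-vcloud,DC=local",
}
# Assumption: the container a bare account value is looked up under.
BASE = "OU=Test_User,DC=2k8r2-vcloud,DC=local"

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def normalize(dn):
    """Comparison form: lower-cased, padding around '=' and ',' dropped."""
    pairs = (rdn.partition("=") for rdn in split_dn(dn))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in pairs)

def is_dn(value):
    """True when the value has several RDNs and each one is attr=value."""
    parts = split_dn(value)
    return len(parts) > 1 and all("=" in part for part in parts)

def escape_cn(value):
    """Escape RFC 4514 special characters so 'Doe, John' stays a single RDN."""
    value = re.sub(r'([\\,+"<>;])', r"\\\1", value.strip())
    return "\\" + value if value.startswith("#") else value

def lookup_dn(account_param, base=BASE):
    """DN that gets searched: a full DN as-is, anything else as CN=<value>,<base>."""
    if is_dn(account_param):
        return account_param
    return f"CN={escape_cn(account_param)},{base}"

def resolves(account_param, directory=DIRECTORY):
    """Would the lookup for this mapped value find an entry?"""
    return normalize(lookup_dn(account_param)) in {normalize(d) for d in directory}

def preflight(mapped_values):
    """Return the mapped account values whose lookup would fail."""
    return [v for v in mapped_values if not resolves(v)]

if __name__ == "__main__":
    for value in ["jdoe", "John Doe", "Jane Roe",
                  "CN=Jane Roe,OU=Contractors,DC=2k8r2-vcloud,DC=local"]:
        print(f"{value!r:60} -> {lookup_dn(value)!r} found={resolves(value)}")
```

The Jane Roe case shows why a CN-only mapping is safe only when every account sits in the same OU: the CN is correct, but the lookup is built under the wrong container.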