Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033216 - When resetting an out of band (OOB) account password, Access Fulfillment Express (AFX) will always look for full DN to search accounts in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 22, 2017

Version 10Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033216
Applies To	RSA Product Set: RSA Identity Governance and Lifecycle RSA Product/Service Type: All
Issue	The default Reset Account password looks for a distinguished name (DN) to search the account in Active Directory (AD). AFX fails with the error below if the account is collected as sAMAccountName rather than a DN, as displayed in the GUI's comments section: AFX reports this item failed with code [-1] and message: 'org.mule.api.transformer.TransformerMessagingException: Search for attributes for CN=jdoe,OU=Test_User,DC=2k8r2-vcloud,DC=local returned empty. The entry may not exist. Aborting request! (java.lang.IllegalArgumentException) (org.mule.api.transformer.TransformerException). Message payload is of type: String'. If available, another handler will be used to fulfill this item. Below error seen in comment box : The request completes without issue if the account is collected as a DN:
Cause	For the reset password option, AFX is always looking for the full DN of the account. If the account is collected with the sAMAccountName, then during the reset password request, AFX fails with the error shown above. The DN for the test user John Doe is CN= John Doe ,OU=Test_User,DC=2k8r2-vcloud,DC=local. If the account is a sAMAccountName (e. g., jdoe) then AFX tries to search the DN as CN=jdoe,OU=Test_User,DC=2k8r2-vcloud,DC=local. Since it does not find this DN in Active directory, it displays the error.
Resolution	You can map any of the AD attributes to the Account Name or ID. You would expect that AFX can search for an account based on any attributes from the AD. However, this is not the current product behavior. The connector will always try to look up an account or group using the DN. This doesn't mean that you need to collect accounts with Account ID set to DN. What it does mean is that you need to collect either the account CN or DN as an attribute and map that attribute to the account parameter on the Reset an Account's Password tab and for any other account-related command EXCEPT for Create Account. It is most likely that not all of your accounts are in the same OU, so you would want to collect and map the full DN to the account parameter. If, however, all the accounts are in the same OU structure and the CN is made up of attributes from associated user object(s), then the account parameter for the Reset Password command can be mapped to those user attributes. An example of this would be if your CN looks like CN = $User.First_Name $User.Last_Name. For the account parameter to Reset an Account's Password in the connector, the attribute mapping would look like $User.First_Name $User.Last_Name.

Attachments

Outcomes

0 Comments

Recommended Content