
Errors on LDAP


Dan Munns


Hi, 

I have a few LDAP import tasks to simply update user fields (disabled users and two add users to groups) but when I run them I get a number of errors stating the following:

'Unable to create user: <USERNAME> Error: The specified handle <HANDLE> already exists' 
'Unable to Create User: <USERNAME> Error: The minimum length of the value in element <name> was expected to be 2 but was actually 0 at location '/methodCall/params/name'

Now, I understand the error if I am trying to create a new user, however the LDAP import is set to 'No action' for all steps apart from groups which is set to 'Update Only'. It seems to have worked, but the errors make finding actual issues a nightmare. 

Using LDAP tool 3.2.0

Any ideas?


@James Ainsworth I don't want to allow for duplicates, I was more concerned that it reports an error when trying to create accounts when the json is set to update only.

And also trying to find out what this error is: 

'Unable to Create User: <USERNAME> Error: The minimum length of the value in element <name> was expected to be 2 but was actually 0 at location '/methodCall/params/name'

 


@Dan Munns from my experience, this error message comes from a missing value for the attribute <name> against the account <USERNAME> in your AD. Double check the profile on the active directory or run the LDAP query of the import setup to make sure some value is returned for the field you mapped to the attribute <name> (which is very likely Distinguished name).
Last time I had this error message, it was because the AD Account was set up with a distinguished name of "BA"... So Hornbill would not allow that.


@Victor @Lyonel I will check the AD objects and see if they are missing givenname and sn. If they are, they are likely service accounts in an OU they shouldn't be or I need to add an exclusion to a sub OU (if that's possible)

Any idea why the LDAP is trying to create accounts in Hornbill when the json file is set to update only though? 


@Victor

{
  "User": {
    "AccountMapping": {
      "UserId": "[sAMAccountName]",
      "UserType": "basic",
      "Name": "[givenName] [sn]",
      "Password": "",
      "FirstName": "[givenName]",
      "LastName": "[sn]",
      "JobTitle": "[title]",
      "Site": "",
      "Phone": "[telephoneNumber]",
      "Email": "[mail]",
      "Mobile": "[mobile]",
      "AbsenceMessage": "",
      "TimeZone": "",
      "Language": "",
      "DateTimeFormat": "",
      "DateFormat": "",
      "TimeFormat": "",
      "CurrencySymbol": "",
      "CountryCode": ""
    },
    "UserDN": "[distinguishedName]",
    "Type": {
      "Action": "None",
      "Value": "user"
    },
    "Status": {
      "Action": "None",
      "Value": "active"
    },
    "Role": {
      "Action": "None",
      "Roles": [
        "Basic User Role",
        "Self Service User",
        "MyLibrary Portal",
        "Self Service Request Cancel User"
      ]
    },
    "ProfileMapping": {
      "MiddleName": "",
      "JobDescription": "",
      "Manager": "",
      "WorkPhone": "",
      "Qualifications": "",
      "Interests": "",
      "Expertise": "",
      "Gender": "",
      "Dob": "",
      "Nationality": "",
      "Religion": "",
      "HomeTelephone": "",
      "SocialNetworkA": "",
      "SocialNetworkB": "",
      "SocialNetworkC": "",
      "SocialNetworkD": "",
      "SocialNetworkE": "",
      "SocialNetworkF": "",
      "SocialNetworkG": "",
      "SocialNetworkH": "",
      "PersonalInterests": "",
      "homeAddress": "",
      "PersonalBlog": "",
      "Attrib1": "",
      "Attrib2": "",
      "Attrib3": "",
      "Attrib4": "",
      "Attrib5": "",
      "Attrib6": "",
      "Attrib7": "",
      "Attrib8": ""
    },
    "Manager": {
      "Action": "None",
      "Value": "[manager]",
      "Options": {
        "GetStringFromValue": {
          "Reverse": true,
          "Regex": ""
        },
        "MatchAgainstDistinguishedName": false,
        "Search": {
          "Enable": false
        }
      }
    },
    "Image": {
      "Action": "None",
      "UploadType": "URI",
      "InsecureSkipVerify": false,
      "ImageType": "png",
      "Value": "[thumbnailPhoto]"
    },
    "Site": {
      "Action": "None",
      "Value": "[physicalDeliveryOfficeName]"
    },
    "Org": [
      {
        "Options": {
          "OnlyOneGroupAssignment": false,
          "Type": 1,
          "Membership": "member",
          "TasksView": false,
          "TasksAction": false
        },
        "Action": "Update",
        "Value": "[All Staff]"
      }
    ]
  },
  "LDAP": {
    "Server": {
      "keySafeID": 5,
      "InsecureSkipVerify": false,
      "Debug": false,
      "ConnectionType": "SSL"
    },
    "Query": {
      "Attributes": [
        "cn",
        "distinguishedName",
        "sn",
        "telephoneNumber",
        "mobile",
        "sAMAccountName",
        "userPrincipalName",
        "givenName",
        "description",
        "department",
        "manager",
        "thumbnailPhoto",
        "cn",
        "sn",
        "telephoneNumber",
        "mobile",
        "sAMAccountName",
        "userPrincipalName",
        "givenName",
        "description",
        "department",
        "manager",
        "mail",
        "title",
        "givenName",
        "physicalDeliveryOfficeName",
        "department",
        "extensionAttribute1"
      ],
      "Scope": 2,
      "DerefAliases": 1,
      "TypesOnly": false,
      "SizeLimit": 0,
      "TimeLimit": 0,
      "Filter": "(objectCategory=person)",
      "DSN": "<REDACTED>"
    }
  },
  "Advanced": {
    "LogLevel": 3,
    "LogRetention": 0,
    "PageSize": 100
  },
  "version": 4
}

 


Right, so:

2 hours ago, Dan Munns said:

Any idea why the LDAP is trying to create accounts in Hornbill when the json file is set to update only though?

After seeing the config file I assume now that you mean "why LDAP is creating new accounts, which don't exist in Hornbill, when the config is set to update only". Detailing this is important because I have seen this in the past and it seems to be a rather common misunderstanding. The LDAP import tool will always create a user account in Hornbill if the user account does not exist in Hornbill. The "update only configuration" or "no action configuration" you mentioned actually refers to how user characteristics are handled for each user. I'll try and explain using the "Status" as an example:


The possible actions are:

  • Only Create - it means that the user status will be set only if the user is being created in Hornbill. In other words this is only set when the user is created and once it exists in Hornbill the import tool will not amend the user status again;
  • Only Update - it means that the user status will be set every time the import tool runs and if the user already exists in Hornbill;
  • Create & Update - it means a combination of the above: the user status will be set when the user is being created in Hornbill and every subsequent time the import tool runs;
  • No Action - it means the import tool completely bypasses setting the user status when the import tool runs.

So, having a user option/attribute set as "Only Update" or "No Action" does not mean the user is only updated or user is skipped, it means that particular attribute is amended only when the user is updated and not when the user is created initially or that particular attribute is bypassed. It does not mean the user being created or not. The dissemination of "create" and "update" allows having separate behaviors (configurations) of the import tool for setting user attributes/profile when the user is initially created and for when the user is subsequently updated. Hope this makes sense...
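
An added pre-flight check, not part of the original thread and not Hornbill's own code: it models the behaviour described in the reply above (an account missing from Hornbill is created regardless of the per-attribute action) and flags entries whose mapped "Name" would be shorter than the 2 characters quoted in the error. The function names, the trimming of the resolved value and the sample entries are assumptions made for this example.

```python
import re

MIN_NAME_LEN = 2  # from the error text: "expected to be 2 but was actually 0"
PLACEHOLDER = re.compile(r"\[([^\]]+)\]")

def resolve(template, entry):
    """Substitute each [attribute] with the entry's value (missing -> "").
    Trimming the result is an assumption about the import tool."""
    return PLACEHOLDER.sub(lambda m: entry.get(m.group(1), ""), template).strip()

def applies(action, user_exists):
    """Per-attribute action semantics as listed in the reply above."""
    return {
        "Only Create": not user_exists,
        "Only Update": user_exists,
        "Create & Update": True,
        "No Action": False,
    }[action]

def preflight(entries, mapping, existing_ids, status_action):
    """Predict, per directory entry, what an import run would attempt."""
    report = []
    for entry in entries:
        user_id = resolve(mapping["UserId"], entry)
        exists = user_id in existing_ids
        report.append({
            "user_id": user_id,
            # The account itself is created whenever it is missing.
            "operation": "update" if exists else "create",
            "name_too_short": len(resolve(mapping["Name"], entry)) < MIN_NAME_LEN,
            "status_set": applies(status_action, exists),
        })
    return report

# Mapping keys copied from the posted config; entries below are constructed.
MAPPING = {"UserId": "[sAMAccountName]", "Name": "[givenName] [sn]"}
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Example"},
    {"sAMAccountName": "svc_backup"},  # service account: no givenName or sn
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Sample"},
]
EXISTING_IN_HORNBILL = {"alice"}  # constructed set of existing user IDs

REPORT = preflight(SAMPLE_ENTRIES, MAPPING, EXISTING_IN_HORNBILL, "Only Update")

if __name__ == "__main__":
    for row in REPORT:
        print(row)
```

Entries reported with `name_too_short` are the ones to exclude through the LDAP filter or to correct in the directory before the import runs.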


@Victor that makes sense, and to be fair is the same across all our LDAP applications when I think about it so I don't know why my brain took the day off. 

I suppose it is just the wording is slightly different if I wanted to defend myself. :)

Thanks @Lyonel also for your input. And it makes me feel better that it's not just me chasing non-issue errors all over the place :)

See you both next week at Insights! (I am assuming you will both be there)


@Dan Munns Happy I could help one last time. Unfortunately Friday is my last day at my current company, which means I will no longer be working with Hornbill (at least for now). I wish you all the best going forward. I am sure that with @Victor here to help, you will be just fine :P

 
