Assign AD Group to users failing

ravi_paul
Participant

While we are adding an AD privilege through the UI to a user who is already activated in AD, we are getting an error in 'AssignUserToADSGroup'.

Here is the destination value of the pass:

dn --> $FUNCTION.sap_core_getGroupACCOUNTFromPrivilege(%MSKEY%)$$

changetype --> modify

+member --> $FUNCTION.sap_core_checkAccountAttributeValueExists(%ACCOUNT%$rep.$NAME%%)$$

Attached is the error screenshot.

Accepted Solutions (1)

Steffi_Warnecke
Active Contributor

Hello Ravi,

I'm a bit confused about the "value" for the member attribute:

$FUNCTION.sap_core_checkAccountAttributeValueExists(%ACCOUNT%$rep.$NAME%%)$$

The attribute "member" expects a distinguished name, not a username. The function used does not return that for the account attribute; it just checks that the given attribute is not empty.

So you need another script that returns the DN for the user you want to add to the group.

EDIT: Or do you use that attribute (ACCOUNT<ad_repo>) for the distinguished name of the AD user and not the sAMAccountName?

Regards,

Steffi.
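As an added example (not from the thread, and not SAP IDM or AD code), here is the LDAP modify that the pass above performs, written out as LDIF, with a check that the member value is a distinguished name rather than an account name, which is the point of the accepted answer. The group and user DNs are constructed sample values.

```python
# Added example: build the "changetype: modify / add: member" operation the
# IDM pass performs, and refuse values that are not distinguished names.
import re

# Minimal DN syntax: one or more "attr=value" RDNs joined by commas.
# Attribute types are names or dotted OIDs; values may contain escaped
# commas ("\,") but not bare ones. (Assumption: a simplified RFC 4514 check.)
_RDN = r'[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*'
_DN_RE = re.compile(rf'^(?:{_RDN})=(?:\\.|[^,\\])+(?:,(?:{_RDN})=(?:\\.|[^,\\])+)*$')


def is_dn(value: str) -> bool:
    """True if value looks like an LDAP distinguished name (e.g. CN=...,DC=...)."""
    return bool(_DN_RE.match(value.strip()))


def build_add_member_ldif(group_dn: str, member_value: str) -> str:
    """Return the LDIF record that adds member_value to the group's member attribute.

    Raises ValueError when member_value is not a DN, i.e. when an account
    name (sAMAccountName / MSKEYVALUE) was passed instead of the user's DN,
    which is the mistake the accepted answer identifies.
    """
    if not is_dn(group_dn):
        raise ValueError(f"group dn is not a distinguished name: {group_dn!r}")
    if not is_dn(member_value):
        raise ValueError(
            f"member must be the user's DN, not an account name: {member_value!r}")
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member: {member_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; no directory is contacted.
    group = "CN=IDM-Test-Group,OU=Groups,DC=example,DC=com"
    print(build_add_member_ldif(group, "CN=Ravi Paul,OU=Users,DC=example,DC=com"))
    try:
        build_add_member_ldif(group, "RPAUL")  # an account name, as the pass originally sent
    except ValueError as exc:
        print("rejected:", exc)
```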

ravi_paul
Participant

Hi Steffi, Many Many Many and more Many Thanks.

That solution worked out for me:

$FUNCTION.sap_core_checkAccountAttributeValueExists(%ACCOUNT%$rep.$NAME%%)$

I was passing MSKEYVALUE at %ACCOUNT%$rep.$NAME%%, assuming that would work; once I passed the DN to %ACCOUNT%$rep.$NAME%% it worked.

Thanks Again!!!

Answers (2)

alexanderbrietz
Active Contributor

Hi Ravi,

How many members do you have in the group in question? Are there more than 1500 members in it?

AD causes problems with membership within large groups because there is a special mechanism for how this is handled in AD. The LDAP way would be to add a memberOf attribute for the person to the group in question instead of adding a member attribute to a person for the group. This would help for groups with more than 1500 members (1500 being the first threshold, IIRC).

Additionally, I would recommend the link Richard posted. WILL NOT PERFORM is the AD way of stating that something went wrong. It could be a password issue (which you already excluded), a protocol issue, a server issue, etc. My interpretation of the error codes is that MS Error Code 0x54F equals ERROR_INTERNAL_ERROR, meaning "An internal error occurred.", which is not very helpful... See https://docs.microsoft.com/de-de/windows/win32/debug/system-error-codes--1300-1699-.

Hope that helps.

Regards,

Alex

ravi_paul
Participant

Not much, it's a test group we have created. As of now it has only 2 members.

Also, it's not an issue with one group; for any group I'm trying to add to a user, I'm getting the same error.

-RP

richard_pietsch
Active Contributor

Hi, LDAP code 53 with problem 5003 indicates a password issue. See https://ldapwiki.com/wiki/WILL_NOT_PERFORM
Regards, Richard

ravi_paul
Participant

It doesn't seem to be, as the IDM service account is able to create users in ADS from IDM; the problem is only when assigning an AD group from IDM.

I tried logging in to the AD MMC with the IDM service account and was able to add users manually in the MMC, which means the IDM service account has access to add user accounts.