Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

When provisioning to AD, IQService returns the error: Length cannot be less than zero

When provisioning to AD, IQService returns the error: Length cannot be less than zero

 

Symptoms

When provisioning to Active Directory, IQService returns the error "Errors returned from IQService. Length cannot be less than zero. Parameter name: length"

 

Diagnosis

This error typically occurs when provisioning to AD while the identity attribute is set to a non-standard attribute in the Account Schema.

 

Solution

When provisioning to an AD application, the Identity Attribute must be set to "distinguishedName" in the Account Schema. This should be the default when defining at AD application and should not be changed.

If the setting has changed, it can be restored by completing the following steps:

  1. From IdentityIQ, select Applications > Application Definitions.
  2. Select the correct application from the list.
  3. Swith to the Configuration tab.
  4. Open the Schema settings.
  5. Ensure the Identity Attribute is configured to be distinguishedName, as seen in the following image:
     

    adDN.png

  6. Save the changes.
  7. Repeat your provisioning attempt.
Labels (2)
Comments
amit_kumargupta
‎May 14, 2020 06:12 AM
‎May 14, 2020 06:12 AM

Hi Michael,

With this approach, I'm finding some difficulty in achieving the OU movement. 
My Use case is if a user gets disabled his/her account will be moved to Disabled OU. For that I configured the  AC_NewParent = Disabled OU and prepopulating this data in the provisioning policy form. I have attached a form against Disable User operation which is setting this.
Everything works well i.e. the account is getting moved to Disable OU and the user is also getting deleted in AD. But the Link is getting deleted in the Sailpoint side. I don't want the link to be deleted for that I must have to set Identity attribute as some other standard attribute.

Which Attribute should I set apart from DN?

katrina_harris
‎Oct 30, 2020 10:52 AM
‎Oct 30, 2020 10:52 AM

@michael_slavin  Is there an update on this issue? We are having the same issues using batch requests and we already have our setting setup as described above for the distinguishedName on the Identity Attribute

kenney_s
‎Jan 22, 2021 10:38 AM
‎Jan 22, 2021 10:38 AM

Is there an update to this issue?  We are also seeing this error and distinguishedname is already set up as discribed.

Version history
Revision #:
4 of 4
Last update:
‎May 23, 2023 10:52 PM
Updated by:
Community Administrator
 
View Article History