[LDAP: error code 65 - attribute not allowed]

    Identity Manager 5.5 (2005Q3M1) on Windows 2000
    OpenLDAP 2.0.4 on the same Windows 2000 box

    Running "Test Configuration" on the LDAP resource succeeds. To simplify, in my configuration I keep only the objectclasses "top" and "person" and delete the other objectclasses. All the attributes I need are "cn" and "sn".

    But:
    Attribute --------- Value ------------------ Status
    cn=ttttt,c=cn on LDAP56
    password ------ ********

    com.waveset.util.WavesetException: An error occurred adding user 'cn=ttttt,c=cn' to resource 'LDAP56'. javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute not allowed]

    I used the "ldapmodify" command to add an entry to my OpenLDAP server, and it succeeded. Here is my ldif:

    I can't figure out why IDM can't create this entry. It seems that everything complies with the schema.

    If you have any ideas, please reply to the post. Thanks a lot.
      • 1. Re: [LDAP: error code 65 - attribute not allowed]
        You should check the resource schema for that resource and see if it contains attributes which are NOT contained in the object classes you've specified.
        • 2. Re: [LDAP: error code 65 - attribute not allowed]
          I think your suggestion is the point to solve the problem.

          I reviewed the OpenLDAP schema file core.schema.
          It seems that "cn" and "sn" are the only attributes that objectclass "person" MUST have. Objectclass "person" MAY have the attribute "userPassword".
          So I modified the IDM Resource Parameters and
          added the attribute "userPassword". But it doesn't work :(

          I tried to find more detailed information in the trace log (trace level is 4), but found nothing valuable.
          • 3. Re: [LDAP: error code 65 - attribute not allowed]
            What attributes are currently in your resource schema?
            There is at least one that is not contained in your object classes...
            • 4. Re: [LDAP: error code 65 - attribute not allowed]
              I installed IDM 6.0 on a new WinXP box, but still encountered this problem.
              If the Resource is Sun Directory Server, the account can be created successfully.
              If the Resource is OpenLDAP, then the error "attribute not allowed" appears again.

              I copied the related paragraphs from OpenLDAP's schema and Sun Directory Server's schema.

              /********* core.schema (OpenLDAP) *********/

              objectclass ( NAME 'top' ABSTRACT
                   MUST objectClass )

              objectclass ( NAME 'person' SUP top STRUCTURAL
                   MUST ( sn $ cn )
                   MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

              objectclass ( NAME 'organizationalPerson' SUP person STRUCTURAL
                   MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
                        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
                        telephoneNumber $ internationaliSDNNumber $
                        facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
                        postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
              /********* 00core.ldif (Sun Directory Server) *********/

              objectClasses: ( NAME 'top' DESC 'Standard LDAP objectclass' ABSTRACT MUST objectClass X-ORIGIN 'RFC 2256' )

              objectClasses: ( NAME 'person' DESC 'Standard LDAP objectclass' SUP top
              MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword )
              X-ORIGIN 'RFC 2256' )

              objectClasses: ( NAME 'organizationalPerson' DESC 'Standard LDAP objectclass' SUP person MAY ( destinationIndicator $ facsimileTelephoneNumber
              $ internationaliSDNNumber $ l $ ou $ physicalDeliveryOfficeName $ postOfficeBox
              $ postalAddress $ postalCode $ preferredDeliveryMethod $ registeredAddress
              $ st $ street $ teletexTerminalIdentifier $ telexNumber $ title $ x121Address )
              X-ORIGIN 'RFC2256' )

              objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Internet
              extended organizational person objectclass' SUP organizationalPerson MAY (
              audio $businessCategory $ carLicense $ departmentNumber $ displayName
              $ employeeType $employeeNumber $ givenName $ homePhone
              $homePostalAddress $ initials $ jpegPhoto $ labeledURI $ manager $ mobile
              $ pager $ photo $ preferredLanguage $ mail $ o $ roomNumber $ secretary
              $ uid $ x500uniqueIdentifier $ userCertificate $ userSMimeCertificate
              $userPKCS12 ) X-ORIGIN 'inetOrgPerson Internet Draft' )

              From the schemas, we can see that there is no objectclass "inetOrgPerson" in OpenLDAP.
              But the other objectclasses and MUST attribute definitions are the same.

              Here is my resource configuration:

              In "Resource Wizard" -- "Resource Parameters" -- "objectclass" edit box, I keep only "top" and "person" and delete "organizationalPerson" and "inetOrgPerson". Can I do such a simplification? Then the MUST attributes that "person" needs are "cn" and "sn".

              In "Resource Wizard" -- "Account Attributes" page, I do the mappings as below:
              Identity System User Attribute <--> Resource User Attribute
              password <--> userPassword
              lastname <--> sn
              firstname <--> cn

              In "Resource Wizard" -- "Identity Template" page, "Identity Template" is configured as "cn=$firstname$,c=cn".

              Is the configuration correct? What configuration did I omit that causes "attribute not allowed"?

              Thank you.
              • 5. Re: [LDAP: error code 65 - attribute not allowed]
                Whau, it seems you are running openLDAP on Windows.

                I am interested in how you built/ported the openLDAP server... anyway I think you (or whoever) forgot to include the inetOrgPerson schema when it was built.

                The inetorgperson schema isn't included automatically - it's a "useful" schema to have but not essential in openLDAP (or iPlanet, come to that).

                However, the mail attribute is so pervasive that 99.99% of LDAP clients (including IdM) expect it and other inetorgperson attributes such as usercertificate to be there in a class named inetorgperson. Did you not notice inetorgperson in the list of objectclasses when you defined the resource with the Idm wizard?

                My suggestion is to shut down the openLDAP server, back up and then edit the openLDAP schema config file, adding the inetorgperson schema definitions, and restart the openLDAP server.

                I should point out that iPlanet ain't perfect; it's a pain in the butt as well when you are forced to use iPlanet for PKI applications. So far EVERY iPlanet install has required me to add the standard pkiuser class.
                • 6. Re: [LDAP: error code 65 - attribute not allowed]
                  "I am interested in how you built/ported the openLDAP server."
                  OpenLDAP provides a method for win32 porting.
                  Download and install sleepycat and hs_regex.
                  After unzipping the OpenLDAP src tar ball, you can find main.dsw under the dir "build".
                  But you should use the unix2dos tool to convert all .dsp and .dsw files first.
                  Then you can use VC6 to open main.dsw.
                  Modify portable.h to meet your demands.
                  Build all projects.
                  "I think you (or whoever) forgot to include the inetOrgPerson schema when it was built."
                  Actually, I omitted that "inetOrgPerson" has the attribute "mail". Thanks for your suggestion.
                  I added the definition of inetOrgPerson to core.schema, and added the objectclasses "organizationalPerson" and "inetOrgPerson" back to the Resource Parameters.
                  But the result is unchanged: [LDAP: error code 65 - attribute not allowed].

                  The problem is driving me crazy.
                  Where can I get more detailed error information?
                  I set the debug level to 4, but found nothing useful in WSTraceX.log.
                  If I knew which attributes are submitted to OpenLDAP, I could tell which attribute is not allowed.

                  Any hints and suggestions will be appreciated. Thanks.
                  • 7. Re: [LDAP: error code 65 - attribute not allowed]
                    You know which attributes are needed because you have the entry in the SUN Java Systems LDAP server. Get the whole entry and check in which objectclass they are defined on the SUN server, and then check if you have the same on the OpenLDAP side.

                    Tracing the IDM server will not help because it only gets the error 65 back. You need to trace the OpenLDAP side. It should be in the error or access log when you turn up the log level.

                    • 8. Re: [LDAP: error code 65 - attribute not allowed]
                      I have solved the problem. Thanks for your suggestions.

                      In slapd.conf of OpenLDAP, one should include core.schema, cosine.schema and inetOrgPerson.schema to use the objectclass "inetOrgPerson" and its related attributes "mail" and "uid".

                      I am thankful to people who reply or read my post.
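As an added illustration (not code from the thread, from Identity Manager or from OpenLDAP): the script below automates the check reply 7 describes doing by hand, and shows why the configuration in reply 4 failed and why the schema includes in the post above fix it. It parses objectclass definitions in both the slapd.conf form (core.schema) and the LDIF form (00core.ldif) quoted in reply 4, follows each SUP chain, and reports any attribute of an entry that none of its listed objectclasses permits, which is the objectClassViolation slapd returns as error 65 "attribute not allowed". The schema text (with shortened MAY lists), the entry values and the e-mail address are constructed for the example.

```python
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed, abbreviated schema text in slapd.conf syntax. 'top', 'person'
# and 'organizationalPerson' follow the core.schema excerpt quoted in the
# thread (organizationalPerson's MAY list shortened); 'inetOrgPerson' is a
# cut-down version of the Sun Directory Server definition quoted there,
# keeping only the attributes the thread discusses.
CORE_SCHEMA = """
objectclass ( NAME 'top' ABSTRACT
     MUST objectClass )

objectclass ( NAME 'person' SUP top STRUCTURAL
     MUST ( sn $ cn )
     MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

objectclass ( NAME 'organizationalPerson' SUP person STRUCTURAL
     MAY ( title $ ou $ l $ street $ postalCode ) )
"""

INETORGPERSON_SCHEMA = """
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
     DESC 'Internet extended organizational person objectclass'
     SUP organizationalPerson STRUCTURAL
     MAY ( displayName $ givenName $ mail $ uid $ userCertificate ) )
"""


def _definition_bodies(text: str) -> Iterator[str]:
    """Yield the text between the outer parentheses of every objectclass
    definition, matching parentheses so MUST/MAY lists stay intact. Accepts
    both 'objectclass (' (slapd.conf) and 'objectClasses: (' (LDIF)."""
    for m in re.finditer(r"objectclass(?:es)?:?\s*\(", text, re.IGNORECASE):
        depth, start, i = 1, m.end(), m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield text[start:i - 1]


def parse_objectclasses(text: str) -> Dict[str, dict]:
    """Map each lower-cased objectclass name to its SUP, MUST and MAY sets."""
    classes: Dict[str, dict] = {}
    for body in _definition_bodies(text):
        body = re.sub(r"(DESC|X-ORIGIN)\s+'[^']*'", " ", body)  # drop free-text strings
        name = re.search(r"NAME\s+'([^']+)'", body).group(1).lower()
        sup = re.search(r"\bSUP\s+'?([\w-]+)'?", body)
        spec = {"sup": sup.group(1).lower() if sup else None,
                "must": set(), "may": set()}
        # Attribute lists come either as '( a $ b )' or as a single bare name.
        for m in re.finditer(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|([\w-]+))", body):
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            spec[m.group(1).lower()].update(
                a.strip().lower() for a in raw.split("$") if a.strip())
        classes[name] = spec
    return classes


def allowed_attributes(classes: Dict[str, dict],
                       objectclass_values: List[str]) -> Tuple[Set[str], Set[str], List[str]]:
    """Collect the attributes permitted (MUST + MAY) and required (MUST) by
    the given objectClass values, following each SUP chain; objectClass
    names the loaded schema does not define are returned separately."""
    allowed, must, unknown = {"objectclass"}, {"objectclass"}, []
    for value in objectclass_values:
        name = value.lower()
        while name is not None:
            spec = classes.get(name)
            if spec is None:
                unknown.append(name)
                break
            allowed |= spec["must"] | spec["may"]
            must |= spec["must"]
            name = spec["sup"]
    return allowed, must, unknown


def check_entry(classes: Dict[str, dict], entry: Dict[str, List[str]]) -> dict:
    """Report the objectClass violations slapd would raise for `entry`:
    attributes no listed objectclass allows (the thread's error 65 case),
    MUST attributes that are missing, and undefined objectClass values."""
    lowered = {k.lower(): v for k, v in entry.items()}
    allowed, must, unknown = allowed_attributes(classes, lowered.get("objectclass", []))
    present = set(lowered)
    return {"not_allowed": sorted(present - allowed),
            "missing_must": sorted(must - present),
            "unknown_classes": unknown}


if __name__ == "__main__":
    # Constructed entry matching the 'top' + 'person' configuration from the
    # thread, plus the 'mail' attribute the adapter expects to be able to write.
    entry = {"objectClass": ["top", "person"], "cn": ["ttttt"], "sn": ["ttttt"],
             "userPassword": ["x"], "mail": ["ttttt@example.com"]}
    print(check_entry(parse_objectclasses(CORE_SCHEMA), entry))
    # With inetOrgPerson loaded and listed, the same attributes pass the check.
    entry["objectClass"] += ["organizationalPerson", "inetOrgPerson"]
    entry["uid"] = ["ttttt"]
    print(check_entry(parse_objectclasses(CORE_SCHEMA + INETORGPERSON_SCHEMA), entry))
```

Against the core-only schema the first check flags `mail` as not allowed; against core plus inetOrgPerson the second check reports no violations. Feeding the script a real entry (reply 7's advice: dump it from the server where creation works) and the real schema files the server includes tells you exactly which attribute the missing include leaves unpermitted, which the IdM trace log cannot show.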
                      • 9. Re: [LDAP: error code 65 - attribute not allowed]
                        It looks like you have some experience using OpenLDAP with Sun Identity Manager. I just wanted to find out if that worked out or if you ran into other issues. Also, I am curious as to how OpenLDAP was used, i.e. was it an authoritative source? Did you use the LDAP ActiveSync adapter?