1 Reply Latest reply on Sep 5, 2008 9:18 AM by 804993

    Active Directory datastore LDAP Error 34: (DN) uses invalid syntax.

    800645
      Hi,

I configured Active Directory as the datastore of one of the Access Manager organizations and I'm getting some LDAP errors.

First, I patched AM 7.1 realm mode with patch 1 as suggested in the documentation, then I added the AM schema to Active Directory successfully, and finally, I want to see my users in the AM web console (amserver).

My first attempt at getting this datastore running was to keep the default datastore configuration, that is, keeping LDAP User Search Attribute=sAMAccountName. When I try to go to the Subjects tab, I can see the user list correctly, but when I click a user, I get an error:
      Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo: Unable to find entry: sAMAccountName=hjuarez,cn=users,DC=sunintel,DC=sun,DC=com
and when I try to add a user the log says:
      LDAPv3Repo.create failed
      netscape.ldap.LDAPException: error result (64); 00002073: NameErr: DSID-03050AAB, problem 2005 (NAMING_VIOLATION), data 0, best match of:
              'sAMAccountName=hjuarez,cn=users,DC=sunintel,DC=sun,DC=com'
      ; Naming violation
              at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4857)
It seems there is a direct and nasty hard-coded relationship between the LDAP Search Attribute and the creation of the distinguished name. It's not configurable, so I tried to find another solution.

The second attempt I made was to configure the "cn" attribute as the LDAP User Search Attribute. With this configuration I'm able to see the Subjects tab properly. It retrieves the CNs of the users already stored in Active Directory, and when I click them I can see their attributes. But when I try to add a new user or modify the existing ones, I get this error message:
Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered a ldap exception. LDAP Error 34: The specified distinguished name (DN) uses invalid syntax.
The log says:
          attrs: {sAMAccountName=[hjuarez], uid=[hjuarez], cn=[hjuarez], sn=[hjuarez], inetuserstatus=[Active], givenname=[hjuarez], userpassword=xxx...}
      05/30/2008 07:40:43:515 AM CDT: Thread[service-j2ee-4,5,main]
          : attrName= sn set:[hjuarez]
      05/30/2008 07:40:43:516 AM CDT: Thread[service-j2ee-4,5,main]
          : attrName= objectclass set:[user, top, person, organizationalPerson]
      05/30/2008 07:40:43:516 AM CDT: Thread[service-j2ee-4,5,main]
          : attrName= cn set:[hjuarez]
      05/30/2008 07:40:43:516 AM CDT: Thread[service-j2ee-4,5,main]
          : attrName= sAMAccountName set:[hjuarez]
      05/30/2008 07:40:43:516 AM CDT: Thread[service-j2ee-4,5,main]
          : attrName= userpassword
      05/30/2008 07:40:43:516 AM CDT: Thread[service-j2ee-4,5,main]
          : before ld.add: eDN=cn=hjuarez,cn=users,dc=sunintel,dc=sun,dc=com
      05/30/2008 07:40:43:551 AM CDT: Thread[LDAPv3EventService,5,main]
      objectChanged:  dn=CN=RID Set,CN=SUNINTEL,OU=Domain Controllers,DC=sunintel,DC=sun,DC=com
      05/30/2008 07:40:43:555 AM CDT: Thread[service-j2ee-4,5,main]
      ERROR: LDAPv3Repo.create failed. errorCode=34  00002081: NameErr: DSID-03050AE0, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
              'cn=hjuarez,cn=users,dc=sunintel,dc=sun,dc=com'
      05/30/2008 07:40:43:555 AM CDT: Thread[service-j2ee-4,5,main]
      LDAPv3Repo.create failed
      netscape.ldap.LDAPException: error result (34); 00002081: NameErr: DSID-03050AE0, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
              'cn=hjuarez,cn=users,dc=sunintel,dc=sun,dc=com'
I felt frustrated because there are just a few configurable parameters and nothing seems to work. I want to know if someone has already successfully configured the Active Directory datastore and whether they would post how to do it properly.

If I'm wrong, please point me in the right direction.

      Thanks in advance, any help would be appreciated.
        • 1. Re: Active Directory datastore LDAP Error 34: (DN) uses invalid syntax.
          804993
I have a similar problem. I had to try to configure the SPE User directory. The connection test succeeded. But when I tried to Create User (via "Account -> Manage Service Provider User") the following error appeared:
           com.waveset.util.IOException: Could not create 'uid=testuser01'. Cause uid=testuser01: [LDAP: error code 64 - 00002073: NameErr: DSID-03050AAB, problem 2005 (NAMING_VIOLATION), data 0, best match of:
	'uid=testuser01,dc=studny,dc=local'
]. 
          Service Provider End-User Directory resource:
Resource parameters:
          Host: localhost
          TCP Port: 389
          User DN: cn=admin,ou=IT,dc=studny,dc=local
          Base Contexts: dc=studny,dc=local

          Identity Template:
          uid=$accountId$,dc=studny,dc=local

          I have installed IDM 8.0.

Does anybody have an idea what is wrong? Is it necessary to set up DSEE?

          Thanks in advance
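Both posts above receive 00002073 NAMING_VIOLATION (LDAP result 64) when the RDN of the new entry is built from sAMAccountName or uid: Active Directory only accepts the naming attribute its schema defines for the object class (rDNAttID, which is cn for user objects) as the RDN attribute of an added entry. The following Python pre-flight check is an added illustration, not code from Access Manager, IDM or either poster; it assumes the identity-template syntax shown in the reply ("uid=$accountId$,dc=studny,dc=local"), a small hard-coded table of AD naming attributes, and RFC 4514 escaping of the RDN value, and flags a template that AD would reject before any ADD is sent.

```python
import re

# Naming attribute AD's schema defines for each object class (rDNAttID).
# Hard-coded assumption for a few classes; AD rejects an ADD whose RDN
# uses any other attribute with 00002073 NAMING_VIOLATION (result 64).
AD_RDN_ATTR = {
    "user": "cn",
    "group": "cn",
    "organizationalunit": "ou",
    "container": "cn",
}

# Characters that must be escaped inside an RDN value (RFC 4514).
_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters so the DN still parses."""
    v = _SPECIAL.sub(r"\\\1", value)
    if v.startswith(("#", " ")):
        v = "\\" + v
    if v.endswith(" "):
        v = v[:-1] + "\\ "
    return v

def build_dn(template: str, account_id: str) -> str:
    """Expand $accountId$ in the template into the DN that would be added."""
    return template.replace("$accountId$", escape_rdn_value(account_id))

def check_template(template: str, object_class: str) -> list:
    """Return problems found before any LDAP ADD is attempted (empty = ok)."""
    problems = []
    # The RDN is everything before the first comma; the placeholder itself
    # contains no comma, so a plain split is safe for a template.
    rdn = template.split(",", 1)[0]
    if "=" not in rdn:
        return ["RDN is not in attribute=value form"]
    attr = rdn.split("=", 1)[0].strip().lower()
    expected = AD_RDN_ATTR.get(object_class.lower())
    if expected and attr != expected:
        problems.append(f"RDN attribute '{attr}' is not AD's naming attribute "
                        f"'{expected}' for objectClass {object_class}; "
                        "AD will answer NAMING_VIOLATION (error 64)")
    return problems
```

Running check_template against the templates from both posts reports the sAMAccountName and uid RDNs as rejected, while "cn=$accountId$,cn=users,..." passes this check (the error 34 case in the first post is a different failure that this check does not diagnose).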