Can See/Edit Users, but not Add to OpenDJ

This topic has 3 replies, 2 voices, and was last updated 3 years, 2 months ago by John.

  • Author
  • #25894

    I’ve been working on this one for days now but haven’t gotten anywhere. I have added an OpenDJ instance as an external datastore, configured it so that my users show up in the subjects, and can manage existing users. However, I get the following error when trying to create a new user:

    Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=65

    I’ve tried many things and have run out of ideas, any suggestions on where to look next? The log files do not seem to be too useful, but give these errors:


    "2019-05-29 08:55:35"   /root/openam/openam/log/        "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org"     "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org"  "Not Available" amPolicy.error  3468f03ce5edcc8f        dc=openam,dc=forgerock,dc=org   INFO    10.126.x.x   LOG-1
    "2019-05-29 10:31:57"   amPolicy.error  "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org"     "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org"     "Not Available"      amPolicy.error  52474a0db476281d01      dc=openam,dc=forgerock,dc=org   INFO    10.126.x.x    LOG-2

    "2019-05-30 10:46:48" "why|user|/|Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=65" "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" id=amAdmin,ou=user,dc=openam,dc=forgerock,dc=org "Not Available" amConsole.error a9598d259b5d5f4b01 dc=openam,dc=forgerock,dc=org SEVERE 10.126.x.x CONSOLE-4

    • This topic was modified 3 years, 2 months ago by John.
     Andy Cory

    Hi John

    What’s the base DN of your external user store? Did you set it to dc=openam,dc=forgerock,dc=org like the embedded one? The logs suggest that where AM is trying to put your users, at least. Given you had two datastores defined at one point I wonder if AM is muddled.

    How are you creating these new users? Using the AM console? If the base DN isn’t the problem my guess is that AM is trying to add an attribute that violates the schema. The datastore definition to your external DS is likely to be configured to add a bunch of attributes specific to AM use-cases. AM expects that the AM extensions to the default schema are in place. There’s a ‘create schema’ option in the datastore definition that would do this for you – if you’ve let it do its thing. If you’ve created the custom schema then it’s worth checking the DJ logs as well as the AM logs.


     Andy Cory

    Adding a random comment with the notification box checked this time…


    Wow… why didn’t I think of that, thanks! Found a conflicting objectclass in the OpenDJ logs:

    [30/May/2019:11:36:48 -0400] ADD RES conn=2 op=59 msgID=60 result=65 message="Entry uid=why,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes multiple conflicting structural objectclasses account and inetOrgPerson. Only a single structural objectclass is allowed in an entry" etime=2

    I’ve been working on some custom schemas and must have broke it, now onto bigger things!

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?