This topic has 3 replies, 2 voices, and was last updated 1 year, 4 months ago by 
.
-
Posts
-
I’ve been working on this one for days now but haven’t gotten anywhere. I have added an OpenDJ instance as an external datastore, configured it so that my users show up in the subjects, and can manage existing users. However, I get the following error when trying to create a new user:
Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=65I’ve tried many things and have run out of ideas, any suggestions on where to look next? The log files do not seem to be too useful, but give these errors:
amPolicy.error
"2019-05-29 08:55:35" /root/openam/openam/log/ "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" "Not Available" amPolicy.error 3468f03ce5edcc8f dc=openam,dc=forgerock,dc=org INFO 10.126.x.x LOG-1 "2019-05-29 10:31:57" amPolicy.error "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" "Not Available" amPolicy.error 52474a0db476281d01 dc=openam,dc=forgerock,dc=org INFO 10.126.x.x LOG-2amConsole.error
"2019-05-30 10:46:48" "why|user|/|Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=65" "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" id=amAdmin,ou=user,dc=openam,dc=forgerock,dc=org "Not Available" amConsole.error a9598d259b5d5f4b01 dc=openam,dc=forgerock,dc=org SEVERE 10.126.x.x CONSOLE-4Hi John
What’s the base DN of your external user store? Did you set it to
dc=openam,dc=forgerock,dc=orglike the embedded one? The logs suggest that where AM is trying to put your users, at least. Given you had two datastores defined at one point I wonder if AM is muddled.How are you creating these new users? Using the AM console? If the base DN isn’t the problem my guess is that AM is trying to add an attribute that violates the schema. The datastore definition to your external DS is likely to be configured to add a bunch of attributes specific to AM use-cases. AM expects that the AM extensions to the default schema are in place. There’s a ‘create schema’ option in the datastore definition that would do this for you – if you’ve let it do its thing. If you’ve created the custom schema then it’s worth checking the DJ logs as well as the AM logs.
-Andy
Wow… why didn’t I think of that, thanks! Found a conflicting objectclass in the OpenDJ logs:
[30/May/2019:11:36:48 -0400] ADD RES conn=2 op=59 msgID=60 result=65 message="Entry uid=why,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes multiple conflicting structural objectclasses account and inetOrgPerson. Only a single structural objectclass is allowed in an entry" etime=2I’ve been working on some custom schemas and must have broke it, now onto bigger things!
You must be logged in to reply to this topic.
