Error creating equality indexes

This topic has 8 replies, 3 voices, and was last updated 2 years, 11 months ago by Rob Matthews.


    I am following along in the OpenAM 13 install manual and trying to create the equality indexes to configure an external data store. However, I am getting the error message below. Any ideas why?

    ./dsconfig create-local-db-index --port 4444 --hostname --bindDN "cn=Directory Manager" --bindPassword password --backend-name userRoot --index-name iplanet-am-user-federation-info-key --set index-type:equality --no-prompt

    The Local DB Index could not be created because of the following reason:

    * [LDAP: error code 53 - The Directory Server is unwilling to add
    configuration entry
    kend-id=userRoot,cn=Backends,cn=config because one of the add listeners
    registered with the parent entry
    cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config rejected this
    change with the message: The Local DB Index could not be decoded due to
    the following reason: The string value
    "iplanet-am-user-federation-info-key" is not a valid value for the
    "attribute" property, which must have the following syntax: OID]

     Rob Matthews

    Hi, did you follow step 11 to add the opendj_user_schema.ldif file?


    Not sure which step is step 11. I have run the openam-ds-admin-account.ldif:

    dn: ou=admins,dc=example,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: OpenAM Administrator

    dn: uid=openam,ou=admins,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: OpenAM Administrator
    sn: OpenAM
    ds-privilege-name: update-schema
    ds-privilege-name: subentry-write
    ds-privilege-name: password-reset

    and the add-acis-for-openam-admin-access.ldif:

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="* || aci")(version 3.0;acl "Allow identity modification";
    allow (write)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
    aci: (targetattr!="userPassword||authPassword")(version 3.0;
    acl "Allow identity search"; allow (search, read)(userdn = "ldap:///
    aci: (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0;acl "Allow
    persistent search"; allow (search, read)(userdn = "ldap:///
    aci: (version 3.0;acl "Add or delete identities"; allow (add, delete)
    (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)


    Hmmm... I am configuring for dynamic schema updates and the manual says, "Continue by configuring your external identity repository as an OpenAM data store as described in Section 1.4.3, 'Configuring OpenAM Data Stores That Access External Identity Repositories'." That said, I found the step 11 that you're referring to: it's in section 1.5.


    The error happens because the attribute is unknown to the Directory Server.
    Either the AM specific schema was not added to the directory, or it’s been added by file and the server was not restarted.
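    The unknown-attribute explanation above, as an added example that is not code from the thread or from ForgeRock: a small POSIX shell pre-flight that reads cn=schema and only runs dsconfig create-local-db-index when the server actually defines the attribute. The ldapsearch and dsconfig locations, host, port and bind password are assumptions, and the sample schema text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from ForgeRock: check that the
# directory's schema defines an attribute type before dsconfig is asked to
# index it, the condition behind the "not a valid value for the attribute
# property" error above. Host, port and bind password are placeholders.

# Return 0 if SCHEMA (attributeTypes lines read from cn=schema) defines ATTR,
# 1 otherwise. LDAP attribute names are case-insensitive, so the match is
# too, and it accepts both NAME 'x' and NAME ( 'x' 'alias' ).
schema_has_attribute() {
  attr="$1"; schema="$2"
  printf '%s\n' "$schema" |
    grep -qiE "^attributeTypes:.*NAME ?(\( *)?('[^' ]*' *)*'${attr}'"
}

# Print, one per line, the names from the argument list that SCHEMA does not
# define. Empty output means every requested index can be created.
missing_attributes() {
  schema="$1"; shift
  for attr in "$@"; do
    schema_has_attribute "$attr" "$schema" || echo "$attr"
  done
}

# Create the equality index only when the live server knows the attribute;
# otherwise report it so the AM schema can be loaded first (needs a running
# server, so it is not exercised offline).
create_index_checked() {
  host="$1"; port="$2"; pw="$3"; attr="$4"
  schema=$(./ldapsearch --hostname "$host" --port "$port" \
    --bindDN "cn=Directory Manager" --bindPassword "$pw" --baseDN cn=schema \
    --searchScope base "(objectClass=*)" attributeTypes) || return 2
  if [ -n "$(missing_attributes "$schema" "$attr")" ]; then
    echo "schema does not define '$attr'; load the AM schema first" >&2
    return 1
  fi
  ./dsconfig create-local-db-index --hostname "$host" --port "$port" \
    --bindDN "cn=Directory Manager" --bindPassword "$pw" \
    --backend-name userRoot --index-name "$attr" \
    --set index-type:equality --no-prompt
}

# Constructed sample of a cn=schema read, to exercise the check offline.
# The second OID is a placeholder, not the attribute's real one.
SAMPLE_SCHEMA=$(cat <<'EOF'
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'iplanet-am-user-federation-info-key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
)
```

Running `missing_attributes "$(./ldapsearch ... cn=schema attributeTypes)" <attr...>` against the live server before the dsconfig step lists every AM attribute the schema load has not yet reached.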


    Restarting the directory server is not an option since it's running in a Docker container; if stop-ds is run, then that causes the container to exit. That seems to have a permanent effect on the container so that it does not start up again afterwards.

     Rob Matthews

    If you have been running the setup to do dynamic schema updates, then you could go into the AM UI, go to datastores and configure the Directory Server as your user store. On this page there is a tickbox to load schema at the top of the page; make sure you tick this and then save the datastore.

    Alternatively you could simply follow the manual updates, which involve loading the schema updates through ldapmodify, which won't require a restart. However, note that depending on the version of DJ you are running you may need to take it offline to verify the indexes. You should probably look into why your container is not operating as expected; perhaps look at persistent volumes?


    Thanks, Rob. Just to be clear, in order to load the schema when the data store is saved, I have to use the cn=Directory Manager account and not the cn=OpenAM Administrator account. And even after I load the schema, I am not able to connect to the external data store with the cn=OpenAM Administrator account. For some weird reason, I keep getting an invalid credentials error message. Does that mean that the OpenAM Administrator user does not exist in OpenDJ?

    Also, what do you mean by this: "you should probably look into why your container is not operating as expected"? Is it expected that you can shut down OpenDJ and still have the container running?

    Thanks again.

     Rob Matthews

    You could do an ldapsearch on the DJ instance to try to find the user, or use an LDAP explorer such as ApacheDirectoryStudio. Did you create it using the example ldif in the guide? If so, and you want to use an ldapsearch, then something like:

    ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "(uid=openam)"

    If you look in the OpenDJ access logs (path/to/dj/logs/access) it should tell you why it cannot connect. You will need the full DN of the account, so if it is per the installation guide it should be "uid=openam,ou=admins,dc=example,dc=com".

    Yes, the Docker image would go down; however, you should be able to configure it so you can restart the same instance again so no changes are lost. It's not something I've played around with much, but I believe you can configure persistent volumes to do this.
