This topic has 2 replies, 3 voices, and was last updated 3 years, 8 months ago by Bill Nelson.


    I have OpenIDM connected to AD with the LDAP Connector, but I have several OUs, and if I change the DN of the user to move it to another OU, OpenIDM shows this error:
    [LDAP: error code 21 – 00000057: LdapErr: DSID-0C090EBF, comment: Error in attribute conversion operation, data 0, v3839]
    Is there a way to move users from OpenIDM to a different OU in Active Directory?


    It happens whenever you change any of the attributes (first name, last name, etc.) of the user once created. For example, I create the user Jhon and change the name to JhonP and it throws the same error; I change it back to Jhon and the error does not appear … Any idea what it could be?

     Bill Nelson

    In general, a move operation (as you refer to it) is a MODRDN operation in LDAP. If the user’s original distinguished name (DN) is cn=John Doe, ou=Users, dc=example,dc=com and you change his full name (i.e. “cn”) from John to Jonathan, then that will typically change the DN to cn=Jonathan Doe, ou=Users, dc=example,dc=com (the exception, of course, is if you have a multi-valued cn with both names, but hopefully you get my point). This operation changes the leftmost portion of the DN, which is referred to as the RDN (or the relative distinguished name), so if you change any attribute that makes up the user’s DN, then it is a MODRDN operation – or as you refer to it, a move.

    I am not an AD guy, but I do know LDAP pretty well. AD is throwing an error because something that you are sending doesn’t jibe with what it is expecting for a MODRDN operation. I did a quick Google search to see if I could glean anything from the error you posted. The “Error in attribute conversion operation” points to an error in the data contained in one (or more) of the attributes you are passing. Here are a couple of examples:

      • Attribute has a null value (see
      • Attribute contains a value that needs to be escaped (see

    [There are more, but using the Google Debugger is just one of those crazy little fun things we get to face when working in technology. Why would I want to deprive you of that?]

    The way that I would approach this is 1) confirm that the account you are using to manage AD users has the appropriate permissions. To do this, use command line utilities (ldapmodify, modrdn, ldapadd, etc.) to see if you can achieve the same behavior OUTSIDE of IDM. If you can’t (using the same service account used to configure the LDAP connector), then the problem points to permissions in AD for your service account. If you can, then the problem points to IDM configuration. If it is internal to IDM, then 2) turn up logging verbosity to see what you are passing in the LDAP connection and see if that gleans anything useful. Finally, you can look at the AD logs or, if you don’t have access to them, get an AD admin to help. They will often yield useful information about why the operation was rejected.

    Hope this helps,
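To make the MODRDN point concrete, and to cover both the original question (moving a user to a different OU) and the reply above (a change to the RDN attribute, a null value, or a value that needs escaping), here is an added example that is not part of this thread or of OpenIDM. It classifies a proposed attribute change against an entry's current DN, escapes the new RDN value per RFC 4514, flags empty values, and emits the LDIF (RFC 2849 changetype: modrdn / modify records) you could feed to ldapmodify to reproduce the operation outside IDM with the connector's service account. All DNs and attribute values are constructed for the example; the `newsuperior` attribute is the standard LDIF way to express the move to another OU.

```python
"""Classify an attribute change against an entry's DN and build the LDIF
needed to reproduce it with ldapmodify outside IDM.
Added example, not code from the forum thread; all DNs are constructed."""

# Characters that must always be escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in an RDN: special characters anywhere,
    '#' only when leading, and a space only when leading or trailing."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas only."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def _modify_record(dn: str, attrs: dict) -> str:
    """LDIF 'changetype: modify' record replacing each attribute in attrs."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, val in attrs.items():
        lines += [f"replace: {attr}", f"{attr}: {val}", "-"]
    return "\n".join(lines)


def plan_change(dn: str, changes: dict, new_parent=None) -> dict:
    """Decide whether applying `changes` (attribute -> new value) to the entry
    at `dn`, optionally moving it under `new_parent`, is a plain modify or a
    MODRDN. Returns the operation, the resulting DN, the LDIF to try with
    ldapmodify, and any values AD is likely to reject with error 21."""
    rdns = split_dn(dn)
    rdn_attr = rdns[0].partition("=")[0].strip()
    parent = ",".join(rdns[1:])

    # A null or empty value is one of the documented causes of error 21.
    problems = [f"{a}: null or empty value" for a, v in changes.items()
                if v is None or v == ""]

    # LDAP attribute names are case-insensitive, so match accordingly.
    rdn_key = next((a for a in changes if a.lower() == rdn_attr.lower()), None)

    if rdn_key is None and new_parent is None:
        # Nothing in the DN changes: an ordinary modify is enough.
        return {"op": "modify", "new_dn": dn,
                "ldif": _modify_record(dn, changes), "problems": problems}

    # Renaming the RDN attribute and/or moving under a new parent is a MODRDN.
    new_rdn = rdns[0] if rdn_key is None \
        else f"{rdn_attr}={escape_rdn_value(changes[rdn_key] or '')}"
    new_dn = f"{new_rdn},{new_parent if new_parent is not None else parent}"
    lines = [f"dn: {dn}", "changetype: modrdn", f"newrdn: {new_rdn}", "deleteoldrdn: 1"]
    if new_parent is not None:
        lines.append(f"newsuperior: {new_parent}")
    ldif = "\n".join(lines)

    # Any other attributes still need a follow-up modify against the new DN.
    rest = {a: v for a, v in changes.items() if a != rdn_key}
    if rest:
        ldif += "\n\n" + _modify_record(new_dn, rest)
    return {"op": "modrdn", "new_dn": new_dn, "ldif": ldif, "problems": problems}


if __name__ == "__main__":
    user = "cn=John Doe,ou=Users,dc=example,dc=com"        # constructed DN
    print(plan_change(user, {"cn": "Jonathan Doe"})["ldif"])
    print()
    print(plan_change(user, {}, new_parent="ou=Staff,dc=example,dc=com")["ldif"])
    print()
    print(plan_change(user, {"cn": "Doe, John", "mail": ""}))
```

Running the printed LDIF through `ldapmodify` with the same service account the connector uses is the step-1 check from the reply: if the rename or move fails there too, the problem is AD permissions or data, not IDM; if it succeeds, look at what IDM is actually sending. The third call shows the two data problems the reply lists, an RDN value containing a comma (escaped as `\,`) and an empty attribute, which is reported under `problems`.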



©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
