Topic: Schema Checking Error Database: Why and How an LDAP Entry Went Wrong

eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

Schema Checking Error Database: Why and How an LDAP Entry Went Wrong
I'm trying to list as many wrong cases as possible for checking against the schema in this thread. Any input is welcome and helpful for those who come across the same errors.
The servers used in this testing are Microsoft Active Directory Server and SunOne Directory Server. The client is a simple JNDI LDAP ADD application as shown below.
 
 
/**
 * Sample JNDI client ADD application to demonstrate how to create a new entry
 */
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class JNDI_Add
{
    public static void main(String[] args)
    {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://myserver.mydomain.com:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=directory manager");
        env.put(Context.SECURITY_CREDENTIALS, "mypassword");

        try {
            // Create the initial context
            DirContext ctx = new InitialDirContext(env);

            // The distinguished name of the new entry
            String dn = "cn=Joe Smith,cn=users,dc=mydomain,dc=com";
            // Create attributes to be associated with the new entry
            Attributes attrs = new BasicAttributes(true);
            // Objectclass -- required in MUST list
            Attribute oc = new BasicAttribute("objectclass"); // required by 'top'
            oc.add("top");
            oc.add("person");
            oc.add("organizationalPerson");
            oc.add("inetOrgPerson");
            attrs.put(oc);
            // Other mandatory attributes -- required in MUST list
            attrs.put("cn", "Joe Smith");  // required by 'person'
            attrs.put("sn", "Smith");      // required by 'person'

            // Optional attributes -- but they must be defined in schema
            attrs.put("givenName", "Joe");
            attrs.put("mail", "jsmith@mydomain.com");
            attrs.put("employeeNumber", "999-99-9999");

            // Other optional attributes -- but they are defined in schema as alias
            attrs.put("locality", "San Jose"); /* does not work for AD */

            // Create the context
            Context result = ctx.createSubcontext(dn, attrs);

            // Close the contexts when we're done
            result.close();
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
++++++++++++++++++++ Test Run #1: Undefined Attribute Type (ssn) ++++++++++++++++++++
 
 
dn: cn=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe Smith
sn: Smith
givenname: Joe
mail: bsmith@mydomain.com
ssn: 999-99-9999 
 
  -- Results From AD --
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3009)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  -- Results From SunOne --
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  Why: The entry's attribute type 'ssn' is defined neither in the MUST list nor in the MAY list of any of its object classes. That's why AD and SunOne both forbid adding it, even though the error codes differ (error code 16 from AD versus 65 from SunOne).
 
 
 
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

SchemaViolationException: Missing Required Attribute Type
                        
++++++++++++++++++++ Test Run #2: Missing Required Attribute Type (sn) ++++++++++++++++++++
 
 
dn: cn=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe Smith
givenname: Joe
mail: bsmith@mydomain.com
 
  -- Results From AD -- OK
  -- Results From SunOne --
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  Why: The entry's attribute type 'sn' is specified in the MUST list of object class 'person' and is therefore required. That's why SunOne forbids adding it. It seems that AD does not care about the MUST list.
 
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

InvalidAttributeValueException: SINGLE-VALUEd attribute type
                        
++++++++++++++++++++ Test Run #3: Attribute Value: SINGLE-VALUE ++++++++++++++++++++
 
 
dn: cn=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe Smith
sn: Smith
givenname: Joe
mail: bsmith@mydomain.com
employeeNumber: 123-45-6789
employeeNumber: 999-99-9999
 
  -- Results From AD --
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002081: AtrErr: DSID-03151122, #1:
	0: 00002081: DSID-03151122, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20262 (employeeNumber)]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  -- Results From SunOne --
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  Why: The entry's attribute type 'employeenumber' is defined as SINGLE-VALUE in the schema and therefore cannot bear more than one value. That's why AD and SunOne both forbid adding it with '123-45-6789' and '999-99-9999' as employeenumber's values.
 
 
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

InvalidAttributeValueException: Unknown Attribute Type Used in RDN
                        
++++++++++++++++++++ Test Run #4: Unknown Attribute Type Used in RDN ++++++++++++++++++++
 
 
dn: rdn_type=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe Smith
sn: Smith
givenname: Joe
mail: bsmith@mydomain.com
 
  -- Results From AD --
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece]; remaining name 'rdn_type=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3009)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  -- Results From SunOne --
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'rdn_type=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  Why: The entry's attribute type 'rdn_type' is used as the RDN label but is not defined in the schema. That's why AD and SunOne both forbid adding it.
 
 
 
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

javax.naming.InvalidNameException: Unknown Attribute Value Used in RDN
                        
++++++++++++++++++++ Test Run #5: Unknown Attribute Value Used in RDN ++++++++++++++++++++
 
 
dn: cn=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe_Smith
sn: Smith
givenname: Joe
mail: bsmith@mydomain.com
 
  -- Results From AD --
javax.naming.InvalidNameException: cn=Joe Smith,cn=users,dc=mydomain,dc=com: [LDAP: error code 34 - 00002081: NameErr: DSID-03050AE0, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
	'cn=Joe Smith,cn=users,dc=mydomain,dc=com'  remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2926)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  -- Results From SunOne -- OK with the following extra value being added: cn: Joe Smith
 
  Why: The value 'Joe Smith' used in the RDN does not match the value given for 'cn', i.e. 'Joe_Smith'. That's why AD forbids adding it. But SunOne lets it go through, with 'Joe Smith' being automatically inserted as another value of 'cn'.
 
 
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

NoSuchAttributeException: Alias of Attribute Type Not Found
                        
++++++++++++++++++++ Test Run #6: Alias of Attribute Type ++++++++++++++++++++
 
 
dn: cn=Joe Smith,cn=users,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
cn: Joe Smith
surName: Smith
givenname: Joe
mail: bsmith@mydomain.com 
 
  -- Results From AD --
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece]; remaining name 'cn=Joe Smith,cn=users,dc=mydomain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3009)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
 
  -- Results From SunOne -- OK with the following value being added instead: sn: Smith
 
  Why: The entry's attribute type 'surName' is defined neither in the MUST list nor in the MAY list of any of its object classes. That's why AD forbids adding it. But SunOne seems to be much smarter, figuring out that 'surName' is actually the alias of 'sn' and going one step further by translating 'surName' to 'sn' while adding it.
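An added example, not part of the thread: a Python pre-flight check that runs the entries from Test Runs #1 to #6 above against a hand-constructed schema fragment, so a client can reject a malformed ADD before the server does. The attribute types, MUST/MAY lists, the SINGLE-VALUE flag on employeeNumber and the sn/surName alias are written in by hand for the example and are assumptions, not a schema read from AD or SunOne; alias folding follows what SunOne did in Test Run #6, whereas AD rejected the alias.

```python
"""Client-side pre-check of an LDAP ADD against a schema fragment.

Mirrors the thread's six test runs: undefined attribute type, missing MUST
attribute, two values on a SINGLE-VALUE type, unknown RDN type, RDN value
absent from the entry, and alias folding (surName -> sn). The schema
fragment is hand-constructed for the example, not read from a server."""

# Constructed attribute types: canonical name -> (aliases, single_valued)
ATTRIBUTE_TYPES = {
    "objectclass": (["objectclass"], False),
    "cn": (["cn", "commonname"], False),
    "sn": (["sn", "surname"], False),
    "givenname": (["givenname", "gn"], False),
    "mail": (["mail", "rfc822mailbox"], False),
    "employeenumber": (["employeenumber"], True),
}
# Constructed object classes: name -> (superior, MUST list, MAY list)
OBJECT_CLASSES = {
    "top": (None, ["objectclass"], []),
    "person": ("top", ["cn", "sn"], []),
    "organizationalperson": ("person", [], []),
    "inetorgperson": ("organizationalperson", [],
                      ["givenname", "mail", "employeenumber"]),
}
ALIAS_TO_CANONICAL = {alias: name for name, (aliases, _) in ATTRIBUTE_TYPES.items()
                      for alias in aliases}


def canonical(attr):
    """Resolve an attribute name or alias (case-insensitive) to its canonical name."""
    return ALIAS_TO_CANONICAL.get(attr.lower())


def allowed_attributes(classes):
    """Collect MUST and MAY across each object class and its superior chain."""
    must, may = set(), set()
    for oc in classes:
        name = oc.lower()
        while name is not None:
            if name not in OBJECT_CLASSES:
                raise ValueError("unknown object class '%s'" % oc)
            superior, must_list, may_list = OBJECT_CLASSES[name]
            must.update(must_list)
            may.update(may_list)
            name = superior
    return must, may


def validate_add(dn, attrs):
    """Return the schema problems an ADD of (dn, attrs) would hit; [] means clean.
    attrs maps attribute names (any alias, any case) to lists of values. Aliases
    fold onto the canonical name as SunOne does in Test Run #6 (AD rejects them).
    DN parsing assumes no escaped commas in the RDN."""
    problems = []
    entry = {}
    for attr, values in attrs.items():
        name = canonical(attr)
        if name is None:
            problems.append("undefined attribute type '%s'" % attr)  # Test Run #1
            continue
        entry.setdefault(name, []).extend(values)
    try:
        must, may = allowed_attributes(entry.get("objectclass", []))
    except ValueError as err:
        return problems + [str(err)]
    for name, values in entry.items():
        if name not in must and name not in may:
            problems.append("attribute '%s' not in MUST or MAY" % name)
        if ATTRIBUTE_TYPES[name][1] and len(values) > 1:
            problems.append("SINGLE-VALUE attribute '%s' has %d values"
                            % (name, len(values)))  # Test Run #3
    for name in sorted(must - set(entry)):
        problems.append("missing required attribute '%s'" % name)  # Test Run #2
    rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
    rdn_name = canonical(rdn_type)
    if rdn_name is None:
        problems.append("RDN type '%s' not defined in schema" % rdn_type)  # Test Run #4
    elif rdn_value not in entry.get(rdn_name, []):
        problems.append("RDN value '%s' not a value of '%s'"
                        % (rdn_value, rdn_name))  # Test Run #5
    return problems
```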
 
 
singularity (member, offline) | joined: 05/12/2009 | from: CA

I am unable to add an entry, what is wrong with the code.
                        
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class JNDI_Add {
    public static void main(String args[]) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389/cn=Manager,dc=test,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Manager,dc=test,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "openldap");
        try {
            // create an initial context
            DirContext ctx = new InitialDirContext(env);
            // The distinguished name of the new entry
            String dn = "cn=Manager,dc=test,dc=com";
            // create an attribute to be associated with this new entry
            Attributes attrs = new BasicAttributes(true);
            // ObjectClass Required in must List
            Attribute oc = new BasicAttribute("objectClass"); // required by top
            oc.add("top");
            oc.add("person");
            oc.add("inetOrgPerson");
            attrs.put(oc);
            // Other Mandatory Attributes
            attrs.put("cn", "Manager"); // required by Person
            attrs.put("sn", "Smith2");   // required by person
            // optional Attributes
            attrs.put("mail", "jsmith2@test.com");
            // Create the Context
            Context result = ctx.createSubcontext(dn, attrs);
            // Close the context when we are done
            result.close();
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
                        
eLDAP (member, offline) | posts: 107 | joined: 08/02/2006 | from: Austin, TX

Entry MUST NOT exist for the AddRequest to succeed.
                        
Hi singularity,
  Next time when you post source code you can wrap it with [code] ... [/code] so that it appears more readable.
  Could you please post the error messages thrown from the exception? But for the code you gave, the problem is obvious: the entry "cn=Manager,dc=test,dc=com" you tried to add was already there.
  Regards, eLDAP
 
 