ISW (DSEE 6.0) LDAP error 65

Hey all,

We have ID-Sync for Windows installed and connected to our test AD and test DSEE instance. Everything appears to be configured correctly, the idsync resync command shows that data is being read and that accounts are connected, but the ISW attributes in the LDAP (destinationIndicator, the dspsw* attrs) are always blank.

On the account that I am using to test with, there are always LDAP error 65 messages in the LDAP log for the "bannerID" (an internal attr that we use, similar to an employee ID) whenever ISW tries to access the account. The ACL for the ISW service account allows full read/write access for the entire subtree, and this is the only app or account that has trouble with this attribute.

Has anyone else seen this error, or does anyone have any input as to what might be causing this error?

[842 byte] By [mckinga] at [2007-11-27 7:14:52]
# 1

Error code 65 means an objectclass violation.

Something is trying to modify the bannerID in a way that would step outside of objectclass rules.

Questions to ask yourself:

- Is the bannerID a required attribute?

- Is the app trying to remove (delete) the bannerID attribute from an entry?

- Is the app trying to add an entry without a bannerID attribute?

gtholberta at 2007-7-12 19:05:05
# 2

Digging through the logs, I see these errors on the LDAP connector:

[12/Jun/2007:14:12:16.860 -0500] FINE335 CNN101 dsdev "LDAP Modify Request: [REPLACE dspswuserlink: yG+lkU1n1k+xRtQkx3xPnw==] [REPLACE dspswvalidate: true] [REPLACE objectclass: dspswuser, inetOrgPerson] [REPLACE dspswloop: true] [REPLACE dspswloop: ] "

[12/Jun/2007:14:12:16.868 -0500] FINE335 CNN101 dsdev "LDAP operation on entry uid=aax328,ou=People,dc=utsa,dc=edu failed at ldap://dsdev:1389, error(65): Object class violation." (Action ID=CNN100-112DF11532B-24754, SN=9)

[12/Jun/2007:14:12:16.871 -0500] SEVERE 335 CNN101 dsdev "LDAP modify operation of entry uid=aax328,ou=People,dc=utsa,dc=edu failed at null. Error code: 65, reason: null" (Action ID=CNN100-112DF11532B-24754, SN=10)

This leads me to think that the LDAP connector is intentionally trying to replace the entire list of objectclasses that an object belongs to with the two objectclasses "dspswuser" and "inetOrgPerson". I can see adding the "dspswuser" objectclass if it doesn't exist, in order to make sure that the dspsw attrs are available on every object (not the most elegant way, but...OK), but completely replacing all objectclasses?

We have 2 objectclasses that extend upon inetOrgPerson, a custom internal one, and the eduPerson schema from EduCause. I have hunted through the documentation and the config GUI for ISW, and I cannot find anywhere where this is mentioned.

mckinga at 2007-7-12 19:05:05
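
Added example, not part of the original posts and not ISW code: a small Python check that replays the modify request from the connector log above against a constructed entry and a toy schema, to show which attributes would be left without a permitting objectclass (the error 65 condition). The class name "utsaPerson", the attribute-to-class mapping and the sample entry values are assumptions.

```python
import re

# Constructed toy schema: class -> (superior, attributes it permits); "utsaPerson" is assumed.
SCHEMA = {
    "top": (None, {"objectclass"}),
    "person": ("top", {"cn", "sn"}),
    "organizationalperson": ("person", {"ou"}),
    "inetorgperson": ("organizationalperson", {"uid", "mail"}),
    "eduperson": ("top", {"edupersonaffiliation"}),
    "utsaperson": ("top", {"bannerid"}),
    "dspswuser": ("top", {"dspswuserlink", "dspswvalidate", "dspswloop"}),
}
# Constructed entry; only the uid and the modify request come from the thread.
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "eduPerson", "utsaPerson"],
    "uid": ["aax328"], "cn": ["Test User"], "sn": ["User"],
    "bannerid": ["constructed-id"], "edupersonaffiliation": ["staff"],
}
LOG = ('"LDAP Modify Request: [REPLACE dspswuserlink: yG+lkU1n1k+xRtQkx3xPnw==] '
       '[REPLACE dspswvalidate: true] [REPLACE objectclass: dspswuser, inetOrgPerson] '
       '[REPLACE dspswloop: true] [REPLACE dspswloop: ] "')

def parse_mods(line):
    """Return (op, attr, values) tuples from a connector modify-request line."""
    found = re.findall(r"\[(\w+) ([\w-]+): ([^\]]*)\]", line)
    return [(op, attr.lower(), [v.strip() for v in vals.split(",") if v.strip()])
            for op, attr, vals in found]

def apply_mods(entry, mods):
    """Apply REPLACE/ADD modifications to a copy of the entry."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == "ADD":
            result.setdefault(attr, []).extend(values)
        elif values:
            result[attr] = values          # REPLACE with new values
        else:
            result.pop(attr, None)         # REPLACE with no values deletes
    return result

def violations(entry):
    """Attributes on the entry that none of its objectclasses permits."""
    allowed = set()
    for name in (oc.lower() for oc in entry.get("objectclass", [])):
        while name:                        # walk up the superior chain
            name, attrs = SCHEMA[name][0], SCHEMA[name][1]
            allowed |= attrs
    return sorted(set(entry) - allowed)
```

Calling violations(apply_mods(ENTRY, parse_mods(LOG))) lists the stranded attributes for the logged request; changing the objectclass REPLACE to an ADD of dspswuser leaves the constructed entry valid.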