AD Driver - LDAP Error code 80 LDAP_OTHER Server Error 00000523 SysErr DSID-031A1202 problem 22

  • 7017077
  • 11-Dec-2015
  • 11-Dec-2015

Environment


NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Active Directory

Situation

The following error is received when trying to submit a user add operation to AD.   Modify operations complete successfully.

[12/10/15 07:08:06.655]:AD :Remote Interface Driver: Received.
[12/10/15 07:08:06.656]:AD :
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20130305_120000" instance="\NOVELLTEST\NOVELL\SERVICES\DriverSet\TEST-AD" version="4.0.0.1">AD</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <status event-id="ADMIDM01WS-NDS#20151210160805#1#1:dc1c064d-fb85-4645-a6cc-17ebf6044d66" level="error" type="driver-general">
      <ldap-err ldap-rc="80" ldap-rc-name="LDAP_OTHER">
        <client-err ldap-rc="80" ldap-rc-name="LDAP_OTHER">Other</client-err>
        <server-err>00000523: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
</server-err>
        <server-err-ex win32-rc="1315"/>
      </ldap-err>
    </status>
  </output>
</nds>

Resolution

Verify that all attributes in the submitted XML comply with AD schema constraints.

In this particular issue DirXML-ADAliasName was being mapped to samAccountName in the schema mapping policy, and the value in DirXML-ADAliasName exceeded the 20 charactor limit for samAccountName, per AD schema.   Thus it threw an error back.

In a default Active Directory driver,  DirXML-ADAliasName is mapped to userPrincipalName (no size limit), and CN is mapped to samAccountName.

Cause

Submitted XML document contained a value in samAccountName that exceeded the 20 charactor limit, per Active Directory schema.

[12/10/15 07:08:07.241]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Standard" version="4.0.2.7">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add cached-time="20151210160805.391Z" class-name="user" dest-dn="CN=testuser1,OU=Test,dc=lab,dc=novell,dc=com" event-id="ADMIDM01WS-NDS#20151210160805#1#2:0cb875c1-99f9-4bbf-935b-88a86cd0e7f5" qualified-src-dn="O=NOVELL\OU=USERS\CN=testuser1" src-dn="\NOVELL\NOVELL\USERS\testuser1" src-entry-id="72255" timestamp="0#0">
      <add-attr attr-name="displayName">
        <value timestamp="1449689728#6" type="string">Test User1</value>
      </add-attr>
      <add-attr attr-name="givenName">
        <value timestamp="1449689728#4" type="string">Test</value>
      </add-attr>
      <add-attr attr-name="physicalDeliveryOfficeName">
        <value timestamp="1449694038#2" type="string">LAB</value>
      </add-attr>
      <add-attr attr-name="sn">
        <value timestamp="1449689728#3" type="string">User1</value>
      </add-attr>
      <add-attr attr-name="samAccountName">
        <value type="string">testuser1@lab.novell.com</value>
      </add-attr>
      <add-attr attr-name="userPrincipalName">
        <value type="string">testuser1</value>
      </add-attr>
      <add-attr attr-name="dirxml-uACAccountDisable">
        <value type="string">false</value>
      </add-attr>
      <add-attr attr-name="samAccountName">
        <value>testuser1@lab.novell.com</value>
      </add-attr>
      <add-attr attr-name="userPrincipalName">
        <value>testuser1</value>
      </add-attr>
      <add-attr attr-name="homeMDB">
        <value type="string"/>
      </add-attr>
      <add-attr attr-name="mailNickname">
        <value type="string">testuser1</value>
      </add-attr>
      <password><!-- content suppressed --></password>
    </add>
  </input>
</nds>

Feedback service temporarily unavailable. For content questions or problems, please contact Support.