LDAP: error code 21 - Invalid Attribute Syntax

Article ID: 182898

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

When logging in to CA Identity Portal (IP), the login succeeds and the page loads, but users cannot search for tasks, and the following error is logged in the CA Identity Manager (IM) server log:

ERROR [ims.llsdk.directory.jndi.searcher] (default task- 32) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]; remaining name 'ou=people,ou=im,ou=ca,o=com'

Cause

LDAP: error code 21 is a syntax error. This is a user configuration issue.

Environment

Release : 14.3

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Setting the log level to debug provides further insight into the source of the issue.
 
2020-02-25 21:56:24,484 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-28) FINDOBJECTS FILTER=(pAddress=uid=pefons,ou=People,ou=im,ou=ca,o=com#%$*)
2020-02-25 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) evaluateSearchUnit has naming exception
2020-02-25 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]; remaining name 'ou=people,ou=im,ou=ca,o=com'

The problem occurs when a user attribute (i.e. %DELEGATORS%) is mapped to an incorrect or incompatible field (pAddress). Amending the configuration resolves the issue.
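The following Python sketch is an added example, not part of the original article or of the product. It pairs each error code 21 in a debug-level IM server log with the last FINDOBJECTS FILTER logged on the same thread, so the attribute in the rejected filter can be read off directly. The line layout is assumed from the excerpt above, and the task-31 line in the sample is constructed.

```python
import re

# Lines 1, 3 and 4 are the article's debug excerpt; line 2 (task-31) is constructed
# to show that a filter logged on another thread is not blamed for the error.
SAMPLE_LOG = """\
2020-02-25 21:56:24,484 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-28) FINDOBJECTS FILTER=(pAddress=uid=pefons,ou=People,ou=im,ou=ca,o=com#%$*)
2020-02-25 21:56:24,484 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-31) FINDOBJECTS FILTER=(uid=constructed)
2020-02-25 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) evaluateSearchUnit has naming exception
2020-02-25 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]; remaining name 'ou=people,ou=im,ou=ca,o=com'
"""

# Assumed layout: "<date> <time> LEVEL [logger] (thread) message"
LINE = re.compile(r"^(?P<ts>\S+ \S+) +(?P<level>[A-Z]+) +\[[^\]]+\] +\((?P<thread>[^)]*)\) (?P<msg>.*)$")
FILTER = re.compile(r"FINDOBJECTS FILTER=(?P<filter>.*)$")
# Single-assertion filter "(attr=value)"; compound filters are reported unparsed.
SIMPLE = re.compile(r"^\((?P<attr>[A-Za-z][\w;.-]*)(?:~=|>=|<=|=)(?P<value>.*)\)$")
ERR21 = "LDAP: error code 21"

def find_rejected_filters(log_text):
    """Return one finding per error 21, tied to the same thread's last filter."""
    last_filter = {}  # thread name -> (timestamp, filter string)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Tolerate "task- 32" style spacing in the thread name.
        thread = re.sub(r"-\s+", "-", m["thread"])
        f = FILTER.search(m["msg"])
        if f:
            last_filter[thread] = (m["ts"], f["filter"])
        elif ERR21 in m["msg"] and thread in last_filter:
            ts, flt = last_filter.pop(thread)
            s = SIMPLE.match(flt)
            findings.append({
                "thread": thread, "filter_time": ts, "filter": flt,
                "attribute": s["attr"] if s else None,
                "value": s["value"] if s else None,
            })
    return findings

if __name__ == "__main__":
    for hit in find_rejected_filters(SAMPLE_LOG):
        print(f'{hit["filter_time"]} [{hit["thread"]}] rejected attribute '
              f'{hit["attribute"]!r} with value {hit["value"]!r}')
```

The attribute it reports (pAddress for the excerpt above) is the field whose mapping should be reviewed.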