LDAP Error Code 21: Invalid Attribute Syntax in CA Identity Portal

Article ID: 182898

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

When logging into CA Identity Portal (IP), the login succeeds and the page loads, but users cannot search for tasks. The following error is recorded in the CA Identity Manager (IM) server logs:

 21:56:24,484 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-28) FINDOBJECTS FILTER=(pAddress=uid=pefons,ou=People,ou=im,ou=ca,o=com#%$*)
 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) evaluateSearchUnit has naming exception
 21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]; remaining name 'ou=people,ou=im,ou=ca,o=com'

Environment

Product: CA Identity Suite (Virtual Appliance)

Release: 14.x, v15

Component: CA Identity Portal, CA Identity Manager

Cause

LDAP error code 21 is a syntax error indicating that a value being sent to the directory does not match the syntax defined for that attribute in the schema. This typically occurs when a CA Identity Manager user attribute (e.g., %DELEGATORS%) is incorrectly mapped to an incompatible or non-existent physical attribute in the LDAP user store (e.g., pAddress).

Resolution

You can enable debugging temporarily without a restart using the logging_v2.jsp page.

http://<im_server>:<port>/iam/im/logging_v2.jsp

  1. Locate the following category: ims.llsdk.directory.jndi
  2. Set the log level to DEBUG.
  3. Click Update at the bottom of the page.
    • Note: In a clustered environment, repeat these steps for each node.

Reproduce the search error and check the server.log. Look for the _FINDOBJECTS FILTER line immediately preceding the error:

 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-28) _FINDOBJECTS FILTER=(pAddress=uid=user1,ou=People,ou=im,ou=ca,o=com#%$*)
 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]

The filter reveals which physical attribute (e.g., pAddress) is receiving the invalid data.

The problem occurs when a well-known user attribute (e.g., %DELEGATORS%) is mapped to an incorrect or incompatible physical attribute (here, pAddress).
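As an added example that is not part of this article, the following Python script pairs each LDAP error code 21 with the most recent _FINDOBJECTS FILTER line logged on the same worker thread and reports the physical attribute that received the rejected value; the sample log lines are constructed from the fragments quoted above, and the DN-shape check is a heuristic, not a CA Identity Manager feature.

```python
import re

# Constructed sample of CA Identity Manager server.log output (not a real log);
# the first three lines mirror the fragments quoted in this article.
SAMPLE_LOG = """\
21:56:24,484 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-28) _FINDOBJECTS FILTER=(pAddress=uid=user1,ou=People,ou=im,ou=ca,o=com#%$*)
21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) evaluateSearchUnit has naming exception
21:56:24,485 ERROR [ims.llsdk.directory.jndi.searcher] (default task-28) javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Invalid Attribute Syntax]; remaining name 'ou=people,ou=im,ou=ca,o=com'
21:57:01,002 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-30) _FINDOBJECTS FILTER=(uid=user2)
21:57:01,010 DEBUG [ims.llsdk.directory.jndi.searcher] (default task-30) found 1 object(s)
"""

# Worker thread id, physical attribute name and the value placed in the filter.
FILTER_RE = re.compile(r"\((default task-\d+)\) _?FINDOBJECTS FILTER=\((\w+)=(.*)\)\s*$")
# Same worker thread id, followed anywhere on the line by the LDAP syntax error.
ERROR_RE = re.compile(r"\((default task-\d+)\) .*LDAP: error code 21 - Invalid Attribute Syntax")


def looks_like_dn(value):
    """Heuristic: a value of the form 'attr=...,attr=...' is DN-shaped, which suggests
    a DN-valued well-known attribute (such as %DELEGATORS%) behind the search."""
    return bool(re.match(r"^\w+=[^,]+,\w+=", value))


def find_bad_mappings(log_text):
    """Return (thread, physical_attribute, value, dn_shaped) for every LDAP error 21,
    using the most recent _FINDOBJECTS FILTER logged on the same worker thread."""
    last_filter = {}  # thread id -> (attribute, value)
    findings = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            last_filter[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = ERROR_RE.search(line)
        if m and m.group(1) in last_filter:
            attr, value = last_filter.pop(m.group(1))
            findings.append((m.group(1), attr, value, looks_like_dn(value)))
    return findings


if __name__ == "__main__":
    for thread, attr, value, dn_shaped in find_bad_mappings(SAMPLE_LOG):
        print(f"{thread}: attribute '{attr}' rejected value {value!r}"
              + (" (DN-shaped: check the well-known attribute mapping)" if dn_shaped else ""))
```

Run it against a real server.log (with ims.llsdk.directory.jndi at DEBUG) by passing the file contents to find_bad_mappings; each finding names the physical attribute whose mapping to check in directory.xml.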

Correct the Mapping

  1. In the Identity Manager Management Console, navigate to Directories > [Your Directory] > Export.
  2. Open the directory.xml file.
  3. Locate the physical attribute identified in the _FINDOBJECTS FILTER line (e.g., pAddress).
  4. Ensure the well-known attribute mapping matches the correct physical attribute in your LDAP store.
  5. If the mapping is incorrect, update the directory.xml, save it, and Update the directory configuration in the Management Console.