Fatal: SmApiWrappedException:[LDAP: error code 19 - Cannot modify no-user-modification attributes]
search cancel

Fatal: SmApiWrappedException:[LDAP: error code 19 - Cannot modify no-user-modification attributes]


Article ID: 44105


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On




This document explains how to interpret a Fatal error about an attribute that can not be modified.




If you are receiving the following in Identity Manager then you are trying to modify an attribute that was set as a 'no user modification' meaning that it can not be modified:


Error: Task failed. 

Fatal Fatal: SmApiWrappedException:[LDAP: error code 19 - Cannot modify no-user-modification attributes]  




Any Identity Manager version.

Any CA Directory as Corp Store.




See below on that the DX Trace is helping to understand that this attribute is marked 'no-user-modification' - therefore can not be modified:


If your DSA is utilizing DXHOME/config/schema/sunone.dxc schema file, that explains why.

i.e. In this 'sunone.dxc' file, this specific attribute is defined as:

schema set attribute (1.2.840.113556.1.2.102) = {
name = memberOf
ldap-names = memberOf
syntax = distinguishedName
description = "Group that the entry belongs to"

As you can see the presence of 'no-user-modification' is throwing:

! [60] 20160504.153710.774 DIAG : MOD dn="cn=XXXXXX,ou=Users,ou=EXAMPLE,ou=EXAMPLE1,o=gc,c=ca" user="cn=XXXXXXXXXX,ou=Users,ou=EXAMPLE2,ou=EXAMPLE3,o=gc,c=ca" Cannot modify no-user-modification attributes
! [60] mapCacheError(109)
! [60] localAttributeProblem

Followed by:

> [60] invoke-id = 2 credit = 1
> [60] Attribute Error:
> [60] Entry:
> [60] <countryName "ca">
> [60] <organizationName "gc">
> [60] <organizationalUnitName "EXAMPLE1">
> [60] <organizationalUnitName "EXAMPLE2">
> [60] <organizationalUnitName "Users">
> [60] <commonName "XXXXXX">
> [60] Attribute: memberOf
> [60] Problem: Constraint violation
> [60] 
> [60] 
> [60] --> #37 LDAP MESSAGE messageID 2
> [60] ModifyResponse
> [60] resultCode: constraintViolation
> [60] matchedDN: 
> [60] errorMessage: Cannot modify no-user-modification attributes

The actual tell tale sign here is:

> [60] Attribute: memberOf

> [60] Problem: Constraint violation 



Solution :





Additional Information:



Release: CAIDMB99000-12.6.8-Identity Manager-B to B


In General, removing the line "no-user-modification" from the schema's attribute definition will allow users to modify the attribute's values. So, technically you can remove this line and restart your DSA.

But:  It is important to explain here that there are internal attributes to the DSA operation , to the 'dxserver' process. We refer to these attributes as Operational Attributes. These attributes should not be set or overridden by users and should be handled by the dxserver process solely. So, when coming to remove this line, you should make sure you know what you're doing, make sure you understand what this attribute is and whether it is an Operational Attribute. If you are unsure you are welcome to find out in our Communities page or open a Support case. Operational Attributes that have changed to allow user modification are not a practice that we support and certainly not encouraging.