Fatal: SmApiWrappedException:[LDAP: error code 19 - Cannot modify no-user-modification attributes]

Article ID: 44105

Updated On:

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Introduction:

 

This document explains how to interpret a Fatal error about an attribute that cannot be modified.

 

Background:

 

If you receive the following error in Identity Manager, you are trying to modify an attribute that is set as 'no-user-modification', meaning that it cannot be modified:

 

Error: Task failed. 

Fatal Fatal: SmApiWrappedException:[LDAP: error code 19 - Cannot modify no-user-modification attributes]  

 

Environment:

 

Any Identity Manager version.

Any CA Directory as Corp Store.

 

 

Instructions: 

The DX trace below shows that the attribute is marked 'no-user-modification' and therefore cannot be modified.

If your DSA uses the DXHOME/config/schema/sunone.dxc schema file, that explains why.

For example, in this 'sunone.dxc' file, the memberOf attribute is defined as:

schema set attribute (1.2.840.113556.1.2.102) = {
name = memberOf
ldap-names = memberOf
syntax = distinguishedName
no-user-modification
description = "Group that the entry belongs to"
};

The presence of 'no-user-modification' in this definition causes the DSA to log:

! [60] 20160504.153710.774 DIAG : MOD dn="cn=XXXXXX,ou=Users,ou=EXAMPLE,ou=EXAMPLE1,o=gc,c=ca" user="cn=XXXXXXXXXX,ou=Users,ou=EXAMPLE2,ou=EXAMPLE3,o=gc,c=ca" Cannot modify no-user-modification attributes
! [60] mapCacheError(109)
! [60] localAttributeProblem


Followed by:

> [60] -> #36 LDAP MOD-ENTRY-REFUSE
> [60] invoke-id = 2 credit = 1
> [60] Attribute Error:
> [60] Entry:
> [60] <countryName "ca">
> [60] <organizationName "gc">
> [60] <organizationalUnitName "EXAMPLE1">
> [60] <organizationalUnitName "EXAMPLE2">
> [60] <organizationalUnitName "Users">
> [60] <commonName "XXXXXX">
> [60] Attribute: memberOf
> [60] Problem: Constraint violation
> [60] 
> [60] 
> [60] --> #37 LDAP MESSAGE messageID 2
> [60] ModifyResponse
> [60] resultCode: constraintViolation
> [60] matchedDN: 
> [60] errorMessage: Cannot modify no-user-modification attributes


The actual telltale sign here is:

> [60] Attribute: memberOf

> [60] Problem: Constraint violation 
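
To confirm which schema definition is behind a refused modify, the following added Python example (not part of the original article or of any CA tooling) pairs the Attribute/Problem lines of a DX trace with the attribute blocks in a .dxc schema that carry no-user-modification. The function names, the embedded sample text and the second attribute (exampleNickname and its OID) are assumptions made for illustration.

```python
import re

# Constructed inputs modelled on the excerpts in this article. The second
# attribute (exampleNickname and its OID) is invented purely as a contrast case.
SCHEMA = """
schema set attribute (1.2.840.113556.1.2.102) = {
name = memberOf
ldap-names = memberOf
syntax = distinguishedName
no-user-modification
description = "Group that the entry belongs to"
};
schema set attribute (1.1.1.1.9999) = {
name = exampleNickname
syntax = caseIgnoreString
};
"""
TRACE = """
> [60] -> #36 LDAP MOD-ENTRY-REFUSE
> [60] Attribute Error:
> [60] Attribute: memberOf
> [60] Problem: Constraint violation
> [60] errorMessage: Cannot modify no-user-modification attributes
"""
ATTR_BLOCK = re.compile(r"schema set attribute\s*\(([\d.]+)\)\s*=\s*\{(.*?)\};", re.S)
# An "Attribute:" trace line immediately followed by its "Problem:" line.
PAIR = re.compile(r"\] *Attribute: *(\S+) *\n.*\] *Problem: *(.*\S)")

def read_only_attributes(schema_text):
    """Map lower-cased attribute name -> OID for no-user-modification attributes."""
    found = {}
    for oid, body in ATTR_BLOCK.findall(schema_text):
        lines = [line.strip() for line in body.splitlines()]
        if "no-user-modification" in lines:
            for line in lines:
                m = re.match(r"(?:name|ldap-names)\s*=\s*(\S+)", line)
                if m:
                    found[m.group(1).lower()] = oid
    return found

def refused_attributes(trace_text):
    """Return (attribute, problem) pairs reported in the trace."""
    return PAIR.findall(trace_text)

def explain(trace_text, schema_text):
    """For each refused attribute, give the OID of the definition that locks it."""
    read_only = read_only_attributes(schema_text)
    return [(a, p, read_only.get(a.lower())) for a, p in refused_attributes(trace_text)]
```

An OID of None in the result means the refused attribute is not flagged in the schema text that was supplied, so the restriction comes from a different schema file.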

 

 

Solution :

 

 

 

 

Additional Information:

None. 

Environment

Release: CAIDMB99000-12.6.8-Identity Manager-B to B
Component:

Resolution

In general, removing the line "no-user-modification" from the schema's attribute definition will allow users to modify the attribute's values. So, technically, you can remove this line and restart your DSA.

However, some attributes are internal to the operation of the DSA, that is, to the 'dxserver' process. We refer to these as Operational Attributes. They should not be set or overridden by users and should be handled solely by the dxserver process. So, before removing this line, make sure you understand what the attribute is and whether it is an Operational Attribute. If you are unsure, you are welcome to ask on our Communities page or open a Support case. Changing Operational Attributes to allow user modification is not a practice that we support, and we certainly do not encourage it.