Unable to create new users in CA Identity Manager due to LDAP: error code 65 - Object Class Violation


Article ID: 8361


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

You have an environment with a CA Directory corporate user store, and that user store has custom CA Directory object classes attached to your users. When creating a user in Identity Manager you're providing all of the required attributes for all of your object classes but you're still seeing the following error on screen:

 

Failed to execute CreateUserEvent. ERROR MESSAGE: [LDAP: error code 65 - Object Class Violation] Failed

 

However, you are NOT seeing any errors in your CA Directory log during user creation, and it does not appear that the create request is reaching CA Directory at all.

Cause

In your Identity Manager Management Console under Directories -> Corporate User Store, your user object only has inetOrgPerson listed under Object Classes. 

 

Environment

Identity Manager 14.x

Resolution

In your Management Console, export your Corporate User Store Directory.xml file. In the file should be a line that looks similar to this: 

<ImsManagedObject name="User" description="My Users" objectclass="top,imUser" pagesize="0" maxrows="0" objecttype="USER">

 

Add your additional custom classes to this line as follows; I added myClass1 and myClass2:

<ImsManagedObject name="User" description="My Users" objectclass="top,imUser,imUserAux" pagesize="0" maxrows="0" objecttype="USER">

 

Save the file and reimport it into the environment using the Update button. After that, the UserStore will be displayed as follows in the Identity Manager Management Console:

 

Next, add the new object class imUserAux to every user entry already in the user store. Do this by dumping the user store to an LDIF file, editing the file, and loading it back:

- Dump the userStore LDIF

- Add "objectClass: imUserAux" to all users

- Stop the userStore DSA

- Load the userStore LDIF file

- Start the userStore DSA

 

For example:

The imadmin user before changing:

dn: uid=imadmin,ou=people,ou=im,ou=ca,o=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: imUser

 

The imadmin user after adding the imUserAux object class:

dn: uid=imadmin,ou=people,ou=im,ou=ca,o=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: imUser
objectClass: imUserAux

If you are using the Virtual Appliance, use the following steps to dump, edit and reload the UserStore.

From the vApp:

> su - dsa

> cd bin

> dxserver stop UserStore_userstore-01

> dxdumpdb -f UserStore.ldif UserStore_userstore-01

> At this point edit the UserStore.ldif file, and add the "objectClass: imUserAux" line as shown above

> dxloaddb UserStore_userstore-01 UserStore.ldif

> dxserver start UserStore_userstore-01
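One way to script the edit step above rather than changing each entry by hand. This is an added example, not Broadcom's own tooling; it assumes user entries are the ones carrying objectClass imUser (as imadmin does above), and the function names and the UserStore.new.ldif file name are hypothetical:

```shell
#!/bin/sh
# Add "objectClass: imUserAux" to every entry in an LDIF dump that carries
# imUser but not yet imUserAux. Assumption: user entries are the ones with
# objectClass imUser, as in the imadmin example. Safe to re-run (idempotent).
add_imuseraux() {   # usage: add_imuseraux IN.ldif OUT.ldif
    awk '
    function flush(   i, l, has_user, has_aux, last_oc) {
        has_user = has_aux = last_oc = 0
        for (i = 1; i <= n; i++) {
            l = tolower(buf[i])             # attribute names are case-insensitive
            if (l ~ /^objectclass:[ \t]*imuser[ \t\r]*$/)    has_user = 1
            if (l ~ /^objectclass:[ \t]*imuseraux[ \t\r]*$/) has_aux = 1
            if (l ~ /^objectclass:/) last_oc = i
        }
        for (i = 1; i <= n; i++) {
            print buf[i]
            # insert right after the last objectClass line of the entry
            if (i == last_oc && has_user && !has_aux) print "objectClass: imUserAux"
        }
        n = 0
    }
    /^[ \t\r]*$/ { flush(); print; next }   # a blank line ends an LDIF entry
    { buf[++n] = $0 }
    END { flush() }                         # last entry may lack a trailing blank line
    ' "$1" > "$2"
}

# Constructed sample dump: a container, a user to fix, a user already fixed.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/UserStore.ldif" <<'EOF'
dn: ou=people,ou=im,ou=ca,o=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=imadmin,ou=people,ou=im,ou=ca,o=com
objectClass: top
objectClass: inetOrgPerson
objectClass: imUser
uid: imadmin

dn: uid=jdoe,ou=people,ou=im,ou=ca,o=com
objectClass: imUser
objectClass: imUserAux
uid: jdoe
EOF
    add_imuseraux "$tmp/UserStore.ldif" "$tmp/UserStore.new.ldif" &&
        diff "$tmp/UserStore.ldif" "$tmp/UserStore.new.ldif"
    rm -rf "$tmp"
}
```

Keep the original dump as a backup, write the result to a new file, and review the diff before running dxloaddb against it.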

 

 

Do the same for dsaadmin as described in the link below; see the "Update objectClass Attributes for Users in CA Identity Manager User Store Data" section.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-2/configuring/extending-the-user-store-with-imuseraux-object-class.html

 

Additional Information

Extending the User Store with imUserAux Object Class

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-2/configuring/extending-the-user-store-with-imuseraux-object-class.html
