Does not apply to Identity Cloud

Synchronization fails in IDM (All versions) for attributes that are zero-length or have an empty or null value

Last updated Nov 3, 2021

The purpose of this article is to provide assistance if you encounter LDAP: error code 21 exceptions in IDM when syncing data to DS, with errors stating that an attribute value is invalid according to the syntax for that attribute because the value is zero-length, empty or null. Common errors seen include: "The operation attempted to assign a zero-length value to an attribute with the directory string syntax" or "The provided value is not a valid telephone number because it is empty or null".


Symptoms

Data synchronization to DS fails and you see LDAP: error code 21 exceptions. This can happen for most syntaxes but commonly affects Directory String and Telephone Number as shown in these example IDM log entries (for an attribute called Attribute1):

  • Directory String syntax:
    Caused by: org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Entry "employeeId=user10,ou=Users,dc=example,dc=com" contains a value "" for attribute Attribute1 that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax]; remaining name 'employeeId=user10,ou=Users,dc=example,dc=com'
    Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - When attempting to modify entry cn=John,ou=People,dc=example,dc=com to replace the set of values for attribute Attribute1, value "" was found to be invalid according to the associated syntax: The operation attempted to assign a zero-length value to an attribute with the directory string syntax]; remaining name 'cn=John,ou=People,dc=example,dc=com'
  • Telephone Number syntax:
    Caused by: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: [LDAP: error code 21 - When attempting to modify entry employeeId=user10,ou=Users,dc=example,dc=com to replace the set of values for attribute Attribute1, value "" was found to be invalid according to the associated syntax: The provided value is not a valid telephone number because it is empty or null]
    Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Entry "uid=jdoe,dc=example,dc=com" contains a value "" for attribute Attribute1 that is invalid according to the syntax for that attribute: The provided value is not a valid telephone number because it is empty or null]; remaining name 'uid=jdoe,dc=example,dc=com'

These errors only occur when the attribute's value in IDM is an empty string; they are not seen when the attribute has a non-empty value.

You will see similar errors in the DS Access logs when this happens, for example:

  • Directory String syntax:
    {"eventName":"DJ-LDAP","client":{"ip":"198.51.100.0","port":8443},"server":{"ip":"198.51.100.0","port":1636},"request":{"protocol":"LDAPS","operation":"ADD","connId":291,"msgId":47,"dn":"uid=jdoe,ou=People,ou=employees,dc=example,dc=com"},"transactionId":"0","response":{"status":"FAILED","statusCode":"21","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"Entry uid=jdoe,ou=People,ou=employees,dc=example,dc=com contains a value \"\" for attribute Attribute1 that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax"},"timestamp":"2021-08-08T14:22:43.683Z","_id":"c2a5dbd3-4960-b7d2-96e2-20370bf25b31-737"}
  • Telephone Number syntax:
    {"eventName":"DJ-LDAP","client":{"ip":"198.51.100.0","port":8443},"server":{"ip":"198.51.100.0","port":1636},"request":{"protocol":"LDAPS","operation":"MODIFY","connId":2131,"msgId":47,"dn":"uid=jdoe,ou=People,ou=employees,dc=example,dc=com"},"transactionId":"0","response":{"status":"FAILED","statusCode":"21","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"When attempting to modify entry uid=jdoe,ou=People,ou=employees,dc=example,dc=com to replace the set of values for attribute Attribute1, value \"\" was found to be invalid according to the associated syntax: The provided value is not a valid telephone number because it is empty or null"},"timestamp":"2021-08-08T14:22:43.683Z","_id":"c2a5dbd3-4960-b7d2-96e2-20370bf25b31-737"}
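As an added example (not part of the original article), the following Node.js script scans DS access-log lines like the ones above for result code 21 and reports, per failed operation, the entry DN, the attribute that failed the syntax check, and whether the rejected value was the zero-length string. The log lines embedded in it are constructed with placeholder DNs, connection IDs and timestamps; the field names and message wording are the ones shown in the entries above.

```javascript
// Added example (not from the ForgeRock article): triage a DS JSON access log
// for LDAP result code 21 (invalidAttributeSyntax) and report, per failed
// operation, the entry DN and the attribute whose value failed the syntax
// check, so you can see which IDM property mappings need an empty-value
// transform. Field names follow the DS access-log entries shown in the article.

// Constructed sample lines in the DS access-log format (placeholder DNs,
// connection IDs and timestamps; not real log data). The third line is a
// successful MODIFY and the fourth is junk, to show both are skipped.
const SAMPLE_ACCESS_LOG = [
  '{"eventName":"DJ-LDAP","request":{"protocol":"LDAPS","operation":"ADD","connId":291,"msgId":47,"dn":"uid=jdoe,ou=People,dc=example,dc=com"},"response":{"status":"FAILED","statusCode":"21","detail":"Entry uid=jdoe,ou=People,dc=example,dc=com contains a value \\"\\" for attribute Attribute1 that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax"},"timestamp":"2021-08-08T14:22:43.683Z"}',
  '{"eventName":"DJ-LDAP","request":{"protocol":"LDAPS","operation":"MODIFY","connId":2131,"msgId":48,"dn":"uid=jdoe,ou=People,dc=example,dc=com"},"response":{"status":"FAILED","statusCode":"21","detail":"When attempting to modify entry uid=jdoe,ou=People,dc=example,dc=com to replace the set of values for attribute telephoneNumber, value \\"\\" was found to be invalid according to the associated syntax: The provided value is not a valid telephone number because it is empty or null"},"timestamp":"2021-08-08T14:22:44.001Z"}',
  '{"eventName":"DJ-LDAP","request":{"protocol":"LDAPS","operation":"MODIFY","connId":2131,"msgId":49,"dn":"uid=asmith,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0"},"timestamp":"2021-08-08T14:22:45.120Z"}',
  "this line is not JSON and must be skipped, not crash the scan",
];

// RFC 4511 result code for invalidAttributeSyntax. DS logs it as a string.
const INVALID_ATTRIBUTE_SYNTAX = "21";

// DS names the offending attribute as "for attribute <name>" in both the
// ADD ("... for attribute X that is invalid ...") and MODIFY
// ("... for attribute X, value ...") messages, so one pattern covers both.
const ATTRIBUTE_RE = /for attribute ([^\s,]+)/;

function parseAccessLogLine(line) {
  try {
    return JSON.parse(line);
  } catch (err) {
    return null; // truncated or non-JSON line: skip rather than abort the scan
  }
}

// Returns one record per failed operation with result code 21.
function findSyntaxFailures(lines) {
  const failures = [];
  for (const line of lines) {
    const ev = parseAccessLogLine(line);
    if (!ev || !ev.response || ev.response.statusCode !== INVALID_ATTRIBUTE_SYNTAX) {
      continue;
    }
    const detail = ev.response.detail || "";
    const match = ATTRIBUTE_RE.exec(detail);
    failures.push({
      timestamp: ev.timestamp,
      operation: ev.request ? ev.request.operation : undefined,
      dn: ev.request ? ev.request.dn : undefined,
      attribute: match ? match[1] : null,
      // true when the rejected value was the zero-length string, i.e. the
      // case this article is about rather than some other syntax violation
      zeroLength: detail.includes('value ""'),
      // the syntax checker's own message is the last ": "-separated part
      reason: detail.split(": ").pop(),
    });
  }
  return failures;
}

// Counts failures per attribute: the attributes listed here are the ones
// whose sync.json property mappings need an empty-value transform.
function summarizeByAttribute(failures) {
  const counts = {};
  for (const f of failures) {
    const key = f.attribute || "(unknown)";
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = findSyntaxFailures(SAMPLE_ACCESS_LOG);
  console.log(failures);
  console.log(summarizeByAttribute(failures));
}
```

Point it at a real log by reading the access-log file line by line into findSyntaxFailures; the attribute counts tell you which property mappings to fix, and a record with zeroLength set to false is a different syntax problem (for example a malformed telephone number) that the transform in this article will not cure.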

Recent Changes

Configured the LDAP connector to synchronize data to DS.

Updated the mapping configuration file (sync.json, located in the /path/to/idm/conf directory).

Causes

By default, DS does not allow empty string values (zero-length values) for most syntaxes. Notably, this applies to attributes that have a syntax of Directory String (per the RFC 4517 standard, a zero-length character string is not permitted), but it is also true of attributes with most other syntaxes (excluding IA5 String and DN). See Syntaxes for further information.

LDAP result code 21 (invalidAttributeSyntax) is returned when the requested operation fails because a value violates the syntax defined for the attribute it was assigned to.

Note

Although it is possible to change the schema for attributes with a syntax of Directory String to allow zero-length values, it is not recommended. Permitting empty string values is against the standard and may cause issues with other systems that do implement the LDAP standard correctly.

Solution

You can resolve this issue by adding a transform script to the property mapping of each affected attribute in sync.json, so that an empty string in the source is written to the target as a null value. A null target value means the LDAP connector sends no value for that attribute, so no zero-length string reaches DS.

For example, the following inline transform script checks whether the source property value is an empty string and, if so, sets the target value to null; otherwise the target value is set to the source value unchanged. Because the property mapping names a source property, the source variable inside the script holds that property's value:

    {
        "source" : "Attribute1",
        "target" : "Attribute1",
        "transform" : {
            "type" : "text/javascript",
            "source" : "if (source === \"\") { value = null } else { value = source }"
        }
    }

In this example the script is written inline in sync.json. Alternatively, you can put the script in a separate file and reference that file from sync.json instead, for example:

    {
        "source" : "Attribute1",
        "target" : "Attribute1",
        "transform" : {
            "type" : "text/javascript",
            "file" : "script/DirectoryStringTransform.js"
        }
    }
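The following is an added example, not the article's or ForgeRock's own script. It shows the logic a file such as script/DirectoryStringTransform.js (the file name from the fragment above; its contents are assumed here) would implement, as plain JavaScript functions that can be run and checked outside IDM. It also serves the Causes section by mirroring the DS zero-length check, so the same input can be seen rejected before the transform and accepted after it. It goes beyond the article's single-valued case to multi-valued attributes and null or undefined values, and shows how JSON-serialising the inline script produces correctly escaped quotes. The sample source object is constructed, not real data.

```javascript
// Added example (not the ForgeRock article's own script): the normalisation a
// file such as script/DirectoryStringTransform.js (name from the article,
// contents assumed) would implement, written as plain functions so the
// behaviour can be checked outside IDM.

// A value that DS rejects under most syntaxes is the zero-length string.
// null and undefined are not values at all and already mean "no value" to
// the connector, so they are treated the same way here.
function isEmptyValue(v) {
  return v === null || v === undefined || (typeof v === "string" && v.length === 0);
}

// Transform body: "" becomes null (attribute not sent); a multi-valued
// attribute keeps only its non-empty values and becomes null if none remain.
// Whitespace-only strings pass through: RFC 4517 forbids a zero-length
// Directory String, not a blank one, so DS accepts " " and trimming it would
// silently change the data.
function emptyToNull(value) {
  if (Array.isArray(value)) {
    const kept = value.filter((v) => !isEmptyValue(v));
    return kept.length === 0 ? null : kept;
  }
  return isEmptyValue(value) ? null : value;
}

// Mirrors the DS-side check the error messages describe: returns the names of
// attributes carrying a zero-length value, which would draw result code 21.
function findZeroLengthValues(attrs) {
  const rejected = [];
  for (const name of Object.keys(attrs)) {
    const values = Array.isArray(attrs[name]) ? attrs[name] : [attrs[name]];
    if (values.some((v) => v === "")) rejected.push(name);
  }
  return rejected;
}

// Applies the transform to each mapped attribute the way a property mapping
// would, dropping attributes whose transformed value is null so that nothing
// zero-length reaches DS.
function mapEntry(sourceEntry, attrNames) {
  const target = {};
  for (const name of attrNames) {
    const mapped = emptyToNull(sourceEntry[name]);
    if (mapped !== null) target[name] = mapped;
  }
  return target;
}

// Builds the sync.json property entry with the transform inline. Serialising
// it with JSON.stringify produces the escaped \"\" that a hand-edited
// fragment is easy to get wrong.
function inlineMappingProperty(attr) {
  return {
    source: attr,
    target: attr,
    transform: {
      type: "text/javascript",
      source: 'if (source === "") { value = null } else { value = source }',
    },
  };
}

// Constructed sample source object (not real data): an empty single value,
// a multi-valued attribute with a mix, a null, and a normal value.
const SAMPLE_SOURCE = {
  Attribute1: "",
  telephoneNumber: ["", "+1 555 0100"],
  description: null,
  cn: "John",
};
const MAPPED_ATTRIBUTES = ["Attribute1", "telephoneNumber", "description", "cn"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("rejected before transform:", findZeroLengthValues(SAMPLE_SOURCE));
  const target = mapEntry(SAMPLE_SOURCE, MAPPED_ATTRIBUTES);
  console.log("rejected after transform:", findZeroLengthValues(target), target);
  console.log(JSON.stringify(inlineMappingProperty("Attribute1"), null, 2));
}
```

Inside IDM, the transform file would end with `value = emptyToNull(source);`, following the article's convention for handing the result back to the mapping; the sample object and the DS-side check exist only to exercise the function.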

See Also

How do I update attributes stored in arrays in IDM (All versions) using JavaScript?

How do I provision external accounts in a pre-defined order in IDM (All versions)?

Transform Attributes in a Mapping

Configuring Connections Between Resources

Invalid Attribute Syntax 

Syntaxes

RFC 4517: Directory String

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.