Errors similar to the following are shown when the data synchronization to DS fails, where the attribute causing issues in this example is called Team:

Caused by: org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - Entry "employeeId=user10,ou=Users,dc=example,dc=com" contains a value "" for attribute Team that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax]; remaining name 'employeeId=user10,ou=Users,dc=example,dc=com'

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - When attempting to modify entry cn=John,ou=People,dc=example,dc=com to replace the set of values for attribute Team, value "" was found to be invalid according to the associated syntax: The operation attempted to assign a zero-length value to an attribute with the directory string syntax]; remaining name 'cn=John,ou=People,dc=example,dc=com'
This error is not seen if the attribute has a value in IDM; it only happens if the attribute has an empty value.
Configured the LDAP connector to synchronize data to DS.
Updated the mapping configuration file (sync.json, located in the /path/to/idm/conf directory).
By default, DS does not allow empty string values (zero-length-values) for attributes that have a syntax of Directory String.
LDAP result code 21 indicates invalid attribute syntax. It is returned when the requested operation fails because it violates the syntax for a specified attribute.
Per RFC 4517, a zero-length character string is not permitted.
Although it is possible to change the schema for the affected attribute to allow zero-length values, this is not recommended. You may face issues at any time with other LDAP applications that adhere to the specification.
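One way to keep zero-length values out of the LDAP request without touching the schema, as an added example that is not part of the original article or of IDM/DS code: an empty source value becomes a replace with no values, which RFC 4511 defines as deleting the attribute. The function names, the sample user object and the attribute mapping are assumptions constructed for illustration.

```javascript
"use strict";
// Added example; function names and sample data are hypothetical, not IDM or DS APIs.

// Keep only values that are legal for Directory String syntax.
// RFC 4517 forbids zero-length strings, so "", null and undefined are dropped.
function directoryStringValues(value) {
  const values = Array.isArray(value) ? value : [value];
  return values
    .filter((v) => v !== null && v !== undefined && String(v).length > 0)
    .map(String);
}

// Build LDAP modify operations for the mapped attributes.
// An attribute left with no legal values becomes a replace with an empty
// value list, which deletes the attribute instead of assigning "".
function toLdapModifications(source, mapping) {
  return Object.keys(mapping).map((sourceAttr) => ({
    operation: "replace",
    attribute: mapping[sourceAttr],
    values: directoryStringValues(source[sourceAttr]),
  }));
}

// Report the target attributes whose source value contains "",
// i.e. the ones that would have been rejected with result code 21.
function zeroLengthOffenders(source, mapping) {
  return Object.keys(mapping)
    .filter((sourceAttr) => {
      const v = source[sourceAttr];
      return (Array.isArray(v) ? v : [v]).some((x) => x === "");
    })
    .map((sourceAttr) => mapping[sourceAttr]);
}

// Constructed sample: an IDM-side object with an empty Team value,
// a multi-valued attribute containing one empty string, and a normal value.
const sampleUser = { team: "", description: ["contractor", ""], sn: "Smith" };
const sampleMapping = { team: "Team", description: "description", sn: "sn" };

console.log("Would fail with code 21:", zeroLengthOffenders(sampleUser, sampleMapping));
console.log(JSON.stringify(toLdapModifications(sampleUser, sampleMapping), null, 2));
```

Whitespace-only strings are left alone because they are not zero-length; only the case named in the error message is filtered.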