Solutions

Data validation failed error when creating or updating user data store LDAP attributes after upgrading to AM 5.5.2, 6.5.1, 6.5.2.x or 7.x

Last updated Sep 7, 2020

The purpose of this article is to provide assistance if you encounter a "Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server" error in AM when creating or updating the user data store LDAP attributes via ssoadm.

Symptoms

The following error is shown when executing a ssoadm command that updates or creates a data store, for example, update-datastore or create-datastore:

com.sun.identity.cli.CLIException: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server

The following error is shown in the Configuration debug log when this happens:

amCLI:05/08/2019 10:41:29:750 AM BST: Thread[main,5,main]: TransactionId[unknown]
ERROR: CommandManager.<init>
com.sun.identity.cli.CLIException: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server
   at com.sun.identity.cli.datastore.UpdateDataStore.handleRequest(UpdateDataStore.java:111)
   at com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
   at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
   at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
   at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:604)
   at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:186)
   at com.sun.identity.cli.CommandManager.main(CommandManager.java:163)
Caused by: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server
   at com.sun.identity.sm.ServiceSchemaImpl.throwInvalidAttributeValuesException(ServiceSchemaImpl.java:757)
   at com.sun.identity.sm.ServiceSchemaImpl.clientEndAttrValidation(ServiceSchemaImpl.java:691)
   at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:669)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:606)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:354)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:323)
   at com.sun.identity.sm.ServiceConfig.setAttributes(ServiceConfig.java:544)
   at com.sun.identity.cli.datastore.UpdateDataStore.handleRequest(UpdateDataStore.java:92)
   ... 6 more

Recent Changes

Upgraded to AM 5.5.2, or 6.5.1 or later.

Causes

The sun-idrepo-ldapv3-config-ldap-server ssoadm property has been renamed to sun-idrepo-ldapv3-config-ldap-server=[n] to allow the priority order of LDAP servers to be specified. This change occurred as a result of OPENAM-5867 (Data Store LDAP server (admin-ordered) list is reordered by OpenAM).

Previously you could specify multiple servers as follows, but the order in which they were entered was not saved:

sun-idrepo-ldapv3-config-ldap-server=localhost:50389
sun-idrepo-ldapv3-config-ldap-server=example.com:1389

Now you can specify them as follows, which sets the priority order:

sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:50389
sun-idrepo-ldapv3-config-ldap-server=[1]=example.com:1389
Note

The change in property name does not affect Amster or REST because this attribute is already multi-valued, for example:  

"sun-idrepo-ldapv3-config-ldap-server":["localhost:51389","example.com:1389"],

However, the order in which they are specified is now respected.

Solution

This issue can be resolved by updating your ssoadm scripts or commands to use sun-idrepo-ldapv3-config-ldap-server=[0], sun-idrepo-ldapv3-config-ldap-server=[1] and so on, instead of sun-idrepo-ldapv3-config-ldap-server.

See Also

How do I create a user data store in AM/OpenAM (All versions) using ssoadm?

Setup Guide › Identity Stores

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5867 (Data Store LDAP server (admin-ordered) list is reordered by OpenAM)

Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.
Loading...