Solutions

Data validation failed error when creating or updating user data store LDAP attributes after upgrading to AM 6.5.1 or 6.5.2.x

Last updated Sep 26, 2019

The purpose of this article is to provide assistance if you encounter a "Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server" error in AM when creating or updating the user data store LDAP attributes via ssoadm.


Symptoms

The following error is shown when executing an ssoadm command that updates or creates a data store, for example, update-datastore or create-datastore:

com.sun.identity.cli.CLIException: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server

The following error is shown in the Configuration debug log when this happens:

amCLI:05/08/2019 10:41:29:750 AM BST: Thread[main,5,main]: TransactionId[unknown]
ERROR: CommandManager.<init>
com.sun.identity.cli.CLIException: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server
   at com.sun.identity.cli.datastore.UpdateDataStore.handleRequest(UpdateDataStore.java:111)
   at com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
   at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
   at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
   at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:604)
   at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:186)
   at com.sun.identity.cli.CommandManager.main(CommandManager.java:163)
Caused by: Message:Data validation failed for the attribute, sun-idrepo-ldapv3-config-ldap-server
   at com.sun.identity.sm.ServiceSchemaImpl.throwInvalidAttributeValuesException(ServiceSchemaImpl.java:757)
   at com.sun.identity.sm.ServiceSchemaImpl.clientEndAttrValidation(ServiceSchemaImpl.java:691)
   at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:669)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:606)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:354)
   at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:323)
   at com.sun.identity.sm.ServiceConfig.setAttributes(ServiceConfig.java:544)
   at com.sun.identity.cli.datastore.UpdateDataStore.handleRequest(UpdateDataStore.java:92)
   ... 6 more

Recent Changes

Upgraded to AM 6.5.1 or later.

Causes

The sun-idrepo-ldapv3-config-ldap-server ssoadm property has been renamed to sun-idrepo-ldapv3-config-ldap-server=[n] to allow the priority order of LDAP servers to be specified. This change occurred as a result of OPENAM-5867 (Data Store LDAP server (admin-ordered) list is reordered by OpenAM).

Previously you could specify multiple servers as follows, but the order in which they were entered was not saved:

sun-idrepo-ldapv3-config-ldap-server=localhost:50389
sun-idrepo-ldapv3-config-ldap-server=example.com:1389

Now you can specify them as follows, which sets the priority order:

sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:50389
sun-idrepo-ldapv3-config-ldap-server=[1]=example.com:1389

Note

The change in property name does not affect Amster or REST because this attribute is already multi-valued, for example:  

"sun-idrepo-ldapv3-config-ldap-server":["localhost:51389","example.com:1389"],

However, the order in which they are specified is now respected.

Solution

This issue can be resolved by updating your ssoadm scripts or commands to use sun-idrepo-ldapv3-config-ldap-server=[0], sun-idrepo-ldapv3-config-ldap-server=[1] and so on, instead of sun-idrepo-ldapv3-config-ldap-server.
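
One way to apply this change to an existing attribute file, as an added example that is not ForgeRock's code. It assumes the data store attributes are kept in a file with one name=value pair per line; index_ldap_servers, sample_datafile and example-other-attribute are hypothetical names, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: convert an ssoadm attribute file to the indexed LDAP server form.
# Assumption: the file holds one name=value pair per line.
ATTR='sun-idrepo-ldapv3-config-ldap-server'

# index_ldap_servers FILE
# Prints FILE with each unindexed ATTR line given the next free [n] index, in
# order of appearance. Already-indexed lines and other attributes are unchanged.
index_ldap_servers() {
    awk -v attr="$ATTR" '
        BEGIN { prefix = attr "="; plen = length(prefix); n = 0 }
        # Pass 1: remember indexes that are already in use.
        NR == FNR {
            rest = substr($0, plen + 1)
            if (substr($0, 1, plen) == prefix && rest ~ /^\[[0-9]+\]=/) {
                sub(/^\[/, "", rest); sub(/\].*$/, "", rest)
                used[rest + 0] = 1
            }
            next
        }
        # Pass 2: rewrite unindexed server lines, pass everything else through.
        {
            rest = substr($0, plen + 1)
            if (substr($0, 1, plen) == prefix && rest !~ /^\[[0-9]+\]=/) {
                while (n in used) n++
                used[n] = 1
                print prefix "[" n "]=" rest
            } else {
                print
            }
        }
    ' "$1" "$1"
}

# Constructed sample input in the pre-6.5.1 form (second attribute is a placeholder).
sample_datafile() {
    cat <<'EOF'
sun-idrepo-ldapv3-config-ldap-server=localhost:50389
sun-idrepo-ldapv3-config-ldap-server=example.com:1389
example-other-attribute=unchanged
EOF
}

# Demo: print the converted sample.
demo_file=$(mktemp)
sample_datafile > "$demo_file"
index_ldap_servers "$demo_file"
rm -f "$demo_file"
```

Because the index follows the order of the lines in the file, review that order before converting: it becomes the priority order of the LDAP servers.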

See Also

How do I create a user data store in AM/OpenAM (All versions) using ssoadm?

Setup and Maintenance Guide › Setting Up Identity Data Stores

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5867 (Data Store LDAP server (admin-ordered) list is reordered by OpenAM)



Copyright © 2019 ForgeRock, all rights reserved.