Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Reconciliation fails in IDM (All versions) when an entry has a multi-value attribute that has been defined as a single value attribute

Last updated Apr 8, 2021

The purpose of this article is to provide assistance when reconciliation fails in IDM when an entry has an attribute with more than one value but that entry has been defined as a single value attribute in the provisioner configuration.


Symptoms

An error similar to the following is shown when reconciliation fails, where the attribute causing the issue in this example is mail:

2020-10-04 16:22:38:120 WARN Incorrect schema configuration. Expecting mail attribute to be single but it has multi value. [AttributeInfoHelper]Failed to read target object org.forgerock.json.resource.ConflictException: The mail attribute is not single value attribute.   at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:230)    at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService$ObjectClassResourceProvider.handleRead(OpenICFProvisionerService.java:1509)    at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService$ObjectClassRequestHandler.handleRead(OpenICFProvisionerService.java:1048)

Similarly, an attempt to sync using a REST call results in the following response:

{"code":409,"reason":"Conflict","message":"Synchronization failed"}

Recent Changes

N/A

Causes

The reconciliation process is expecting a single value attribute per the provisioner configuration. The presence of an entry with a multi-valued attribute causes the entire reconciliation process to fail with an error.

Solution

This issue can be resolved as follows:

  1. Update the provisioner configuration file (for example, provisioner.openicf-ldap.json in the /path/to/idm/conf directory) to define the affected attribute as an array to allow multiple values. For example, you would change the definition of the mail attribute to the following to make it an array: "mail" : {                    "type" : "array",                     "items" : {                         "type" : "string",                         "nativeType" : "string"                     },                     "nativeName" : "mail",                     "nativeType" : "string"                 },
  2. Make changes to the target system to recognize the updated attribute; you can use one of the following approaches:
    • Update the target system to make the attribute an array as well.
    • Add a transformation script to the mapping if the attribute should remain single valued in the target system; there are various ways to do this depending on the desired behavior. For example: {                    "source" : "mail",                     "target" : "mail",                     "transform" : {                         "type" : "text/javascript",                         "globals" : { },                         "source" : "source.length == 1 ? source[0] : source"                     }                 }This script checks if the source array contains exactly one item, and if so, it returns this item as source[0]; otherwise the script returns an array. If the attribute is configured as single valued in the target system, it will cause an exception when an array is passed to it and reconciliation of the entry will fail. The rest of the reconciliation will proceed however. Note that this script example will fail the reconciliation of an item for which the source attribute is an empty array, additional handling for that case may be required. The reverse mapping is rather simple, all it takes is to package the single valued attribute in an array: {                    "source" : "mail",                     "target" : "mail",                     "transform" : {                         "type" : "text/javascript",                         "globals" : { },                         "source" : "[source]"                     }                 }See Synchronization Guide › Transform Attributes in a Mappingfor further information.

See Also

Synchronization in IDM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.