Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Attribute value conflicts with the attribute's schema definition on operation error in IDM (All versions)

Last updated Jan 19, 2023

The purpose of this article is to provide assistance if you receive an "Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object" error in IDM when you try to update a boolean attribute in Active Directory® or OpenLDAP. Similar errors occur for CREATE, PUT and PATCH operations.

Symptoms

The following error is shown when you try to update a boolean attribute in Active Directory or OpenLDAP from IDM. Similar errors may display for CREATE, PUT, and PATCH operations.

Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object

An error similar to the following is shown in the IDM log:

FINE: Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Malformed 'msNPAllowDialin' attribute value

Recent Changes

N/A

Causes

This error occurs because Active Directory and OpenLDAP are case-sensitive for boolean attributes. These LDAP target resources usually require uppercase TRUE and FALSE for boolean attributes, whereas JSON requires lowercase true and false.

Solution

This issue can be resolved as follows:

  1. Configure the boolean attribute as a string in the LDAP provisioner configuration file (for example, provisioner.openicf-ldap.json located in the /path/to/idm/conf directory). For example: "msNPAllowDialin": { "type": "string", "nativeName": "msNPAllowDialin", "nativeType": "string" },
  2. Use a script to set the attribute value with an uppercase string of TRUE or FALSE. For example: openidm.patch("system/ad/account/" + id,null,[{"operation":"replace","field":"/msNPAllowDialin","value":"TRUE"}]);Example result returned (with irrelevant attributes removed): ​{
 "fromEntry": "TRUE",
 "passwordNotRequired": false,
 "msNPAllowDialin": "TRUE",
 "passwordExpired": false,
 "lockOut": false,
 "isActive": true,
 "smartcardRequired": false }
Note

Some Active Directory attributes such as isActive are, by default, configured as boolean and can be updated using lowercase true and false. This is because these attributes are actually userAccountControl flags, but are displayed as booleans by the connector. See How do I use the LDAP connector in IDM (All versions) to update the ENABLE property in Active Directory? for further information.

See Also

How do I use the LDAP connector in IDM/OpenIDM (All versions) to update the ENABLE property in Active Directory?

Scripting Function Reference

Scripting

Section 3.3.3 of RFC 4517

Section 3 of RFC 7159

Related Training

N/A

Related Issue Tracker IDs

N/A
Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.