Attribute value conflicts with the attribute's schema definition on operation error in IDM (All versions)
The purpose of this article is to provide assistance if you receive an "Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object" error in IDM when you try to update a boolean attribute in Active Directory® or OpenLDAP. Similar errors occur for CREATE, PUT and PATCH operations.
Symptoms
The following error is shown when you try to update a boolean attribute in Active Directory or OpenLDAP from IDM. Similar errors may display for CREATE, PUT, and PATCH operations.
    Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object

An error similar to the following is shown in the IDM log:

    FINE: Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Malformed 'msNPAllowDialin' attribute value

Recent Changes
N/A
Causes
This error occurs because Active Directory and OpenLDAP are case-sensitive for boolean attributes. These LDAP target resources usually require uppercase TRUE and FALSE for boolean attributes, whereas JSON requires lowercase true and false.
Solution
This issue can be resolved as follows:
- Configure the boolean attribute as a string in the LDAP provisioner configuration file (for example, provisioner.openicf-ldap.json located in the /path/to/idm/conf directory). For example:

      "msNPAllowDialin": {
          "type": "string",
          "nativeName": "msNPAllowDialin",
          "nativeType": "string"
      },

- Use a script to set the attribute value with an uppercase string of TRUE or FALSE. For example:

      openidm.patch("system/ad/account/" + id, null, [{"operation":"replace","field":"/msNPAllowDialin","value":"TRUE"}]);

  Example result returned (with irrelevant attributes removed):

      {
          "fromEntry": "TRUE",
          "passwordNotRequired": false,
          "msNPAllowDialin": "TRUE",
          "passwordExpired": false,
          "lockOut": false,
          "isActive": true,
          "smartcardRequired": false
      }
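The conversion in the second step can be centralised so that scripts never send a lowercase or ambiguous value to the directory. The following is an added example, not code from the article or from ForgeRock; the helper names toLdapBoolean and buildPatch and the LDAP_BOOLEAN_STRINGS list are assumptions, and the list should hold the attributes you configured as "string" in the provisioner file.

```javascript
// Added example. LDAP_BOOLEAN_STRINGS is an assumption: list here the attributes
// that are mapped as "string" in the LDAP provisioner configuration.
var LDAP_BOOLEAN_STRINGS = ["msNPAllowDialin"];

// Convert a JSON boolean (or a case-variant "true"/"false" string) to the
// uppercase form the directory expects. Anything else is rejected instead of
// being coerced, so a bad value fails in the script and not at the target.
function toLdapBoolean(value) {
    if (value === true || value === false) {
        return value ? "TRUE" : "FALSE";
    }
    if (typeof value === "string") {
        var upper = value.trim().toUpperCase();
        if (upper === "TRUE" || upper === "FALSE") {
            return upper;
        }
    }
    throw new Error("Not a boolean value: " + JSON.stringify(value));
}

// Build the patch operations for a set of attribute changes. Attributes in
// LDAP_BOOLEAN_STRINGS are converted; all others (for example isActive, which
// the connector handles as a real boolean) are passed through unchanged.
function buildPatch(changes) {
    var ops = [];
    Object.keys(changes).forEach(function (name) {
        var value = changes[name];
        if (LDAP_BOOLEAN_STRINGS.indexOf(name) !== -1) {
            value = toLdapBoolean(value);
        }
        ops.push({ operation: "replace", field: "/" + name, value: value });
    });
    return ops;
}

// Constructed sample input, printed when run outside IDM (for example in Node.js).
var ops = buildPatch({ msNPAllowDialin: true, isActive: false });
console.log(JSON.stringify(ops));
// In an IDM script the operations would be passed on as in the article:
// openidm.patch("system/ad/account/" + id, null, ops);
```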
Note
Some Active Directory attributes such as isActive are, by default, configured as boolean and can be updated using lowercase true and false. This is because these attributes are actually userAccountControl flags, but are displayed as booleans by the connector. See How do I use the LDAP connector in IDM (All versions) to update the ENABLE property in Active Directory? for further information.
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A