  • LDAP: error code 17 - Undefined Attribute Type

    I have the following methods I'm using to update a User object in LDAP.

    Code:
        // Maps a User onto an LDAP entry. Every attribute name used here has to be
        // defined in the server's schema for one of the objectclasses listed below.
        protected void mapToContext(User user, DirContextAdapter context) {
            context.setAttributeValues("objectclass", new String[]{"top", "person", "inetOrgPerson"});
            // standard person / inetOrgPerson attributes
            context.setAttributeValue("uid", user.getUsername());
            context.setAttributeValue("userPassword", LdapUtils.getUtf8Bytes(user.getPassword()));
            context.setAttributeValue("cn", user.getFirstName());
            context.setAttributeValue("sn", user.getLastName());
            context.setAttributeValue("displayName", user.getFullName());
            context.setAttributeValue("mail", user.getEmail());
            context.setAttributeValue("telephoneNumber", user.getPhoneNumber());
            context.setAttributeValue("title", user.getTitle());
            context.setAttributeValue("department", user.getDepartment());
            context.setAttributeValue("passwordHint", user.getPasswordHint());
    
            // application-specific attributes, stored as strings; the server's schema
            // must define these for the listed objectclasses or the modify is rejected
            context.setAttributeValue("version", String.valueOf(user.getVersion()));
            context.setAttributeValue("accountEnabled", String.valueOf(user.isEnabled()));
            context.setAttributeValue("accountExpired", String.valueOf(user.isAccountExpired()));
            context.setAttributeValue("accountLocked", String.valueOf(user.isAccountLocked()));
            context.setAttributeValue("credentialsExpired", String.valueOf(user.isCredentialsExpired()));
        }
    Everything works fine if I modify the String values. However, if I modify version, accountEnabled, accountExpired (the non-String values), I get the following error:

    Code:
    org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - Undefined Attribute Type]; remaining name 'uid=tomcat, ou=users'
    Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - Undefined Attribute Type]; remaining name 'uid=tomcat, ou=users'
    	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1437)
    	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    	at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
    	at org.springframework.ldap.LdapTemplate$13.executeWithContext(LdapTemplate.java:741)
    	at org.springframework.ldap.LdapTemplate.executeWithContext(LdapTemplate.java:641)
    	at org.springframework.ldap.LdapTemplate.executeReadWrite(LdapTemplate.java:636)
    	at org.springframework.ldap.LdapTemplate.modifyAttributes(LdapTemplate.java:738)
    Any idea what could be wrong?

    Thanks,

    Matt

  • #2
    Issue with modifying roles as well

    On a related note, when I try to remove a user from a role, I get the same error. Below is the method I'm using to do this:

    Code:
        public void removeUser(Long userId) {
            User user = getUser(userId);
            // delete the user's own entry from the directory
            ldapTemplate.unbind(buildDn(user));
    
            // remove user from roles - this currently doesn't work due to issue in last 3 lines of this block
            for (Role role : user.getRoles()) {
                Role r = roleDao.getRoleByName(role.getName());
                List<String> members = new ArrayList<String>(r.getMembers().length);
                for (String member : r.getMembers()) {
                    // keep every member value that does not contain the username
                    // (note: substring match, so removing "tom" would also drop "tomcat")
                    if (member.indexOf(user.getUsername()) == -1) {
                       members.add(member);
                    }
                }
                r.setMembers(members.toArray(new String[0]));
    
                // calling saveRole results in javax.naming.directory.SchemaViolationException
                // todo: fix so users are removed from roles when they're deleted
                //roleDao.saveRole(r);
            }
    
            // remove from database too
            jdbcTemplate.update("delete from " + userTableName + " where id=?", new Object[]{userId});
        }



    • #3
      I've never run into that error myself, but it seems to be caused by the fact that the referenced attribute is not present in the schema defined for the LDAP server instance you are running against.

      I guess my best hint would be to check the server configuration so that the schema is set up correctly.



      • #4
        It looks like you try to modify an object of class inetOrgPerson. If you're using attributes that are not defined for that objectclass, you must create your own objectclass that extends inetOrgPerson.

        Another thing I notice is that you have missed parts of the hierarchy. inetOrgPerson extends organizationalPerson if you're using the official schema. Many servers don't verify that the hierarchy is correct, so you must be diligent in doing so yourself. Some servers do check, and then you might get into trouble.

        objectclass: top
        objectclass: person
        objectclass: organizationalPerson
        objectclass: inetOrgPerson
        Last edited by ulsa; Oct 13th, 2006, 10:21 AM.



        • #5
          I tried both removing the inetOrgPerson objectclass, as well as adding organizationalPerson as an objectclass. Neither solved my problem. I'm guessing that you're saying I need to create a custom objectclass if I plan on adding any attributes not defined in the person (or inetOrgPerson) schemas. Do I do that on the LDAP server side of things, or is it possible to do that in Java code?



          • #6
            I'm guessing that you're saying I need to create a custom objectclass if I plan on adding any attributes not defined in the person (or inetOrgPerson) schemas.
            That's exactly what I meant. Sorry if I was unclear.

            Do I do that on the LDAP server side of things, or is it possible to do that in Java code?
            Well, you need to add a custom schema with your own objectclass on the server in order to get the server to accept your custom attributes. The procedure and format are server-specific. However, you also need to specify your new objectclass in the objectclass attribute when creating new objects. Example with a custom objectclass called "authorizablePerson":

            Code:
            context.setAttributeValues("objectclass", new String[]{"top", "person",
               "organizationalPerson", "inetOrgPerson", "authorizablePerson"});



            • #7
              Do you know how Acegi handles getting accountEnabled, accountLocked, etc. attributes into its LdapUserDetailsImpl class? These don't seem to be a part of any schema, and it's not obvious from looking at their code how these are handled.

              Thanks,



              • #8
                Originally posted by mraible
                Do you know how Acegi handles getting accountEnabled, accountLocked, etc. attributes into its LdapUserDetailsImpl class? These don't seem to be a part of any schema, and it's not obvious from looking at their code how these are handled.

                Thanks,
                I'd like to know that for myself as well. I was wondering about it for some time, but I could not get any answer at all.



                • #9
                  If these attributes are not explained properly in the Acegi reference manual, I suggest you post a question on the Acegi forum. I'm pretty sure they can provide answers for you.



                  • #10
                    try

                    I have the same problem
