[OID] ldap_modify: Failed to find member in mandatory or optional attribute list

A sample LDAP entry and the resulting error message are shown below. The objective is simple: add a new member (an employee) to an existing group (Administrators).

% cat assigngrp.ldif

dn: cn=Administrators,ou=groups,ou=entapp
changetype: modify
add: member
member: cn=emp1234,ou=people,ou=entapp

% ldapmodify -p 3060 -h localhost -D "cn=orcladmin" -w passwd -f assigngrp.ldif
add member:
	cn=emp1234,ou=people,ou=entapp
modifying entry cn=Administrators,ou=groups,ou=entapp
ldap_modify: Object class violation
ldap_modify: additional info: Failed to find member in mandatory or \
     optional attribute list.

The above error message is a generic one. It would have been nice had it shown the expected and actual inputs as part of the error. However, it does give a hint: an object class was violated. In this example, the group "Administrators" was created under the object class groupOfUniqueNames, which an attribute-only ldapsearch confirms.

% ldapsearch -p 3060 -h localhost -b "ou=groups,ou=entapp" -A "(objectclass=*)"
..
cn=Administrators,ou=groups,ou=entapp
Administrators,groups,entapp
cn
uniquemember
objectclass
..

RFC 4519 (Lightweight Directory Access Protocol (LDAP): Schema for User Applications) lists uniqueMember as a mandatory (MUST) attribute of the groupOfUniqueNames object class, and member is neither in its MUST nor in its MAY list. An excerpt from the RFC:

3.6.  'groupOfUniqueNames'
	...

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
         SUP top
         STRUCTURAL
         MUST ( uniqueMember $
               cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

Going back to the issue at hand: in the "modify" LDIF record, the attribute named on the "add" line must be uniqueMember, not member. Adding an attribute that the entry's object classes neither require nor permit is the object class violation in this case. Now the fix to the issue is obvious.

The modified entry and the output from Oracle Internet Directory's ldapmodify command are shown below.

% cat assigngrp.ldif

dn: cn=Administrators,ou=groups,ou=entapp
changetype: modify
add: uniqueMember
uniqueMember: cn=emp1234,ou=people,ou=entapp

$ ldapmodify -p 3060 -h localhost -D "cn=orcladmin" -w passwd -f assigngrp.ldif
add uniqueMember:
	cn=emp1234,ou=people,ou=entapp
modifying entry cn=Administrators,ou=groups,ou=entapp
modify complete

Though the above example comes from an Oracle Internet Directory (OID) environment, the problem and the solution apply to any environment running a schema-enforcing LDAP server.
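As an added example (not part of the original post, and not OID code), the following Python script performs the pre-flight check the server's error message does not: it parses a modify LDIF record, looks each touched attribute up in the MUST/MAY lists of the entry's object classes, and names the closest permitted attribute. The schema table is a hand-written excerpt of RFC 4519 standing in for the server's real schema, and the LDIF input is constructed to mirror the failing assigngrp.ldif above.

```python
import difflib

# Hand-written excerpt of RFC 4519 sections 3.5/3.6, objectClass -> (MUST, MAY).
# Assumption: it stands in for the server's real schema (cn=subschemasubentry).
SCHEMA = {
    "top": ({"objectClass"}, set()),
    "groupOfNames": ({"member", "cn"},
                     {"businessCategory", "seeAlso", "owner", "ou", "o", "description"}),
    "groupOfUniqueNames": ({"uniqueMember", "cn"},
                           {"businessCategory", "seeAlso", "owner", "ou", "o", "description"}),
}
SCHEMA_BY_LC = {name.lower(): spec for name, spec in SCHEMA.items()}  # LDAP names are case-insensitive

def parse_modify_ldif(text):
    """Return (dn, [(op, attr), ...]) for one 'changetype: modify' LDIF record."""
    dn, ops = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue                      # blank line, comment, or '-' separator
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        elif key in ("add", "replace", "delete"):
            ops.append((key, value))
    return dn, ops

def check_modify(ldif_text, object_classes):
    """Return [(op, attr, suggestion)] for every modified attribute outside MUST/MAY."""
    allowed = {}                          # lowercase -> canonical spelling
    for oc in object_classes:
        must, may = SCHEMA_BY_LC[oc.lower()]
        for attr in must | may:
            allowed[attr.lower()] = attr
    violations = []
    for op, attr in parse_modify_ldif(ldif_text)[1]:
        if attr.lower() not in allowed:
            # Closest allowed name: the 'expected' half the server's error leaves out.
            close = difflib.get_close_matches(attr.lower(), list(allowed), n=1, cutoff=0.6)
            violations.append((op, attr, allowed[close[0]] if close else None))
    return violations

# Constructed input mirroring the post's first (failing) assigngrp.ldif.
FAILING_LDIF = """dn: cn=Administrators,ou=groups,ou=entapp
changetype: modify
add: member
member: cn=emp1234,ou=people,ou=entapp
"""
if __name__ == "__main__":
    for op, attr, hint in check_modify(FAILING_LDIF, ["top", "groupOfUniqueNames"]):
        print(f"{op} {attr}: not in MUST/MAY of the entry's object classes; did you mean {hint}?")
```

Run with the object classes reported by ldapsearch for the target entry; an empty result means the record should pass the server's schema check.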

Comments:

Hi,

I am adding a new container, and I am facing the same error. Can you please help me with what needs to be changed?
I already have dc=comany,dc=com and cn=users where all users are present. Currently I am changing it to cn=users,ou=internal and cn=users,ou=external containers to differentiate customers and employees. While creating the container ou=internal I am facing a similar issue.

Please suggest if you have any idea.

Thanks

Posted by guest on August 27, 2014 at 01:33 AM PDT #
