Environment
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Active Directory
Situation
The following error is received when trying to submit a user add operation to Active Directory. Modify operations complete successfully.
[12/10/15 07:08:06.655]:AD :Remote Interface Driver: Received.
[12/10/15 07:08:06.656]:AD :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20130305_120000" instance="\NOVELLTEST\NOVELL\SERVICES\DriverSet\TEST-AD" version="4.0.0.1">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="ADMIDM01WS-NDS#20151210160805#1#1:dc1c064d-fb85-4645-a6cc-17ebf6044d66" level="error" type="driver-general">
<ldap-err ldap-rc="80" ldap-rc-name="LDAP_OTHER">
<client-err ldap-rc="80" ldap-rc-name="LDAP_OTHER">Other</client-err>
<server-err>00000523: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
</server-err>
<server-err-ex win32-rc="1315"/>
</ldap-err>
</status>
</output>
</nds>
Resolution
Verify that all attributes in the submitted XML comply with Active Directory schema constraints.
In this case DirXML-ADAliasName was mapped to samAccountName in the schema mapping policy, and the value of DirXML-ADAliasName exceeded the 20 character limit that the AD schema imposes on samAccountName, so AD rejected the add and returned the error above.
In a default Active Directory driver, DirXML-ADAliasName is mapped to userPrincipalName (which has no size limit) and CN is mapped to samAccountName.
Cause
The submitted XML document contained a samAccountName value that exceeded the 20 character limit imposed by the Active Directory schema.
[12/10/15 07:08:07.241]:AD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.7">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add cached-time="20151210160805.391Z" class-name="user" dest-dn="CN=testuser1,OU=Test,dc=lab,dc=novell,dc=com" event-id="ADMIDM01WS-NDS#20151210160805#1#2:0cb875c1-99f9-4bbf-935b-88a86cd0e7f5" qualified-src-dn="O=NOVELL\OU=USERS\CN=testuser1" src-dn="\NOVELL\NOVELL\USERS\testuser1" src-entry-id="72255" timestamp="0#0">
<add-attr attr-name="displayName">
<value timestamp="1449689728#6" type="string">Test User1</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1449689728#4" type="string">Test</value>
</add-attr>
<add-attr attr-name="physicalDeliveryOfficeName">
<value timestamp="1449694038#2" type="string">LAB</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1449689728#3" type="string">User1</value>
</add-attr>
<add-attr attr-name="samAccountName">
<value type="string">testuser1@lab.novell.com</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value type="string">testuser1</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value type="string">false</value>
</add-attr>
<add-attr attr-name="samAccountName">
<value>testuser1@lab.novell.com</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value>testuser1</value>
</add-attr>
<add-attr attr-name="homeMDB">
<value type="string"/>
</add-attr>
<add-attr attr-name="mailNickname">
<value type="string">testuser1</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
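As an added diagnostic, not part of the original article: a small Python script that parses an Identity Manager trace document like the one above and flags samAccountName values that Active Directory would reject. The embedded event is a constructed excerpt of the trace above; the 20 character limit is the one cited in the Cause section, and the "UPN-shaped value" check is a heuristic for the swapped schema mapping described in the Resolution.

```python
import xml.etree.ElementTree as ET

# Limit Active Directory enforces on sAMAccountName for user objects
# (the rejected add above came back with win32-rc 1315, ERROR_INVALID_ACCOUNT_NAME).
SAM_ACCOUNT_NAME_MAX = 20

# Constructed excerpt of the <add> event from the trace above, reproducing the
# swapped mapping: the UPN-shaped value has landed in samAccountName.
SAMPLE_ADD_EVENT = """<nds dtdversion="4.0" ndsversion="8.x">
<input>
<add class-name="user" dest-dn="CN=testuser1,OU=Test,dc=lab,dc=novell,dc=com">
<add-attr attr-name="samAccountName">
<value type="string">testuser1@lab.novell.com</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value type="string">testuser1</value>
</add-attr>
</add>
</input>
</nds>"""

def attribute_values(add_elem):
    """Map each attr-name (lower-cased, AD attribute names are case-insensitive) to its values."""
    values = {}
    for add_attr in add_elem.findall("add-attr"):
        name = (add_attr.get("attr-name") or "").lower()
        for value in add_attr.findall("value"):
            values.setdefault(name, []).append(value.text or "")
    return values

def check_add_event(xml_text):
    """Return (dest-dn, attribute, problem) findings for every <add> in an
    Identity Manager trace document whose samAccountName AD would reject."""
    findings = []
    for add_elem in ET.fromstring(xml_text).iter("add"):
        dest_dn = add_elem.get("dest-dn", "?")
        for sam in attribute_values(add_elem).get("samaccountname", []):
            if len(sam) > SAM_ACCOUNT_NAME_MAX:
                findings.append((dest_dn, "samAccountName",
                                 f"{len(sam)} chars exceeds the {SAM_ACCOUNT_NAME_MAX} limit"))
            if "@" in sam:
                # Heuristic: a UPN-shaped value usually means DirXML-ADAliasName
                # was mapped to samAccountName instead of userPrincipalName.
                findings.append((dest_dn, "samAccountName",
                                 "UPN-shaped value; review the schema mapping policy"))
    return findings

if __name__ == "__main__":
    for dn, attr, problem in check_add_event(SAMPLE_ADD_EVENT):
        print(f"{dn}: {attr}: {problem}")
```

Run it against the `<add>` document copied from a level 3 driver trace to confirm the offending attribute before changing the schema mapping policy.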