Unable to create DSfW users with MMC

  • 7003431
  • 03-Jun-2009
  • 16-Jun-2014

Environment

Novell Domain Services for Windows
Novell Open Enterprise Server 2.0 SP1 (Linux Based)
Microsoft Management Console

Situation

Unable to create DSfW users with MMC.
MMC returns the following error message:
Error: The requested operation did not satisfy one or more constraints associated with the class of the object.

Resolution

**This issue should be fixed when latest patches have been applied from the update channel**

------------------------------------------------------------------------------------------------------------------------------
If the superclasses Top and ndsLoginProperties ( Top $ ndsLoginProperties ) are both present for the objectclass Person, please contact Novell Technical Support to modify the schema for the tree by removing the superclass Top from the objectclass Person.

The problem can also affect the creation of group objects, and it can appear in classes other than Person. In general, every object class starting from User should reference only one class in its Super Class list. The same applies to the Group class definition. This is not a general rule for all object classes, but it is what MMC expects to find when checking the schema definition of these particular classes. On other occasions where this problem has been seen, the User class had "Organizational Person" and "ndsLoginProperties" in its superclass list, when it was supposed to have only "Organizational Person". In the case of Group, the class definition had both "ndsLoginProperties" and "Top" (but only Top should be listed).

Additional Information

It's possible to verify the occurrence of this issue by running ndstrace with the following options: "set ndstrace=nodebug, ndstrace +time, ndstrace +ldap, ndstrace +misc, ndstrace screen on"
The error is shown in the following trace messages:

3063749536 MISC: [2009/05/12 12:40:08.922] FixObjectClass: Object Class has .ndsLoginProperties.[Class Definitions].[Schema Root]
3063749536 MISC: [2009/05/12 12:40:08.922] FixObjectClass: more than one effective class, unable to determine baseclass failed, object class violation (-628)

To check the current schema definition with ldapsearch, use the following command: "ldapsearch -x -b cn=schema -s base objectclasses=person". When the problem is present, it returns the following output:
dn: cn=schema
...
objectClasses: ( 2.5.6.6 NAME 'Person' SUP ( Top $ ndsLoginProperties ) STRUCT
 URAL MUST "..."

Make sure to run the ldapsearch command locally on the DSfW Domain Controller, or by pointing to it.

The expected output for "ldapsearch -x -b cn=schema -s base objectclasses=person" is:
dn: cn=schema
...
objectClasses: ( 2.5.6.6 NAME 'Person' SUP ndsLoginProperties STRUCTURAL MUST "..."

It's also possible to use iMonitor to check the schema definitions by using the "Schema" | "Base" option to check the base class definitions of the User and Group classes.
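
The ldapsearch check above can also be scripted. The following Python is an added example, not part of the original Novell document: it unfolds the wrapped LDIF lines (the "STRUCT" / " URAL" split seen above) and reports which of Person, User and Group list more than one superclass. The function names and the sample input are assumptions made for illustration.

```python
import re
import sys

# Constructed sample shaped like the ldapsearch output quoted above. The Person
# line is the faulty one from the article; the User and Group lines, their
# placeholder OIDs and the shortened MUST lists are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'Person' SUP ( Top $ ndsLoginProperties ) STRUCT
 URAL MUST ( cn ) )
objectClasses: ( 0.0.0.1 NAME 'User' SUP organizationalPerson STRUCTURAL )
objectClasses: ( 0.0.0.2 NAME 'Group' SUP ( ndsLoginProperties $ Top ) STRUCTURAL )
"""

DEF_RE = re.compile(r"^objectClasses:\s*\(\s*\S+\s+NAME\s+\(?\s*'([^']+)'(.*)$", re.M | re.I)
SUP_RE = re.compile(r"\bSUP\s+(?:\(([^)]*)\)|(\S+))", re.I)

def unfold(ldif):
    """Join LDIF continuation lines (newline + one space): 'STRUCT', ' URAL' -> 'STRUCTURAL'."""
    return re.sub(r"\r?\n ", "", ldif)

def superclasses(ldif):
    """Map each object class name to the list of names in its SUP clause."""
    found = {}
    for name, rest in DEF_RE.findall(unfold(ldif)):
        m = SUP_RE.search(rest)
        if m is None:
            found[name] = []
        elif m.group(1) is not None:           # form: SUP ( A $ B )
            found[name] = [s.strip() for s in m.group(1).split("$") if s.strip()]
        else:                                   # form: SUP A
            found[name] = [m.group(2)]
    return found

def multi_superclass(ldif, classes=("Person", "User", "Group")):
    """Return the checked classes that list more than one superclass."""
    wanted = {c.lower() for c in classes}
    return {n: s for n, s in superclasses(ldif).items()
            if n.lower() in wanted and len(s) > 1}

if __name__ == "__main__":
    # Pipe ldapsearch output in, or run with no input to use the sample.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for name, sups in multi_superclass(text).items():
        print(f"{name}: multiple superclasses {sups}")
```

An empty result for Person, User and Group corresponds to the expected single-superclass definitions described above.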