User modifications fail with ObjectClassViolation errors in IBM Security Directory Server
Requests to create or modify a user fail when using the default Person user profile. Length restrictions for certain user attributes cause this failure.
Problem
The IBM Security Directory Server schema imposes length restrictions on several attributes in the inetOrgPerson object class, such as initials, employeeNumber, and telephoneNumber. The following errors can help you determine whether a user-related request failed because of a length restriction:
- The audit trail request for IBM Security Identity Manager displays the following error in the process result:
  CTGIMO017E: The following directory server schema violation occurred. Error: [LDAP: error code 65 - Object Class Violation]
  We can observe this error message by viewing the failed request in the View Requests console.
- The IBM Security Directory Server ibmslapd.log file contains an error similar to the following:
  GLPRDB069E: Attribute EMPLOYEENUMBER has a maximum value length of 20. Current attribute value is of length 27.
  The ibmslapd.log log file is produced by IBM Security Directory Server.
Solution
We can prevent request failures due to length violations with one of the following actions:
- Customize the Person form with the necessary field constraints. Customizing the Person form with the necessary field constraints prevents user errors and ensures that values conform to the requirements.
- Increase the maximum length of the attributes in the directory server schema.
IBM Security Directory Server specifies each schema length constraint in number of bytes. Certain character sets require multiple bytes to represent a single character. When customizing the form or changing the schema length constraints, it is important to consider whether or not attribute values are specified using a multibyte character set.
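The following added example is not IBM code. It reads the per-attribute limits out of GLPRDB069E lines in the format quoted above and checks candidate values by byte length rather than character count. It assumes values are UTF-8 encoded; the function names and sample data are constructed for illustration.

```python
import re

# Matches the GLPRDB069E message format quoted on this page.
GLPRDB069E = re.compile(
    r"GLPRDB069E:? Attribute (?P<attr>\S+) has a maximum value length of "
    r"(?P<max>\d+)\. Current attribute value is of length (?P<cur>\d+)\."
)

def length_limits_from_log(lines):
    """Return {attribute_name_lowercased: max_bytes} seen in GLPRDB069E lines."""
    limits = {}
    for line in lines:
        m = GLPRDB069E.search(line)
        if m:
            limits[m.group("attr").lower()] = int(m.group("max"))
    return limits

def byte_length(value):
    """Length as the schema counts it: bytes (UTF-8 is an assumption here)."""
    return len(value.encode("utf-8"))

def violations(entry, limits):
    """Return (attr, value, byte_length, max_bytes) for each oversized value."""
    found = []
    for attr, values in entry.items():
        limit = limits.get(attr.lower())  # LDAP attribute names are case-insensitive
        if limit is None:
            continue
        for value in values:
            n = byte_length(value)
            if n > limit:
                found.append((attr, value, n, limit))
    return found

# Constructed sample input: one log line in the page's format, one user entry.
SAMPLE_LOG = [
    "GLPRDB069E: Attribute EMPLOYEENUMBER has a maximum value length of 20. "
    "Current attribute value is of length 27.",
    "some unrelated log line",
]
SAMPLE_ENTRY = {
    # First value: 20 characters, 20 bytes (fits).
    # Second value: 13 characters, 21 bytes (each CJK character is 3 bytes).
    "employeeNumber": ["EMP-0000000000000001", "社員番号-00123456"],
    "cn": ["Example User"],
}

if __name__ == "__main__":
    for hit in violations(SAMPLE_ENTRY, length_limits_from_log(SAMPLE_LOG)):
        print("%s: %r is %d bytes, limit %d" % hit)
```

A form constraint that counts characters would accept the second value, which the directory server then rejects.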