LDAP provisioning: "discarded due to an invalid combination of attribute and object class"

Question

Hi 
 
 I am getting this error in a RACF sync project when trying to update racfAddressLine1, racfAddressLine2 and racfAddressLine3 attributes. The error also appears if I try to make the change in Target System Browser and hit save. 
 If I log into an LDAP browser using the exact same credentials, and go to the user object to be updated, I cannot see these attributes but if I add a new attribute for racfAddressLine1 and populate it, then hit save, it saves. 
 And if I then attempt the sync again, those attributes do get populated - but only for that one row. The next account in the sync also needs these attributes refreshed but it throws the same error. 
 What could be causing this? 
 Thanks in advance

Barry Jackson · Accepted Answer

Hi, The error message you are getting is my fault!!!! It used to be the case that if you attempted an update on an attribute that was not part of the current objectclass combination, your update would succeed but actually fail silently! So I asked the developer to throw this error in those circumstances so that you at least had a chance of knowing that an error had occurred. In short, you have to ensure that the attribute you are updating is part of the objectclass heirarchy you have defined on the object (in 1IM and 'to' the TS). If it's not, you'll get this error. Now the bit I can't 100% remember is the correct mapping configuration in this scenario so you'll have to experiment I'm afraid ...... I think you just need objectclass from LHS mapped to objectclass on RHS with direction 'to' target system. As well as your other mapping(s). HTH, Barry.

Barry Jackson · Answer

Hi, 
 
I just tried this out and got exactly the same error as you! 
 
I created a mapping for LDAPAccount.DestinationIndicator (Location ID) to racfBuilding. 
 
I set a value in Manager, hit save, the provision job fired and froze …… so …… 
 
Looking here: support.oneidentity.com/.../9 
 
We can see that racfBuilding is part of the auxiliary class racfWorkAttrSegment. After the sync, my LDAPAccount(s) have these objectclasses: 
 
TOP;RACFBASECOMMON;RACFUSER;SAFTSOSEGMENT 
 
So if I edit the OBJECTCLASS and add RACFWORKATTRSEGMENT and then update the DestinationIndicator (Location ID) field ….. the provision works!!! 
 
Because I now have a valid attribute/objectclass combination. 
 
The appendices in the 1IM doc tell you all the attribute/objectclass combinations. 
 
The moral of the story is that just because you see the attribute on the RHS in the TS schema ….. it doesn’t mean you can just use it ….. you have to make sure you have the associated objectclass for the attribute(s). 
 
HTH, Barry.