LDAP Error 19 For objectclass=leaf With Synchronization From AD To OID (Doc ID 368939.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Internet Directory - Version 10.1.2 and later
Information in this document applies to any platform.
***Checked for relevance on 06-Mar-2013***

Symptoms

After successful bootstrap with an Active Directory (AD) import profile, the odisrv process has been started on configset=1 but DIP synchronization does not execute the enabled profile. The profile status shows:
   Synchronization Status = NOT EXECUTED YET
   Bootstrap Status = BOOTSTRAP SUCCESSFUL

Further investigation, with debug logging enabled for odisrv and the profile, shows that AD->OID synchronization is failing with LDAP Error 19 or LDAP Error 65 when attempting to synchronize specific entries from AD.

The debug log ldap/odi/log/<profilename>.trc shows, for example:

......
Exception creating Entry : javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Admin domain does not contain schema information for objectclass leaf.]; remaining name 'cn=routeridentity,cn=ad-uk13856,ou=support,cn=users,dc=uk,dc=oracle,dc=com'
[LDAP: error code 19 - Admin domain does not contain schema information for objectclass leaf.]
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Admin domain does not contain schema information for objectclass leaf.]; remaining name 'cn=routeridentity,cn=ad-uk13856,ou=support,cn=users,dc=uk,dc=oracle,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
.......

or

Exception creating Entry : javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]; remaining name 'cn=msmq,ou=resources,ou=tns global,dc=uk,dc=oracle,dc=com'
[LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]; remaining name 'cn=msmq,ou=resources,ou=tns global,dc=uk,dc=oracle,dc=com'


The profile Connected Directory Matching Filter value is the default value taken from the sample ldap/odi/conf/ad*.properties files:

"searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"

Based on this search filter, the entries being synchronized when the errors occur should not have been retrieved from Active Directory by DIP for synchronization.
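
To check which entries this filter selects without querying a directory, the following Python sketch evaluates the default searchfilter against sample entries. It is an added example, not part of the original note or of DIP; the DNs and objectClass values are constructed, and only the filter string is taken from the profile.

```python
# Added example: evaluates the subset of LDAP filter syntax used by the
# profile's searchfilter: & | ! and equality (no substring/presence items).
SEARCHFILTER = ("(|(objectclass=group)(objectclass=organizationalunit)"
                "(&(objectclass=user)(!(objectclass=computer))))")

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|", "!"):
        i, kids = i + 2, []
        while f[i:i + 1] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, value = f[i + 1:end].partition("=")
    if not (attr and sep):
        raise ValueError(f"unsupported filter item {f[i + 1:end]!r}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """entry maps attribute name -> list of values; comparison ignores case."""
    if node[0] == "=":
        return any(v.lower() == node[2] for k, vs in entry.items()
                   if k.lower() == node[1] for v in vs)
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "&":
        return all(results)
    return any(results) if node[0] == "|" else not results[0]

def selected(filter_text, entry):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return matches(node, entry)

# Constructed sample entries: DNs and objectClass values are assumptions.
ENTRIES = {
    "cn=jdoe,cn=users,dc=example,dc=com": ["top", "person", "user"],
    "cn=host01,cn=computers,dc=example,dc=com": ["top", "user", "computer"],
    "cn=staff,cn=users,dc=example,dc=com": ["top", "group"],
    "cn=child,cn=host01,cn=computers,dc=example,dc=com": ["top", "leaf"],
}

def report():
    """Return {dn: True if the searchfilter would select the entry}."""
    return {dn: selected(SEARCHFILTER, {"objectClass": oc})
            for dn, oc in ENTRIES.items()}
```

Calling report() returns one boolean per DN; entries that come back False would not be returned by a search using this filter.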

 

Cause
