Thursday, 29 April 2010 (B.E. 2553)

Object class violation when creating group in LDAP using WebSphere Portal

 

Technote (troubleshooting)

Problem (Abstract)

When attempting to create a group using IBM® WebSphere® Portal, you receive an "EJPSG0015E: Data Backend Problem" error. The details show that this is caused by the LDAP server returning an error code 65 (object class violation).

Symptom

SystemOut.log will contain:

... WSMM Message  E com.ibm.ws.wmm.ldap.LdapRepositoryImpl void create(String DN, Attributes attributes) The following Naming Exception occured during processing: "javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=testgroupname,o=ibm'; resolved object com.sun.jndi.ldap.LdapCtx@28da7087".
... CreateGroupCo E com.ibm.wps.command.puma.CreateGroupCommand AbstractCommand.throwCommandFailedException EJPEB0003E: CreateGroupCommand.execute: An exception occurred.
com.ibm.wps.util.DataBackendException: EJPSG0015E: Data Backend Problem
...
Caused by: com.ibm.websphere.wmm.exception.WMMSystemException: The following Naming Exception occured during processing: "javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=testgroupname,o=ibm'; resolved object com.sun.jndi.ldap.LdapCtx@28da7087".
at com.ibm.ws.wmm.ldap.LdapRepositoryImpl.create(LdapRepositoryImpl.java:107)

Resolving the problem

Refer to the 'LDAP: error code ...' technote in the related information below, which explains that the LDAP server generates error code 65. Consult with your LDAP administrator to troubleshoot the failure from an LDAP perspective.

You may have to update the WebSphere Member Manager (WMM) configuration to resolve the problem. For example, this error can occur when attempting to create a group in IBM Tivoli Directory Server (ITDS) using the objectClass accessGroup. Consider the case where wmm.xml contains:

<supportedLdapEntryType name="Group" rdnAttrTypes="cn" objectClassesForRead="accessGroup" objectClassesForWrite="accessGroup" searchBases="o=ibm"/>

and wmmLDAPServerAttributes.xml contains:

<attributeMap wmmAttributeName="groupMember" pluginAttributeName="uniqueMember" applicableMemberTypes="Group" dataType="String" valueLength="1024" multiValued="true" defaultValue="uid=dummy"/>

If you enable the traces recommended in the WebSphere Member Manager MustGather and attempt to create a group in WebSphere Portal, you will see the following in trace.log:

.WMM Trace Log > com.ibm.ws.wmm.ldap.LdapConnectionImpl DirContext createSubcontext(Name name,  Attributes attrs) Entry cn=testgroupname,o=ibm {objectclass=objectClass: accessgroup, uniquemember=uniquemember: uid=dummy, cn=cn: testgroupname}
...
WSMM Message  E com.ibm.ws.wmm.ldap.LdapRepositoryImpl void create(String DN, Attributes attributes) The following Naming Exception occured during processing: "javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=testgroupname,o=ibm'; resolved object com.sun.jndi.ldap.LdapCtx@1faad592"

This failure occurs because the definition of the accessGroup object class does not include the uid and uniquemember attributes:

accessgroup :
{                                                                      
1.3.18.0.2.6.75                                                      
NAME 'accessGroup'                                                    
DESC 'A group that is used for access control.'
SUP top STRUCTURAL
MUST cn
MAY (businessCategory $ description $ member $ o $ ou $ owner $ seeAlso)
}

Therefore, you have two options to correct the problem. If your LDAP server is configured such that a defaultValue is required for member (see the "Mapping LDAP Attributes" link below), you must update wmmLDAPServerAttributes.xml, replacing the entry for wmmAttributeName="groupMember" with the following (changing pluginAttributeName and defaultValue):

<attributeMap wmmAttributeName="groupMember" pluginAttributeName="member" applicableMemberTypes="Group" dataType="String" valueLength="1024" multiValued="true" defaultValue="cn=dummy"/>

If your LDAP server does not require a defaultValue, you could use the following instead:

<attributeMap wmmAttributeName="groupMember" pluginAttributeName="member" applicableMemberTypes="Group" dataType="String" valueLength="1024" multiValued="true"/>

Use the check-out/check-in procedure to update the WMM configuration if running in a cluster. Restart WebSphere Portal to read the updated WMM configuration.
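
The following Python check is an added example, not part of the technote or IBM's tooling. It parses the accessGroup definition and the two WMM snippets shown above and reports a mapped attribute that the write object class does not allow. It assumes the attributeMap applies to the Group entry type, that objectClassesForWrite separates multiple classes with ';', and that only objectClass is inherited from top (longer SUP chains are not followed); the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, copied from the snippets shown on this page.
SCHEMA = """{ 1.3.18.0.2.6.75 NAME 'accessGroup'
DESC 'A group that is used for access control.' SUP top STRUCTURAL MUST cn
MAY (businessCategory $ description $ member $ o $ ou $ owner $ seeAlso) }"""
ENTRY_TYPE = ('<supportedLdapEntryType name="Group" rdnAttrTypes="cn" '
              'objectClassesForRead="accessGroup" objectClassesForWrite="accessGroup" '
              'searchBases="o=ibm"/>')
MAP_BROKEN = ('<attributeMap wmmAttributeName="groupMember" pluginAttributeName="uniqueMember" '
              'applicableMemberTypes="Group" dataType="String" valueLength="1024" '
              'multiValued="true" defaultValue="uid=dummy"/>')
MAP_FIXED = MAP_BROKEN.replace("uniqueMember", "member").replace("uid=dummy", "cn=dummy")


def parse_object_class(definition):
    """Return (lowercased class name, set of lowercased MUST and MAY attributes)."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1).lower()
    body = re.sub(r"'[^']*'", "", definition)  # drop quoted strings such as DESC
    allowed = {"objectclass"}  # assumption: inherited from 'top'; SUP chain not followed
    for keyword in ("MUST", "MAY"):
        m = re.search(r"\b" + keyword + r"\s+(\(([^)]*)\)|[\w-]+)", body)
        if m:
            names = m.group(2) if m.group(2) is not None else m.group(1)
            allowed |= {a.strip().lower() for a in names.split("$") if a.strip()}
    return name, allowed


def violations(entry_type_xml, attribute_map_xml, schemas):
    """Return the mapped LDAP attribute in a list if no write object class allows it."""
    entry = ET.fromstring(entry_type_xml)
    amap = ET.fromstring(attribute_map_xml)
    attr = amap.get("pluginAttributeName").lower()  # LDAP attribute names are case-insensitive
    allowed = set()
    for oc in entry.get("objectClassesForWrite").split(";"):  # ';' separator is an assumption
        allowed |= schemas.get(oc.strip().lower(), set())
    return [] if attr in allowed else [attr]


if __name__ == "__main__":
    name, allowed = parse_object_class(SCHEMA)
    for label, amap in (("original", MAP_BROKEN), ("corrected", MAP_FIXED)):
        print(label, violations(ENTRY_TYPE, amap, {name: allowed}) or "ok")
```

Running the same check against the schema exported from your own directory before changing wmmLDAPServerAttributes.xml shows whether a planned pluginAttributeName will be rejected with error code 65.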

Related information

'LDAP: error code ...' messages
WMM MustGather
Mapping LDAP Attributes