LDAP: error code 17 - Undefined Attribute Type



mraible
Oct 11th, 2006, 01:18 AM
I have the following methods I'm using to update a User object in LDAP.



protected void mapToContext(User user, DirContextAdapter context) {
    context.setAttributeValues("objectclass", new String[]{"top", "person", "inetOrgPerson"});
    context.setAttributeValue("uid", user.getUsername());
    context.setAttributeValue("userPassword", LdapUtils.getUtf8Bytes(user.getPassword()));
    context.setAttributeValue("cn", user.getFirstName());
    context.setAttributeValue("sn", user.getLastName());
    context.setAttributeValue("displayName", user.getFullName());
    context.setAttributeValue("mail", user.getEmail());
    context.setAttributeValue("telephoneNumber", user.getPhoneNumber());
    context.setAttributeValue("title", user.getTitle());
    context.setAttributeValue("department", user.getDepartment());
    context.setAttributeValue("passwordHint", user.getPasswordHint());

    // non-String properties, stored as their String form
    context.setAttributeValue("version", String.valueOf(user.getVersion()));
    context.setAttributeValue("accountEnabled", String.valueOf(user.isEnabled()));
    context.setAttributeValue("accountExpired", String.valueOf(user.isAccountExpired()));
    context.setAttributeValue("accountLocked", String.valueOf(user.isAccountLocked()));
    context.setAttributeValue("credentialsExpired", String.valueOf(user.isCredentialsExpired()));
}


Everything works fine if I modify the String values. However, if I modify version, accountEnabled, accountExpired (the non-String values), I get the following error:



org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - Undefined Attribute Type]; remaining name 'uid=tomcat, ou=users'
Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - Undefined Attribute Type]; remaining name 'uid=tomcat, ou=users'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1437)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
    at org.springframework.ldap.LdapTemplate$13.executeWithContext(LdapTemplate.java:741)
    at org.springframework.ldap.LdapTemplate.executeWithContext(LdapTemplate.java:641)
    at org.springframework.ldap.LdapTemplate.executeReadWrite(LdapTemplate.java:636)
    at org.springframework.ldap.LdapTemplate.modifyAttributes(LdapTemplate.java:738)


Any idea what could be wrong?

Thanks,

Matt

mraible
Oct 11th, 2006, 09:46 AM
On a related note, when I try to remove a user from a role, I get the same error. Below is the method I'm using to do this:



public void removeUser(Long userId) {
    User user = getUser(userId);
    ldapTemplate.unbind(buildDn(user));

    // remove user from roles - this currently doesn't work due to issue in last 3 lines of this block
    for (Role role : user.getRoles()) {
        Role r = roleDao.getRoleByName(role.getName());
        // rebuild the member list without this user's entry
        List<String> members = new ArrayList<String>(r.getMembers().length);
        for (String member : r.getMembers()) {
            if (member.indexOf(user.getUsername()) == -1) {
                members.add(member);
            }
        }
        r.setMembers(members.toArray(new String[0]));

        // calling saveRole results in javax.naming.directory.SchemaViolationException
        // todo: fix so users are removed from roles when they're deleted
        //roleDao.saveRole(r);
    }

    // remove from database too
    jdbcTemplate.update("delete from " + userTableName + " where id=?", new Object[]{userId});
}

rasky
Oct 11th, 2006, 11:55 AM
I've never run into that error myself, but it seems to be caused by the fact that the referenced attribute is not present in the schema defined for the LDAP server instance you are running against.

I guess my best hint would be to check the server configuration so that the schema is set up correctly.

ulsa
Oct 13th, 2006, 09:24 AM
It looks like you try to modify an object of class inetOrgPerson (http://www.zytrax.com/books/ldap/ape/inetorgperson.html). If you're using attributes that are not defined for that objectclass, you must create your own objectclass that extends inetOrgPerson.

Another thing I notice is that you have missed parts of the hierarchy. inetOrgPerson extends organizationalPerson if you're using the official schema. Many servers don't verify that the hierarchy is correct, so you must be diligent in doing so yourself. Some servers do check, and then you might get into trouble.

objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson

mraible
Oct 13th, 2006, 09:54 AM
I tried both removing the inetOrgPerson objectclass, as well as adding organizationalPerson as an objectclass. Neither solved my problem. I'm guessing that you're saying I need to create a custom objectclass if I plan on adding any attributes not defined in the person (or inetOrgPerson) schemas. Do I do that on the LDAP server side of things, or is it possible to do that in Java code?

ulsa
Oct 13th, 2006, 10:20 AM
> I'm guessing that you're saying I need to create a custom objectclass if I plan on adding any attributes not defined in the person (or inetOrgPerson) schemas.


That's exactly what I meant. Sorry if I was unclear.



> Do I do that on the LDAP server side of things, or is it possible to do that in Java code?


Well, you need to add a custom schema with your own objectclass on the server in order to get the server to accept your custom attributes. The procedure and format are server-specific. However, you also need to specify your new objectclass in the objectclass attribute when creating new objects. Example with a custom objectclass called "authorizablePerson":



context.setAttributeValues("objectclass", new String[]{"top", "person",
        "organizationalPerson", "inetOrgPerson", "authorizablePerson"});
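A pre-flight check that makes the distinction in this thread concrete: error code 17 when the attribute type is not in the server schema at all, versus an object class violation (the SchemaViolationException from the removeUser post) when the type exists but none of the entry's object classes allow it. This is an added example using the JNDI schema API, not code from the thread or from Spring LDAP; the class name LdapSchemaCheck and its method names are hypothetical, and it assumes an already-bound DirContext and the entry DN from the trace, uid=tomcat,ou=users.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;

// Hypothetical helper (not from the thread): pre-flight checks against the server's
// subschema through DirContext.getSchema, run before LdapTemplate.modifyAttributes.
public class LdapSchemaCheck {
    // Names with no AttributeDefinition on this server. A modify touching any of
    // them fails with [LDAP: error code 17 - Undefined Attribute Type].
    public static List<String> undefinedAttributes(DirContext ctx, String entryDn,
            String... attrs) throws NamingException {
        DirContext schema = ctx.getSchema(entryDn);   // e.g. "uid=tomcat,ou=users"
        List<String> missing = new ArrayList<String>();
        for (String attr : attrs) {
            try {
                schema.lookup("AttributeDefinition/" + attr);
            } catch (NamingException e) { // NameNotFoundException: type is undefined
                missing.add(attr);
            }
        }
        return missing;
    }

    // Attributes that none of the given object classes declare as MUST or MAY.
    // Superclasses are not followed, so pass the whole chain (top, person,
    // organizationalPerson, inetOrgPerson, ...), exactly as the entry's objectclass
    // attribute should list it; a non-empty result means an object class violation.
    public static List<String> attributesNotAllowed(DirContext ctx, String entryDn,
            String[] objectClasses, String... attrs) throws NamingException {
        DirContext schema = ctx.getSchema(entryDn);
        Set<String> allowed = new HashSet<String>();
        for (String oc : objectClasses) {
            Attributes def = schema.getAttributes("ClassDefinition/" + oc);
            for (String kind : new String[] {"MUST", "MAY"}) {
                Attribute a = def.get(kind);
                if (a == null) continue;
                for (NamingEnumeration<?> v = a.getAll(); v.hasMore();) allowed.add(v.next().toString().toLowerCase());
            }
        }
        List<String> rejected = new ArrayList<String>();
        for (String attr : attrs) if (!allowed.contains(attr.toLowerCase())) rejected.add(attr);
        return rejected;
    }
}
```

Calling undefinedAttributes with the names from mapToContext (passwordHint, version, accountEnabled, accountExpired, accountLocked, credentialsExpired) reports which of them the server does not know, and calling attributesNotAllowed with the full objectclass list afterwards reports which still need a custom objectclass such as authorizablePerson.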

mraible
Oct 13th, 2006, 10:52 AM
Do you know how Acegi handles getting accountEnabled, accountLocked, etc. attributes into its LdapUserDetailsImpl class? These don't seem to be a part of any schema, and it's not obvious from looking at their code how these are handled.

Thanks,

idiotul
Nov 9th, 2007, 02:06 PM
> Do you know how Acegi handles getting accountEnabled, accountLocked, etc. attributes into its LdapUserDetailsImpl class? These don't seem to be a part of any schema, and it's not obvious from looking at their code how these are handled.
>
> Thanks,

I’d like to know that for myself as well. I was wondering about it for some time, but I could not get any answer at all.

ulsa
Nov 9th, 2007, 02:45 PM
If these attributes are not explained properly in the Acegi reference manual, I suggest you post a question on the Acegi forum (http://forum.springframework.org/forumdisplay.php?f=33). I'm pretty sure they can provide answers for you.

maximus
Mar 6th, 2009, 02:27 PM
I have the same problem.