constraintViolation(19) when adding entry with blank attribute

Document ID : KB000093288
Last Modified Date : 30/04/2018
Show Technical Document Details
Question:
When trying to add a user (or users) to CA Directory DSA fails with constraint violation.
Example of errors seen in various DSA logs are:

Query log:
[108] 20180427.173528.751 0.10 ADD dn="uid=TEST,ou=People,ou=ABC,dc=company,dc=com" source="client" controls="manage-dsa-it"
[108] 20180427.173528.751 0.10 RESULT error attribute 5 constraintViolation(19)

Trace log: (with level set to 'all')
...
...
! [108] Adding attribute {your_attribute_name}
? [108] 20180427.173528.751 WARN : Cannot add null value for syntax 4
? [108] 20180427.173528.751 WARN : Cannot add entry to cache - rolling back
...
...
> [108] -> #0 LDAP ADD-ENTRY-REFUSE
> [108]   invoke-id = 10   credit = 1
> [108]   Attribute Error:
> [108]     Entry:
> [108]       <cosineDomainComponent "com">
> [108]       <cosineDomainComponent "company">
> [108]       <organizationalUnitName "ABC">
> [108]       <organizationalUnitName "People">
> [108]       <cosineUserid "TEST">
> [108]     Attribute: {your_attribute_name}
> [108]     Problem: Constraint violation

 
Answer:
The problem here is attribute syntax 'caseIgnoreString' vs 'caseIgnoreIA5String'.
The above can happen when an attempt is made to insert a null/blank character to an attribute while the syntax type of that attribute is 'caseIgnoreString'. Due to strict x500 standards, CA Directory doesn't allow that. If you must, you can change the syntax to 'caseIgnoreIA5String'.

NOTE: Modifying any CA Directory product provided schema file is not supported. Use it at your own risk. Good idea to create your own extended schema and use that as your business requirement.