Unable to delete dynamic group

Document ID : KB000094811
Last Modified Date : 04/05/2018
Question:
While deleting a Dynamic Group, you might get the following error resulting in failure to delete the group.

dxdelete -h hostname:port "cn=managers,ou=DynGrps,o=democorp,c=au"
ldap_delete: Administrative limit exceeded (11)
Answer:
The problem is Dynamic Groups coexisting with memberOf functionality.

For example, you may have the following defined in your DSA config:

=======
clear dynamic-group;

set dynamic-group GROUP = {
   subtree = <c au>
   objectClass = dxDynamicGroupOfNames
   url-attr = dxMemberURL
   member-attr = Member
};

set memberof-user-containers = <c AU><o Democorp>;
set memberof-group-containers = <c AU><o Democorp><ou dyngrps>;
=======

This worked fine until CA Directory 12.0.15 and a bug was introduced. The fix has been provided in the CA Directory 12.6.06+ and 14.0.xx releases, so the recommendation is to upgrade to one of these versions to address this problem.

WORKAROUND:
=============

If you cannot upgrade for any reason, the workaround is to disable memberOf functionality temporarily, perform your delete operation(s), and then re-enable memberOf functionality.

To disable memberOf, comment out the two memberOf lines shown above (set memberof-user-containers and set memberof-group-containers) in the config and restart the DSA. Once the cleanup is done, uncomment those two lines and restart the DSA.
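
The workaround above as shell functions, added here as an example and not part of the original article or CA's tooling. The settings file path and DSA name in the usage comment are placeholders, and the `#memberof-off# ` marker is a convention of this example, used so that re-enabling restores only the lines the script itself disabled.

```shell
#!/bin/sh
# Added example: toggle the memberOf settings in a DSA settings file.
# DXserver config files treat lines beginning with '#' as comments.
# MARK tags lines commented out by this script, so memberof_enable never
# uncomments a line an administrator had already disabled by hand.
MARK='#memberof-off# '

# $1 = path to the DSA settings file (placeholder, site-specific)
memberof_disable() {
    # Already disabled by this script: do nothing (keeps the backup valid).
    if grep -q "^${MARK}" "$1"; then
        return 0
    fi
    cp -p "$1" "$1.bak" || return 1
    # Write back in place so the file keeps its owner and permissions.
    sed -e "s/^[[:space:]]*set memberof-user-containers/${MARK}&/" \
        -e "s/^[[:space:]]*set memberof-group-containers/${MARK}&/" \
        "$1.bak" > "$1"
}

memberof_enable() {
    # Strip only this script's marker; other comments are left alone.
    sed "s/^${MARK}//" "$1" > "$1.tmp" &&
        cat "$1.tmp" > "$1" &&
        rm -f "$1.tmp"
}

# Usage, with CFG and DSA as placeholders for your settings file and DSA name:
#   memberof_disable "$CFG" && dxserver stop "$DSA" && dxserver start "$DSA"
#   dxdelete -h hostname:port "cn=managers,ou=DynGrps,o=democorp,c=au"
#   memberof_enable "$CFG" && dxserver stop "$DSA" && dxserver start "$DSA"
```

The copy left in `<file>.bak` is the configuration as it was before memberOf was disabled; compare it with the live file after re-enabling to confirm nothing else changed.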