000026198 - 00002014: UpdErr: DSID-031A0F8A  problem 6002 (OBJ_CLASS_VIOLATION)  data 0 [Object class violation]

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026198
Applies To: RSA ClearTrust
Issue: Users in auxstore are read-only. cleartrust.data.ldap.auxuser.readonly=true
00002014: UpdErr: DSID-031A0F8A, problem 6002 (OBJ_CLASS_VIOLATION), data 0 [Object class violation]     
Cause: This error appears after following the steps on page 54 of the RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide. The RSA Entitlements Server (EServer) debug log also shows the following information:

01:05:44:125 [*] [APIClientProxy_0] - LDAPUser:
        User (DN="cn=bulk0005a,cn=Users,dc=csau2003,dc=ap,dc=rsa,dc=net") AdministrativeGroupID: UniqueIdentifier (Data Store Type: LDAP Store ID: Testv1 ClassIdentifier: 1) DN:  "cn=Default Administrative Group,ou=ctscAdminRepository,dc=csmjb,dc=ap,dc=rsa,dc=net"
01:05:44:406 [*] [APIClientProxy_0] - Hashing user: cn=bulk0005a,cn=Users,dc=csau2003,dc=ap,dc=rsa,dc=net
 to member list: cn=Member List 163,cn=Default Administrative Group,ou=ctscAdminRepository,dc=csmjb,dc=ap,dc=rsa,dc=net sirrus.da.exception.DataStoreException: 000020B5: AtrErr: DSID-031516FC, #1:
        0: 000020B5: DSID-031516FC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
Att 1c860020 (ctscPrivateMemberList)
  [Constraint violation]
        at sirrus.da.ldap.util.AbstractLDAPCommand.handleUnknownLDAPException(AbstractLDAPCommand.java:268)
        at sirrus.da.ldap.util.AbstractLDAPCommand.singleExecute(AbstractLDAPCommand.java:199)
        at sirrus.da.ldap.util.AbstractLDAPCommand.execute(AbstractLDAPCommand.java:86)

The problem is that the ctscPrivateMemberList we are trying to update is on the primary data store, but the user we have updated is in the auxstore. Page 66 of the RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide states to change the following parameter:

    cleartrust.data.ldap.group.readonly    :false

The specific auxstore is set to readonly in the ldap.conf file.

Resolution: There are a variety of readonly parameters in the RSA ClearTrust ldap.conf file. It is not uncommon for ClearTrust to be able to view and use users in different stores without being allowed administrative update access, since those users might be managed by some other system.

There is both a global setting for all values in auxstores (since you may have more than one) and subsequent settings for individual stores.
Workaround: The store is read-only. See the ".readonly" configuration parameter. cleartrust.data.ldap.directory.reaper.readonly=true
Legacy Article ID: a26419
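
The readonly flags described under Resolution and Workaround can be listed and checked with a short script. This is an added example, not RSA's code: it assumes ldap.conf uses Java-properties syntax, and the sample file content and the function names (readonly_flags, audit) are constructed for illustration.

```python
import re

# Constructed sample, not a real ldap.conf. The three cleartrust.* names are
# the ones quoted in this article; the last key is hypothetical.
SAMPLE = """\
# constructed sample
cleartrust.data.ldap.auxuser.readonly=true
cleartrust.data.ldap.group.readonly    :false
cleartrust.data.ldap.directory.reaper.readonly = true
cleartrust.data.ldap.auxuser.readonly=false
hypothetical.other.setting=value
"""

# Assumption: Java-properties style lines, "key=value" or "key:value",
# with "#" or "!" starting a comment.
_LINE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")


def readonly_flags(text):
    """Map each *.readonly key to its [(line_no, value), ...] definitions."""
    flags = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if m and m.group(1).endswith(".readonly"):
            flags.setdefault(m.group(1), []).append((line_no, m.group(2).lower()))
    return flags


def audit(text):
    """Return (read_only_keys, conflicting_keys, malformed_keys)."""
    read_only, conflicting, malformed = [], [], []
    for key, defs in readonly_flags(text).items():
        values = {v for _, v in defs}
        if values - {"true", "false"}:
            malformed.append(key)        # value is neither true nor false
        if len(values) > 1:
            conflicting.append(key)      # defined twice with different values
        elif values == {"true"}:
            read_only.append(key)        # set to true: scope is read-only
    return read_only, conflicting, malformed


if __name__ == "__main__":
    ro, conflicts, bad = audit(SAMPLE)
    print("read-only:", ro)
    print("conflicting definitions:", conflicts)
    print("non-boolean values:", bad)
```

Keys reported as conflicting are the first place to look when a store behaves as read-only despite one line in the file saying otherwise.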