Hello,
These situations occurred more than once to us, during AD adapter upgrades for example. Once or twice our old adapter guid naming matched IBM's new fields. Then we stopped using numbers :) On one switch from 5.1 to 6 I think, every boolean was string (example: forcepasswordchange) but made boolean in next adapter. Anyway, we had written SDI AL's to remove (set null) to these attributes only on ISIM's ldap.
You can give a filter (&(objectclass=racfaccount)(erracconXML=*)), clear everything. Then re-import the profile. A reconciliation after brings every data. However during this period, ISIM should not attempt to update that field (policy mark mode may help but it may not be enough) because that will give an error. You should consider if modify / change password operations will affect your field.
Thanks,
------------------------------
Ali Malik Gürbüz
Bilgibirikim A.S - Turkey/EMEA
IBM Business Partner
13+ Years with ISIM/ISVG etc.
5.2.5 Certified Exam Developer *I* - 2019
IBM Champion 2025
------------------------------
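The cleanup step described in the reply above, as an added example that is not part of the thread and not IBM's or any poster's tooling: it reads account entries exported as LDIF and builds the modify records that clear erracconxml, so they can be reviewed before being applied to a test directory. The sample entries, DNs and function names are constructed for illustration.

```python
import base64
import re

ATTR = "erracconxml"  # attribute named in the thread; LDAP attribute names are case-insensitive

# Constructed sample of exported account entries; DNs and values are made up.
_DN2 = base64.b64encode(b"eruid=USER02,ou=accounts,dc=example").decode("ascii")
SAMPLE_LDIF = f"""\
dn: eruid=USER01,ou=accounts,
 dc=example
erracconxml: <conn>GRP1</conn>

dn:: {_DN2}
erRacConXML: <conn>GRP1</conn>

dn: eruid=USER03,ou=accounts,dc=example
eruid: USER03
"""

def unfold(text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", text).splitlines()

def entries_with_attr(text, attr=ATTR):
    """Return the DNs of entries that hold at least one value of attr."""
    found, dn, has_attr = [], None, False
    for line in unfold(text) + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if dn and has_attr:
                found.append(dn)
            dn, has_attr = None, False
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            key = name.split(";")[0].lower()  # drop options such as ";binary"
            is_b64 = rest.startswith(":")     # "attr:: value" means base64
            value = rest[1:].strip() if is_b64 else rest.strip()
            if key == "dn":
                dn = base64.b64decode(value).decode("utf-8") if is_b64 else value
            elif key == attr.lower():
                has_attr = True
    return found

def cleanup_ldif(text, attr=ATTR):
    """One modify record per matching entry, deleting every value of attr."""
    out = []
    for dn in entries_with_attr(text, attr):
        head = f"dn: {dn}" if dn.isascii() else "dn:: " + base64.b64encode(dn.encode()).decode()
        out.append(f"{head}\nchangetype: modify\ndelete: {attr}\n-\n")
    return "\n".join(out)
```

Entries that do not carry the attribute (USER03 in the sample) produce no record, so the generated LDIF touches only the accounts that block the schema change.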
Original Message:
Sent: Mon December 01, 2025 01:26 AM
From: Franz Wolfhagen
Subject: Identity Manager - RACF Adapter - manage group members doesn't work
The reason it is not changed during load of the new profile is because there are attributes with values in the system - and Directory Server does not allow a change of the schema if there are...
You can remove all account/group values in the ldap and then it MAY work - but doing it directly in the Web Admin Tool is the best option....
WARNING: do NOT change it in v3.modifiedschema if you did not do the attribute cleanup - that is a sure way of giving you troubles....
------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs
Original Message:
Sent: Sun November 30, 2025 02:58 PM
From: Frank Tate
Subject: Identity Manager - RACF Adapter - manage group members doesn't work
It's funny. I see this comment in the schema.dsml file for the latest adapter:
2017-11-22 J. Ruijter Changed erracconxml to directory string
(This is the most recent comment about this attribute).
But the change wasn't made. The attribute is still defined as BINARY (syntax 1.3.6.1.4.1.1466.115.121.1.15) with length 2048:
<attribute-type single-value = "false" >
    <name>erRacConXML</name>
    <description>User Group Connection Group Name</description>
    <object-identifier>1.3.6.1.4.1.6054.3.127.2.200</object-identifier>
    <syntax>1.3.6.1.4.1.1466.115.121.1.15{2048}</syntax>
</attribute-type>
So I do think that changing it as you suggested will work.
Thanks again!
------------------------------
Frank Tate
Gulfsoft Consulting
https://www.gulfsoft.com
AIOps Experts. Contact us for implementation help.
Original Message:
Sent: Sat November 29, 2025 04:30 AM
From: Franz Wolfhagen
Subject: Identity Manager - RACF Adapter - manage group members doesn't work
Get a case out of the door - that sounds like an attribute definition that is wrong.
The challenge here may be that the length of the erraconxml attribute can be longer than what a varchar can accommodate. This is why you will see a short msg and a msg in the process tables where XML data is stored.
You COULD delete all RACF accounts (or just the erraconxml attributes) and try to change it to varchar and see if that fixes your problem (do not do this on a production system...)
HTH
------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs
Original Message:
Sent: Fri November 28, 2025 11:42 AM
From: Frank Tate
Subject: Identity Manager - RACF Adapter - manage group members doesn't work
I'm working with ISIM 10.0 and IDS 6.4 with the RACF adapter installed (among many others). (Yes, I know the environment needs to be upgraded).
When I try to manage the members of a group, I get an error in the GUI:
LDAP error 92
In debugging this, I can see that the error occurs because the system is trying to do a substring search on the erracconxml LDAP attribute, which is defined as a BINARY attribute. Everything I can find online states that substring searches are absolutely not possible on BINARY attributes in IBM Directory Server. So I don't believe that this has ever worked, and I don't think it can work due to this restriction. I've even reproduced it with other BINARY attributes. For example, doing a simple ldapsearch with the filter "erxml=*foo*" gives the same error code.
My questions are:
- Is this supposed to work?
- If so, what do I need to configure to get it to work?
Thanks,
Frank
------------------------------
Frank Tate
Gulfsoft Consulting
https://www.gulfsoft.com
AIOps Experts. Contact us for implementation help.
------------------------------