LDAP_UNWILLING_TO_PERFORM (53) error when trying to synchronize a user to Active Directory

(Last modified: 14Dec2005)

This document (10099876) is provided subject to the disclaimer at the end of this document.

symptom

LDAP_UNWILLING_TO_PERFORM (53) error when trying to synchronize a user to Active Directory

fact

Novell Identity Manager

Microsoft Active Directory

cause

The attribute 'memberOf' had been added to the User class's filter and was being synchronized to Active Directory.  This is not possible because that attribute is read-only in Active Directory.  When a membership is added to the corresponding group, Active Directory populates the user's side automatically.  Writing it directly is an illegal operation and results in the error above.

fix

Remove memberOf from the filter for the User object.  This is the default as shipped by Novell and should not be changed.

Whenever a member is added to a group in eDirectory, an event is triggered on both the user and the group.  Regardless of how the user was added to the group, that event reaches every applicable connected system (including Active Directory) without the change having to be applied explicitly on both objects.  For this reason the memberOf attribute need not be synchronized in the Active Directory driver filter.  As long as the group is associated with the Active Directory system, it will synchronize with all members possible.  If memberships are not reaching Active Directory, the likely cause is that the group as a whole is not synchronizing, or that the appropriate attribute on the Group object is not synchronizing.

note

Trace error:

<status level="error" type="driver-general" event-id="NWSRVR#20051207203448#1#1">
  <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
    <client-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
    <server-err>0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0</server-err>
    <server-err-ex win32-rc="8346"/>
  </ldap-err>
</status>

Operation Document from the Remote Loader (note the memberOf attribute being sent to Active Directory):

<add class-name="user" dest-dn="CN=Some User,OU=Users,OU=Container3,DC=test,DC=anothertest,DC=base" event-id="NWSRVR#20051207203448#1#1" qualified-src-dn="O=base\OU=someContainer\OU=Users\CN=suser" src-dn="\TEST\base\someContainer\Users\suser" src-entry-id="33001">
  <add-attr attr-name="memberOf">
    <value association-ref="581c5fea7f719e468d2c7d278e87320a" timestamp="1133896723#175" type="dn">\TEST\base\someContainer\Groups\testGroup</value>
  </add-attr>
  <add-attr attr-name="physicalDeliveryOfficeName">
    <value timestamp="1133883768#6256" type="string">someData</value>
  </add-attr>
  <add-attr attr-name="department">
    <value timestamp="1133883768#6263" type="string">someDepartment</value>
  </add-attr>
  <add-attr attr-name="sn">
    <value timestamp="1133883768#6264" type="string">User</value>
  </add-attr>
  <add-attr attr-name="displayName">
    <value timestamp="1133883768#6267" type="string">Some User</value>
  </add-attr>
  <add-attr attr-name="givenName">
    <value timestamp="1133883768#6268" type="string">Some</value>
  </add-attr>

*snip*

</add>
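As an added example (not part of this TID and not Identity Manager's own code), the following Python script scans a driver trace for LDAP_UNWILLING_TO_PERFORM statuses and correlates each one, by event-id, with the operation document that triggered it, reporting which attributes that Active Directory maintains itself (memberOf, per the cause above) were sent to it. The sample trace is constructed from the fragments shown above; the wrapping <trace> element and the second, clean event are assumptions made so the fragments form one parseable document.

```python
import xml.etree.ElementTree as ET

# Attributes Active Directory maintains itself on user objects; memberOf is the
# one this TID names (AD fills it in when the group's membership changes).
AD_MANAGED_USER_ATTRS = {"memberOf"}

# Constructed sample trace: the page's <add> and <status> fragments wrapped in an
# assumed <trace> element, plus a second event that succeeds, for contrast.
SAMPLE_TRACE = r"""<trace>
<add class-name="user" dest-dn="CN=Some User,OU=Users,DC=test,DC=base"
     event-id="NWSRVR#20051207203448#1#1">
  <add-attr attr-name="memberOf">
    <value type="dn">\TEST\base\someContainer\Groups\testGroup</value>
  </add-attr>
  <add-attr attr-name="sn"><value type="string">User</value></add-attr>
</add>
<status level="error" type="driver-general" event-id="NWSRVR#20051207203448#1#1">
  <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
    <server-err>0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0</server-err>
  </ldap-err>
</status>
<add class-name="user" dest-dn="CN=Other,OU=Users,DC=test,DC=base"
     event-id="NWSRVR#20051207203448#1#2">
  <add-attr attr-name="sn"><value type="string">Other</value></add-attr>
</add>
<status level="success" event-id="NWSRVR#20051207203448#1#2"/>
</trace>"""

def unwilling_event_ids(trace_xml):
    """Return the event-ids of every <status> whose <ldap-err> carries ldap-rc 53."""
    root = ET.fromstring(trace_xml)
    return {s.get("event-id") for s in root.iter("status")
            if any(e.get("ldap-rc") == "53" for e in s.iter("ldap-err"))}

def offending_attrs(trace_xml):
    """Map each failing event-id to the AD-managed attributes its <add>/<modify>
    operation tried to write; an empty list means the failure has another cause."""
    root = ET.fromstring(trace_xml)
    failing = unwilling_event_ids(trace_xml)
    report = {}
    for op in root.iter():
        if op.tag not in ("add", "modify") or op.get("event-id") not in failing:
            continue
        sent = {a.get("attr-name") for a in op.iter() if a.tag in ("add-attr", "modify-attr")}
        report[op.get("event-id")] = sorted(sent & AD_MANAGED_USER_ATTRS)
    return report

if __name__ == "__main__":
    for eid, attrs in offending_attrs(SAMPLE_TRACE).items():
        print(f"{eid}: remove {attrs} from the User filter" if attrs else f"{eid}: other cause")
```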

document

Document Title: LDAP_UNWILLING_TO_PERFORM (53) error when trying to synchronize a user to Active Directory
Document ID: 10099876
Solution ID: NOVL104482
Creation Date: 08Dec2005
Modified Date: 14Dec2005
Novell Product Class: DirXML

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.