Error: LDAP_CONSTRAINT_VIOLATION

An LDAP_CONSTRAINT_VIOLATION means the Destination schema doesn’t like something the Sync is trying to do with an attribute. The Sync may be trying to set an attribute that doesn’t exist, or the sync may be trying to set an invalid value for an attribute.

Troubleshooting tips:

1. We see Constraint Violation errors that specify showinaddressbook as the culprit quite often. To correct this:

   • Create a custom object map file.
   • At the bottom, there are two default showinaddressbook mappings. Comment out one, as below:
     #showinaddressbook=cn=All Users,~addressbookroots~
showinaddressbook=~globaladdresslist~
   • Run the sync. Did the error go away?
     • If it did, you’ve found the problematic mapping. If your entries are populating the GAL as expected, you may not need this mapping at all and may leave it commented out to continue to sync without error.
     • If not, go back and comment out the other one while removing the pound sign from the first one, as below:
       showinaddressbook=cn=All Users,~addressbookroots~
#showinaddressbook=~globaladdresslist~
   • Run the sync. Did the error go away?
     • If it did, you’ve found the problematic mapping. If your entries are populating the GAL as expected, you may not need this mapping at all and may leave it commented out to continue to sync without error.
     • If not, comment them both out, as below:
       #showinaddressbook=cn=All Users,~addressbookroots~
#showinaddressbook=~globaladdresslist~
   • Run the sync. Did the error go away?
     • If you are still receiving errors, it may be due to an entirely different cause.
     • Please run the sync at Log File level 3-Detailed (General tab) and forward to support@dirwiz.com for additional troubleshooting.

2. When syncing to Active Directory (AD), another common cause of Constraint Violation errors is an Add which specifies a DN including a CN that is to long. The CN in the DN is limited to 64 characters. By default, the Sync uses email address in the CN. Occasionally, an email address exceeds 64 characters. The latest default map files are designed to automatically truncate the value as it appears in the DN to avoid this error. If you are using an old map file that does not contain this truncation, edit your map file and add the truncation.

   • If you don’t already have a custom object map file, create one now.
   • The first line of your map file (DN) would read like this if it is missing the truncation:
     dn=cn=~mail~,~struct~
   • Edit this mapping to add the #64 truncation like this:
     dn=cn=~mail#64~,~struct~
   • Click Save.
   • Click Save again to confirm selection of the custom object map file that you just created.
   • When you run your Sync, previously Synced objects will not be affected. Only those objects that have failed to Sync due to this error will be affected, as they have the DN properly truncated to the required limit, they will now be added successfully.
     NOTE: This truncation only applies to the value as it appears in the DN. The actual email address value is synced as-is, without truncation. If you are unsure of the results you will see, run a Simulation first to verify results.

3. If you are syncing to an AD Destination, using a mail-enabled template, verify that the Exchange schema is actually loaded on your Destination AD. In order to sync Exchange attributes required for a mail-enable object, at least Forest Prep must have been run on the Destination server.

4. A duplicate attribute mapping can cause a CONSTRAINT_VIOLATION. Verify you did not accidentally add a duplicate mapping in your custom map file.

5. If you customize country or country code mappings (i.e., c or co), make sure the values are correct. The attribute co may only contain a three character country code . Make sure you didn’t accidentally map a full country name to co.

If you have ruled out all of the above potential causes of this error, please email Support with a Sim or Sync Log File set to level 3-Detailed (General tab) for further troubleshooting.