Introduction
Result code 20 (decimal), 'Type or value exists' or 'Attribute or value exists', occurs when a user attempts to add an attribute to an entry with a value that already exists for that attribute type in that entry.
From RFC 4511, the definition of result code 20 is:
attributeOrValueExists (20) Indicates that the client supplied an attribute or value to be added to an entry, but the attribute or value already exists.
Example
For example, create the following LDIF in the file ~/type-or-value-exists.LDIF, which replaces the value of the description attribute, assuming that the user already exists:
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: description 1
Modify the entry using ldapmodify three times:
ldapmodify --hostname localhost --port 1389 \
  --bindDn 'cn=directory manager' --bindPassword password \
  -c -a -f ~/type-or-value-exists.LDIF
# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com

ldapmodify --hostname localhost --port 1389 \
  --bindDn 'cn=directory manager' --bindPassword password \
  -c -a -f ~/type-or-value-exists.LDIF
# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com

ldapmodify --hostname localhost --port 1389 \
  --bindDn 'cn=directory manager' --bindPassword password \
  -c -a -f ~/type-or-value-exists.LDIF
# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
The same entry was modified three times using the same value for the attribute, using the replace keyword. What does the entry look like now?
ldapsearch -D 'cn=directory manager' \
-w password \
--port 1389 \
--searchScope base \
--baseDn uid=user.0,ou=people,dc=example,dc=com '(objectClass=*)'
dn: uid=user.0,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
postalAddress: Aaren Atp$91327 Broadway Street$Las Vegas, UT 08103
postalCode: 08103
description: description 1
uid: user.0
userPassword: {SSHA}cV5E+CQLD9MvGhYwNmbu1SSt//MGjL8Ir/hUPw==
employeeNumber: 0
initials: AWA
givenName: Aaren
pager: +1 214 214 4195
mobile: +1 947 007 3231
cn: Aaren Atp
sn: Atp
telephoneNumber: +1 089 907 9947
street: 91327 Broadway Street
homePhone: +1 457 787 9183
l: Las Vegas
mail: user.0@example.com
st: UT
Note the value of the description attribute. Now change the keyword in the LDIF to add:
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: description
description: description 1
Modify the entry using ldapmodify:
ldapmodify --hostname localhost --port 1389 \
  --bindDn 'cn=directory manager' --bindPassword password \
  -c -a -f ~/type-or-value-exists.LDIF
# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
MODIFY operation failed
Result Code: 20 (Attribute or Value Exists)
Diagnostic Message: Entry uid=user.0,ou=people,dc=example,dc=com cannot \
be modified because it would have resulted in one or more duplicate \
values for attribute description: description 1
This fails because one cannot add an attribute with an existing value, but one can replace it with the same value.
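The add and replace behaviour shown above, reproduced as an added example (not code from the original page or from any directory server): a small in-memory model of the Modify semantics in RFC 4511 section 4.6 that parses the page's LDIF record and returns result codes. The function names are hypothetical, and normalize() is an assumed, simplified stand-in for caseIgnoreMatch, the equality rule that decides whether two description values count as duplicates.

```python
# In-memory model of the Modify semantics in RFC 4511 section 4.6 (illustrative).
SUCCESS = 0
ATTRIBUTE_OR_VALUE_EXISTS = 20

def normalize(value):
    # Assumption: simplified stand-in for caseIgnoreMatch, the equality rule
    # of 'description' (ignores case and insignificant whitespace).
    return " ".join(value.split()).casefold()

def parse_modify(ldif):
    """Parse a one-change LDIF modify record into (dn, op, attr, values)."""
    pairs = [tuple(p.strip() for p in line.split(":", 1))
             for line in ldif.strip().splitlines() if ":" in line]
    if pairs[0][0] != "dn" or pairs[1] != ("changetype", "modify"):
        raise ValueError("not an LDIF modify record")
    op, attr = pairs[2]
    values = [v for k, v in pairs[3:] if k.lower() == attr.lower()]
    return pairs[0][1], op, attr, values

def apply_modify(entry, op, attr, values):
    """Apply one change to entry (dict: attr -> list); return a result code."""
    key = attr.lower()
    if op == "replace":
        # replace discards the old values, so repeating it is idempotent
        entry[key] = list(values)
        if not values:
            del entry[key]  # replace with no values removes the attribute
        return SUCCESS
    if op == "add":
        seen = {normalize(v) for v in entry.get(key, [])}
        for value in values:
            if normalize(value) in seen:
                return ATTRIBUTE_OR_VALUE_EXISTS  # entry is left unchanged
            seen.add(normalize(value))
        entry[key] = entry.get(key, []) + list(values)
        return SUCCESS
    raise ValueError("unsupported modification type: " + op)

# The page's LDIF record, with the keyword left as a placeholder.
RECORD = """dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
{op}: description
description: description 1"""

def replay(ops):
    """Run the page's record once per op in ops against a fresh entry."""
    entry = {"uid": ["user.0"]}
    codes = [apply_modify(entry, *parse_modify(RECORD.format(op=op))[1:])
             for op in ops]
    return codes, entry
```

Calling replay(["replace", "replace", "replace", "add"]) mirrors the four ldapmodify runs on this page. A provisioning job that must be safe to re-run should either use replace or treat result code 20 on add as "value already present".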