In the admin ui, if you try to clear out a string attribute, it makes the attribute an empty string instead of a null or undefined attribute. There is no way to control this behavior.
Consider the case where you configure a mapper from Managed/User to either Ad or Opendj in the default manner.
Say you clear out an attribute via the admin UI.
The user will never get updated again in LDAP via the mapper as changes are made to the user in managed/user. No errors are written to the openidm0.log0 logs. If you delete the user in AD/OpenDj and set the missing behavior to create; only then will you see an error. The error is a schema syntax error based on the empty string.
The root of the problem is that the reconciliation engine just passes the empty strings to LDAP and LDAP fails to process it.
The current solution is to put a test script in place on the transformation mapper that says if the value is empty string, pass a null.
While having this script in place is not terrible, the default behavior is less than helpful.
At minimum errors should be in openidm0.log.0 to let you know which attribute is causing updates to fail.
Better would be for the engine to convert the empty strings to null before they get to LDAP.