OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.1.0
    • Fix Version/s: 6.0.0, 5.5.2
    • Component/s: CTS
    • Environment: external OpenDJ for CTS/Config with OpenDJ --productionMode
    • Yes
    • Yes
    • No
    • Yes, and I used the same as in the description


      Bug description

      The installation guide provides the ACI settings required on OpenDJ.
      However, OpenDJ 5.x now has an option called --productionMode (a hardened configuration). If it
      is enabled, a lot of things break in OpenAM, because ACIs that the non-root bind user needs are missing.
      The password-policy control used at user login may also be unavailable, since it too is not granted by default.

      How to reproduce the issue

      1. Install OpenDJ in productionMode.
      2. Install OpenAM using the external OpenDJ for its configuration store.
      3. Access OpenAM to create a session and watch the session logs for CTS errors; change a password to see whether it succeeds.

      Expected behaviour
      No errors, as when using OpenDJ without productionMode.
      Current behaviour

      CTS may have permission issues, e.g.:

      ERROR: CTS Async: Task Processor Error: processing task
      CTS: Operation failed:
      Result Code: Unavailable Critical Extension
      Diagnostic Message: The request control with Object Identifier (OID) "" cannot be used due to insufficient access rights
      Matched DN:
      at org.forgerock.openam.cts.impl.LdapAdapter.delete(LdapAdapter.java:197)
      at org.forgerock.openam.sm.datalayer.impl.tasks.DeleteTask.performTask(DeleteTask.java:49) 

      Password changes may also fail, due to lack of schema access.

      Workaround

      Define the necessary ACIs manually.

      Code analysis

      OpenAM assumes the default ACI settings and then adds the extra ACIs it requires. So if we start from the hardened state, the missing ACIs or conditions are neither taken care of nor listed in the docs.
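The workaround and the analysis above reduce to one question on a hardened server: which of the ACIs OpenAM expects are actually present for the non-root bind DN? The script below is an added example, not OpenAM or OpenDJ project code. It parses a simplified subset of OpenDJ's ACI syntax (the targetcontrol keyword, the allow/deny permission and the userdn bind rule) and reports which request-control OIDs a given bind DN is granted, which is what the "request control ... cannot be used due to insufficient access rights" error above is about. The ACI strings, the bind DNs and the REQUIRED_CONTROLS list are constructed sample values; in practice the input would be the ds-cfg-global-aci values read from cn=Access Control Handler,cn=config and the control list from the installation guide.

```python
"""Report which LDAP request controls a bind DN is granted by OpenDJ-style ACIs.

Added example (not OpenAM or OpenDJ project code). It understands a simplified
subset of the ACI syntax: the targetcontrol keyword, the allow/deny permission
and the userdn bind rule. groupdn/ip/dns bind rules, negated targetcontrol
("!=") and wildcard DNs are deliberately not treated as grants, so a reported
gap means "no ACI this script understands grants it", which is the
conservative answer for a hardened server.
"""
import re

TARGETCONTROL_RE = re.compile(r'\(targetcontrol\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
PERMISSION_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.IGNORECASE)
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)

# Constructed sample ACIs, standing in for the ds-cfg-global-aci values of a
# hardened server. The control OIDs are sample values only.
SAMPLE_GLOBAL_ACIS = [
    # Two controls granted to every authenticated user ("all").
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 1.3.6.1.4.1.4203.1.10.2")'
    '(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)',
    # One control granted only to a specific service account.
    '(targetcontrol="2.16.840.1.113730.3.4.18")'
    '(version 3.0; acl "Service account control access"; allow(read) '
    'userdn="ldap:///cn=openam,ou=admins,dc=example,dc=com";)',
    # A deny on a control for everyone: must not count as a grant.
    '(targetcontrol="1.2.840.113556.1.4.805")'
    '(version 3.0; acl "No tree delete"; deny(read) userdn="ldap:///anyone";)',
    # Attribute ACI without targetcontrol: irrelevant here and ignored.
    '(targetattr!="userPassword||authPassword")'
    '(version 3.0; acl "Anonymous read"; allow(read,search,compare) userdn="ldap:///anyone";)',
]

# Placeholder list of controls the application needs; the real list comes from
# the product's installation guide, not from this example.
REQUIRED_CONTROLS = [
    "2.16.840.1.113730.3.4.2",
    "2.16.840.1.113730.3.4.18",
    "1.2.840.113556.1.4.319",
]


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' so DNs compare by value."""
    return re.sub(r'\s*([,=])\s*', r'\1', dn.strip()).lower()


def bind_rule_matches(userdn_values, bind_dn):
    """True if one of the ACI's userdn values applies to bind_dn.

    'all' (any authenticated user) and 'anyone' always match; an exact DN
    matches after normalization; wildcard patterns are conservatively skipped.
    """
    target = normalize_dn(bind_dn)
    for value in userdn_values:
        value = value.strip()
        if value.lower() in ("all", "anyone"):
            return True
        if "*" in value:
            continue
        if normalize_dn(value) == target:
            return True
    return False


def parse_targetcontrol_aci(aci):
    """Return (oids, grants_read, userdns) for a targetcontrol ACI, else None.

    A negated targetcontrol ("!=") is returned with grants_read=False because
    an "everything except" grant is not modelled by this simplified parser.
    """
    match = TARGETCONTROL_RE.search(aci)
    if match is None:
        return None
    oids = {oid.strip() for oid in match.group(2).split("||") if oid.strip()}
    perm = PERMISSION_RE.search(aci)
    rights = [] if perm is None else [p.strip().lower() for p in perm.group(2).split(",")]
    grants_read = (
        match.group(1) == "="
        and perm is not None
        and perm.group(1).lower() == "allow"
        and "read" in rights
    )
    return oids, grants_read, USERDN_RE.findall(aci)


def controls_granted(acis, bind_dn):
    """Set of control OIDs that bind_dn may use under the given ACIs."""
    granted = set()
    for aci in acis:
        parsed = parse_targetcontrol_aci(aci)
        if parsed is None:
            continue
        oids, grants_read, userdns = parsed
        if grants_read and bind_rule_matches(userdns, bind_dn):
            granted |= oids
    return granted


def missing_controls(acis, bind_dn, required_oids):
    """Sorted list of required OIDs that no understood ACI grants to bind_dn."""
    granted = controls_granted(acis, bind_dn)
    return sorted(oid for oid in required_oids if oid not in granted)


if __name__ == "__main__":
    for dn in ("cn=openam,ou=admins,dc=example,dc=com", "cn=other,dc=example,dc=com"):
        gap = missing_controls(SAMPLE_GLOBAL_ACIS, dn, REQUIRED_CONTROLS)
        print(f"{dn}: missing {gap if gap else 'nothing'}")
```

Run against the sample data, the service account is still missing one control and an unrelated bind DN is missing two, which is the kind of gap the manual ACI workaround has to close. The deliberately conservative matching (no wildcard DNs, no group rules, no negated targetcontrol) errs toward reporting a gap rather than hiding one, which is the right bias when the starting point is a hardened configuration.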


              peter.major Peter Major
              chee-weng.chea C-Weng C