OpenAM issue OPENAM-11398

OpenAM ACI installation instruction does not work for OpenDJ productionMode


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.1.0
    • Fix Version/s: 6.0.0, 5.5.2
    • Component/s: CTS
    • Environment:
      external OpenDJ for CTS/Config with OpenDJ --productionMode
    • Needs backport:
      Yes
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      The installation guide provides the ACI settings required for OpenDJ.
      However, the issue is that OpenDJ 5.x nowadays has an option called --productionMode (which is a hardened configuration). The issue
      is that if this is enabled, a lot of things will break in OpenAM, as there will be missing ACIs not granted to the non-root bind user.
      It is also possible that user login for the password-policy control may not be there, as it is also not present by default.

      How to reproduce the issue

      1. Install OpenDJ in productionMode.
      2. Install OpenAM to use the external configuration store.
      3. Use this to access OpenAM to create a session and watch the Session logs to see whether CTS has issues; change some passwords to see if they succeed.

      Expected behaviour
      No errors, as when using OpenDJ without productionMode.
      
      Current behaviour

      CTS may have permission issues, e.g.:

      ERROR: CTS Async: Task Processor Error: processing task
      org.forgerock.openam.sm.datalayer.api.LdapOperationFailedException:
      CTS: Operation failed:
      Result Code: Unavailable Critical Extension
      Diagnostic Message: The request control with Object Identifier (OID) "1.3.6.1.1.12" cannot be used due to insufficient access rights
      Matched DN:
      at org.forgerock.openam.cts.impl.LdapAdapter.delete(LdapAdapter.java:197)
      at org.forgerock.openam.sm.datalayer.impl.tasks.DeleteTask.performTask(DeleteTask.java:49) 
      

      Doing a password change may have issues too, due to lack of schema access.

      Work around

      Define the necessary ACIs manually.

      Code analysis

      OpenAM assumes the default ACI settings and then adds the extra required ACIs. So if we start from the hardened state, the missing ACIs or conditions are not taken care of or listed in the docs.
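      The following is an added example, not code from the OpenAM or OpenDJ projects. It shows one way to carry out the workaround above in a repeatable manner: scan CTS debug output for the "Unavailable Critical Extension ... insufficient access rights" diagnostic, collect the OIDs of the request controls OpenDJ refused, and emit an LDIF change that adds one OpenDJ ACI per refused control using the targetcontrol keyword. The log lines embedded below are constructed (modelled on the error in this report, not a real capture); the bind DN uid=openam,ou=admins,dc=example,dc=com, the base DN dc=example,dc=com and the choice of the suffix base entry as the place to hold the ACI are assumptions, so adjust them to the deployment before applying the LDIF with ldapmodify. Only the assertion control (1.3.6.1.1.12, RFC 4528) is labelled by name, because that is the one this report shows; any other denied control is still picked up, just with a generic label.

```python
"""
Derive OpenDJ ACIs for request controls that the CTS bind user was denied.

Added example for this bug report, not OpenAM/OpenDJ project code.
Assumptions: the sample log is constructed; the bind DN and base DN are
placeholders; the suffix base entry is used to hold the new ACIs.
"""
import re

# Constructed sample log, modelled on the stack trace in the report.
SAMPLE_LOG = """\
ERROR: CTS Async: Task Processor Error: processing task
org.forgerock.openam.sm.datalayer.api.LdapOperationFailedException:
CTS: Operation failed:
Result Code: Unavailable Critical Extension
Diagnostic Message: The request control with Object Identifier (OID) "1.3.6.1.1.12" cannot be used due to insufficient access rights
Matched DN:
at org.forgerock.openam.cts.impl.LdapAdapter.delete(LdapAdapter.java:197)
INFO: some unrelated line that must be ignored
Diagnostic Message: The request control with Object Identifier (OID) "1.3.6.1.1.12" cannot be used due to insufficient access rights
"""

# Human-readable labels for known control OIDs (only the one seen in this report).
# 1.3.6.1.1.12 is the LDAP Assertion control (RFC 4528), which CTS sends on delete.
KNOWN_CONTROLS = {"1.3.6.1.1.12": "Assertion control (RFC 4528)"}

# Matches the OpenDJ diagnostic for a control refused on access-control grounds.
DENIED_RE = re.compile(
    r'Object Identifier \(OID\) "([0-9.]+)" cannot be used due to insufficient access rights'
)


def denied_control_oids(log_text):
    """Return the distinct control OIDs OpenDJ refused, in first-seen order."""
    seen = []
    for match in DENIED_RE.finditer(log_text):
        oid = match.group(1)
        if oid not in seen:
            seen.append(oid)
    return seen


def aci_for_control(oid, bind_dn):
    """Build one OpenDJ ACI allowing bind_dn to use request control `oid`.

    OpenDJ ACIs select controls with the targetcontrol keyword keyed by OID;
    the right to use a control is granted with allow(read).
    """
    label = KNOWN_CONTROLS.get(oid, "control " + oid)
    return (
        '(targetcontrol="{oid}")(version 3.0; acl "Allow {label} for CTS bind user"; '
        'allow(read) userdn="ldap:///{dn}";)'
    ).format(oid=oid, label=label, dn=bind_dn)


def ldif_for_denied_controls(log_text, bind_dn, base_dn):
    """Return an LDIF modify adding one ACI per refused control to base_dn,
    or None when the log shows no refused controls (nothing to change)."""
    oids = denied_control_oids(log_text)
    if not oids:
        return None
    lines = ["dn: " + base_dn, "changetype: modify", "add: aci"]
    lines += ["aci: " + aci_for_control(oid, bind_dn) for oid in oids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder DNs; replace with the real CTS bind user and config suffix.
    print(ldif_for_denied_controls(
        SAMPLE_LOG,
        "uid=openam,ou=admins,dc=example,dc=com",
        "dc=example,dc=com",
    ))
```

      Run the script, review the generated LDIF, and apply it with ldapmodify as a directory administrator; then repeat the reproduction steps and re-scan the logs until no further controls are reported as denied. Granting only the controls that were actually refused keeps the hardened productionMode posture instead of restoring the full default ACI set.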


              People

              • Assignee: Peter Major (peter.major)
              • Reporter: C-Weng C (chee-weng.chea)
