Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Component/s: idrepo
Labels:
Sprint: AM Sustaining Sprint 42
Story Points: 3
Needs backport: No
Support Ticket IDs:
Verified Version/s:
Needs QA verification: Yes
Functional tests: No
Are the reproduction steps defined?: Yes, and I used the same as in the description
Bug description
Unassigning a service from an ActiveDirectory user throws error=53.
How to reproduce the issue
This issue only appears once the OPENAM-11349 fix is applied.
1. Install OpenAM.
2. Log in to the admin console.
3. From the [Realms] menu, click [+ New Realm] and create a subrealm.
4. Click the subrealm you've just created.
5. Select [Data Stores], delete "embedded" and click [New...].
6. Type in a name and specify "Active Directory" as the type.
7. Create a user using the [Subject] tab and assign a service to it (especially Dashboard).
   NOTE: user creation / password modification will fail on a non-SSL connection.
8. Delete the service you assigned in step 7.
Result: you will see the following exception in the IdRepo debug log:
DJLDAPv3Repo:08/28/2017 09:11:42:505 AM NZST: Thread[http-bio-18080-exec-4,5,main]: TransactionId[257cd76e-c0c6-4a83-a0fe-97eb47b03c25-2667] ERROR: An error occured while setting attributes for identity: testuser01
org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: 000020B1: AtrErr: DSID-030F0D1E, #1: 0: 000020B1: DSID-030F0D1E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90002 (objectGUID) ^@
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:190)
    at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:124)
    at org.forgerock.opendj.grizzly.LdapClientFilter.setFinalResult(LdapClientFilter.java:86)
    at org.forgerock.opendj.grizzly.LdapClientFilter.handleRead(LdapClientFilter.java:324)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
    at java.lang.Thread.run(Thread.java:748)
Expected behaviour
Unassigning a service from a user should not cause an error.
Current behaviour
Unassigning a service from a user throws the error described in the reproduction steps.
Work around
None.
Code analysis
It looks like the OpenDJ SDK 4.0 used from 14.x onward also returns the required/optional attributes of superior object classes. Since the parent object class of "forgerock-am-dashboard-service" is "top", and on Active Directory the required/optional attributes of "top" include "objectGUID", which must be unique and is a write-once/atomic attribute, the code below schedules objectGUID to be cleared along with the service's own attributes, and unassigning the service therefore throws the error.
    if (type.equals(IdType.USER)) {
        Set<String> removeOCs = attrMap.get(OBJECT_CLASS_ATTR);
        if (removeOCs != null) {
            Schema dirSchema = getSchema();
            Map<String, Set<String>> attrs = new ConcurrentSkipListMap<>(String.CASE_INSENSITIVE_ORDER);
            for (String oc : removeOCs) {
                try {
                    ObjectClass oc2 = dirSchema.getObjectClass(oc);
                    // getOptionalAttributes()/getRequiredAttributes() also return attributes
                    // inherited from superior object classes such as "top", so on Active
                    // Directory objectGUID lands in this map and is scheduled to be cleared.
                    for (AttributeType optional : oc2.getOptionalAttributes()) {
                        attrs.put(optional.getNameOrOid(), Collections.EMPTY_SET);
                    }
                    for (AttributeType required : oc2.getRequiredAttributes()) {
                        attrs.put(required.getNameOrOid(), Collections.EMPTY_SET);
                    }
                } catch (UnknownSchemaElementException usee) {
                    DEBUG.error("Unable to unassign " + serviceName + " service from identity: " + name, usee);
                    throw newIdRepoException(IdRepoErrorCode.UNABLE_GET_SERVICE_SCHEMA, serviceName);
                }
            }
            // ... remainder of the method is not included in the ticket
        }
    }
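To make the inherited-attribute problem concrete, here is an added Python model (not OpenAM or OpenDJ code) of the attribute set the loop above builds, beside a hardened variant that clears only attributes the removed object class declares itself and that no object class remaining on the entry still permits. The schema fragment and the assigneddashboard attribute name are constructed, and mapping the hardened variant onto the SDK's getDeclaredRequiredAttributes()/getDeclaredOptionalAttributes() methods is my assumption, not something the ticket states.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

OBJECT_CLASS_ATTR = "objectclass"  # the real code handles this attribute separately

@dataclass
class ObjectClass:
    """Minimal LDAP object-class definition (all names lower-cased)."""
    name: str
    superiors: Set[str] = field(default_factory=set)
    required: Set[str] = field(default_factory=set)
    optional: Set[str] = field(default_factory=set)

# Constructed AD-style schema fragment: objectGUID is a "may" attribute of
# "top", as the ticket says, and the dashboard service class is SUP top.
SCHEMA: Dict[str, ObjectClass] = {oc.name: oc for oc in [
    ObjectClass("top", set(), {"objectclass"}, {"objectguid", "objectsid"}),
    ObjectClass("person", {"top"}, {"cn"}, {"sn", "telephonenumber"}),
    ObjectClass("user", {"person"}, set(), {"samaccountname", "mail"}),
    ObjectClass("forgerock-am-dashboard-service", {"top"}, set(), {"assigneddashboard"}),
]}

def declared_attributes(schema: Dict[str, ObjectClass], oc_name: str) -> Set[str]:
    """Only the attributes the object class itself declares (no superiors)."""
    oc = schema[oc_name.lower()]
    return set(oc.required) | set(oc.optional)

def all_attributes(schema: Dict[str, ObjectClass], oc_name: str) -> Set[str]:
    """Declared plus inherited attributes: what the SDK's getRequiredAttributes()
    and getOptionalAttributes() return in the behaviour the ticket describes."""
    attrs = declared_attributes(schema, oc_name)
    for sup in schema[oc_name.lower()].superiors:
        attrs |= all_attributes(schema, sup)
    return attrs

def attrs_cleared_buggy(schema, remove_ocs: Iterable[str]) -> Set[str]:
    """Mirrors the ticket's loop: every attribute of each removed class, inherited
    ones included, is scheduled to be cleared, so objectGUID gets modified."""
    cleared = set().union(*(all_attributes(schema, oc) for oc in remove_ocs))
    return cleared - {OBJECT_CLASS_ATTR}

def attrs_cleared_safe(schema, remove_ocs: Iterable[str],
                       remaining_ocs: Iterable[str]) -> Set[str]:
    """Hardened variant: clear only attributes the removed classes declare
    themselves and that no object class still on the entry permits."""
    still_allowed = set().union(*(all_attributes(schema, oc) for oc in remaining_ocs))
    cleared = set().union(*(declared_attributes(schema, oc) for oc in remove_ocs))
    return cleared - still_allowed - {OBJECT_CLASS_ATTR}
```

For the constructed schema the buggy set contains objectguid and objectsid alongside assigneddashboard, while the hardened set contains only assigneddashboard.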
- is related to: OPENAM-11349 Assigning a service to ActiveDirectory user will throw NPE (Closed)
- is required by: OPENAM-11349 Assigning a service to ActiveDirectory user will throw NPE (Closed)