OpenAM / OPENAM-11641

Unassigning a service from an Active Directory user throws error=53


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 14.5.0, 14.1.2
    • Component/s: idrepo
    • Labels:
    • Sprint:
      AM Sustaining Sprint 42
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description


      Bug description

      Unassigning a service from an Active Directory user throws error=53

      How to reproduce the issue

      This issue only appears after the OPENAM-11349 fix.
      1. install OpenAM
      2. log in to the admin console
      3. from the [Realms] menu, click [+ New Realm] and create a subrealm
      4. click the subrealm you've just created
      5. select [Data Stores] -> delete "embedded" and click [New...]
      6. type in a name and specify "Active Directory" as the type
      7. create a user using the [Subject] tab and assign a service to it (esp. dashboard)
      NOTE: user creation and password modification will fail over a non-SSL connection
      8. delete the service you assigned in step 7
      After step 8 you will see the following exception in IdRepo:

      DJLDAPv3Repo:08/28/2017 09:11:42:505 AM NZST: Thread[http-bio-18080-exec-4,5,main]: TransactionId[257cd76e-c0c6-4a83-a0fe-97eb47b03c25-2667]
      ERROR: An error occured while setting attributes for identity: testuser01
      org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: 000020B1: AtrErr: DSID-030F0D1E, #1:
              0: 000020B1: DSID-030F0D1E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90002 (objectGUID)
              at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:190)
              at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:124)
              at org.forgerock.opendj.grizzly.LdapClientFilter.setFinalResult(LdapClientFilter.java:86)
              at org.forgerock.opendj.grizzly.LdapClientFilter.handleRead(LdapClientFilter.java:324)
              at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
              at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
              at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
              at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
              at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
              at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
              at java.lang.Thread.run(Thread.java:748)

      Expected behaviour

      Unassigning a service from a user should not cause an error.

      Current behaviour

      Unassigning a service from a user throws the error described in the reproduction steps.

      Workaround


      Code analysis

      It looks like the OpenDJ SDK 4.0 used from 14.x onward also returns the optional attributes of superior object classes. The parent object class of "forgerock-am-dashboard-service" is "top", whose required/optional attributes include "objectGUID", an attribute that must be unique and is write-once/atomic. Because the unassign code clears every required and optional attribute it is given, it now tries to clear "objectGUID" as well, and the directory rejects the modification.

              if (type.equals(IdType.USER)) {
                  // Object classes to strip from the user entry when the service is unassigned.
                  Set<String> removeOCs = attrMap.get(OBJECT_CLASS_ATTR);
                  if (removeOCs != null) {
                      Schema dirSchema = getSchema();
                      Map<String, Set<String>> attrs = new ConcurrentSkipListMap<>(String.CASE_INSENSITIVE_ORDER);
                      for (String oc : removeOCs) {
                          try {
                              ObjectClass oc2 = dirSchema.getObjectClass(oc);
                              // Every optional and required attribute of the object class is scheduled
                              // for removal (empty value set). With OpenDJ SDK 4.0 these sets also
                              // contain attributes inherited from the superior class "top", such as
                              // objectGUID, which Active Directory refuses to modify.
                              for (AttributeType optional : oc2.getOptionalAttributes()) {
                                  attrs.put(optional.getNameOrOid(), Collections.EMPTY_SET);
                              }
                              for (AttributeType required : oc2.getRequiredAttributes()) {
                                  attrs.put(required.getNameOrOid(), Collections.EMPTY_SET);
                              }
                          } catch (UnknownSchemaElementException usee) {
                              DEBUG.error("Unable to unassign " + serviceName + " service from identity: " + name, usee);
                              throw newIdRepoException(IdRepoErrorCode.UNABLE_GET_SERVICE_SCHEMA, serviceName);
                          }
                      }
                  }
              }
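As an added illustration (not the OpenAM fix and not code from the project), the helper below computes only the attributes that a service object class such as forgerock-am-dashboard-service declares itself, by subtracting everything inherited from its superior classes ("top" included, so objectGUID drops out). It assumes the OpenDJ SDK accessor ObjectClass.getSuperiorClasses() and otherwise uses the same getRequiredAttributes()/getOptionalAttributes()/getNameOrOid() calls as the snippet above; the class name ServiceAttributeSelector is made up.

```java
import java.util.HashSet;
import java.util.Set;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.ldap.schema.ObjectClass;
import org.forgerock.opendj.ldap.schema.Schema;

/**
 * Added illustration, not the OpenAM fix: selects the attributes that an auxiliary
 * service object class declares itself, leaving out anything inherited from a
 * superior class such as "top" (objectGUID, for example). A modify that clears
 * only these attributes never touches the directory's write-once attributes.
 */
public final class ServiceAttributeSelector {

    private ServiceAttributeSelector() { }

    /** Collects required and optional attributes of every superior class, transitively. */
    private static void collectInherited(ObjectClass oc, Set<AttributeType> out, Set<ObjectClass> seen) {
        for (ObjectClass sup : oc.getSuperiorClasses()) {   // assumed SDK accessor
            if (seen.add(sup)) {
                out.addAll(sup.getRequiredAttributes());
                out.addAll(sup.getOptionalAttributes());
                collectInherited(sup, out, seen);
            }
        }
    }

    /**
     * Returns attribute names that are safe to clear when the given object class is
     * removed from an entry: those it requires or allows, minus those its superior
     * classes (which the entry keeps) already require or allow.
     */
    public static Set<String> ownAttributeNames(Schema schema, String objectClassName) {
        ObjectClass oc = schema.getObjectClass(objectClassName);

        Set<AttributeType> inherited = new HashSet<>();
        collectInherited(oc, inherited, new HashSet<ObjectClass>());

        Set<String> own = new HashSet<>();
        for (AttributeType at : oc.getRequiredAttributes()) {
            if (!inherited.contains(at)) {
                own.add(at.getNameOrOid());
            }
        }
        for (AttributeType at : oc.getOptionalAttributes()) {
            if (!inherited.contains(at)) {
                own.add(at.getNameOrOid());
            }
        }
        return own;
    }
}
```

Feeding the returned names into the attrs map in place of the full required/optional sets keeps the modify request limited to the service's own attributes.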


              • Assignee:
                sachiko Sachiko Wallace