Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12071

Error during upgrade with unindex search from UpgradeUtils.deleteService()


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.5.1
    • Fix Version/s: 13.5.2, 6.0.0, 5.5.2
    • Component/s: upgrade
    • Labels:
    • Sprint:
      AM Sustaining Sprint 44, AM Sustaining Sprint 45
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      Error during upgrade with unindex search from UpgradeUtils.deleteService()

      How to reproduce the issue

      1. install 13.5.0 with external config store and user datastore sharing same OpenDJ.
      NOTE: use admin user other than cn=Directory Manager to connect to OpenDJ
      2. create large number of user entries
      3. upgrade to 5.5.1

      Expected behaviour

      Upgrade should be successful without any error

      Current behaviour

      Upgrade fails with "The user does not have permission to perform the operation"

      If you check amUpgrade :

      amUpgrade:11/02/2017 10:22:56:973 AM GMT: Thread[http-nio-8443-exec-1,5,main]: TransactionId[570af67f-b59b-411c-bdd4-ba72bfa4c576-61]
      ERROR: UpgradeUtils:deleteService : The user does not have permission to perform the operation.
      amUpgrade:11/02/2017 10:22:56:986 AM GMT: Thread[http-nio-8443-exec-1,5,main]: TransactionId[570af67f-b59b-411c-bdd4-ba72bfa4c576-61]
      ERROR: Error occured while upgrading OpenAM
      org.forgerock.openam.upgrade.UpgradeException: The user does not have permission to perform the operation.
              at org.forgerock.openam.upgrade.UpgradeUtils.deleteService(UpgradeUtils.java:606)
              at org.forgerock.openam.upgrade.steps.UpgradeServiceSchemaStep.perform(UpgradeServiceSchemaStep.java:247)
              at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:153)
              at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:68)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      If you check Configuration debug log :

      amSMSLdap:11/02/2017 10:22:56:969 AM GMT: Thread[http-nio-8443-exec-1,5,main]: TransactionId[570af67f-b59b-411c-bdd4-ba72bfa4c576-61]
      WARNING: SMSLdapObject.search(): LDAP exception in search for filter match: (&(objectclass=top)(ou=sunCoreTokenStoreService))
      org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search
              at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:169)
              at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
              at com.sun.identity.sm.ldap.SMSLdapObject.searchObjects(SMSLdapObject.java:718)
              at com.sun.identity.sm.ldap.SMSLdapObject.search(SMSLdapObject.java:666)
              at com.sun.identity.sm.SMSEntry.search(SMSEntry.java:980)
              at com.sun.identity.sm.ServiceManager.removeService(ServiceManager.java:727)
              at org.forgerock.openam.upgrade.UpgradeUtils.deleteService(UpgradeUtils.java:599)
              at org.forgerock.openam.upgrade.steps.UpgradeServiceSchemaStep.perform(UpgradeServiceSchemaStep.java:247)
              at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:153)

      Work around

      Use cn=Directory Manager for config datastore setting.

      Code analysis

      ServiceManager.removeService() will try to look for service schema using base DN rather than ou=service + base DN.

          public void removeService(String serviceName, String version)
                  throws SMSException, SSOException {
              // Find all service entries that have the DN
              // Search for (&(ou=<serviceName>)(objectclass=top))
              // construct the rdn with the given version, look for the entry
              // in iDS and if entry exists(service with that version), delete.
              if (serviceName.equalsIgnoreCase(IdConstants.REPO_SERVICE) ||
                  serviceName.equalsIgnoreCase(ISAuthConstants.AUTH_SERVICE_NAME)) {
                  Object args[] = { serviceName };
                  throw (new SMSException(IUMSConstants.UMS_BUNDLE_NAME,
                          "sms-SERVICE_CORE_CANNOT_DELETE", args));
              String[] objs = { serviceName };
              Iterator results = SMSEntry.search(token, SMSEntry.baseDN,
                  MessageFormat.format(SMSEntry.FILTER_PATTERN, (Object[])objs),

      Instead of using SMSEntry.baseDN, use local variable serviceDN.




            • Assignee:
              sachiko Sachiko Wallace
              sachiko Sachiko Wallace
            • Votes:
              0 Vote for this issue
              7 Start watching this issue


              • Created: