[OPENAM-12204] AM can not handle an arbitrary number of OIDC clients if external configuration data store is used - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.1
Fix Version/s: None
Component/s: configurator, OpenID Connect
Labels:
- Customer
- EDISON
Environment:
java version "1.8.0_111"
Apache Tomcat/8.5.4
AM 5.1.1

Target Version/s:

6.0.0

Sprint:
AM Sustaining Sprint 48
Needs backport:

No

Support Ticket IDs:

Needs QA verification:

No
Functional tests:

No
Are the reproduction steps defined?:

No (add reasons in the comment)

Description

Bug description

dynamic client registration of the 1001st client fails

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

configure AM with hardend DJ as external configuration data store, use non-RootDN as Bind-DN
configure OIDC provider
register more than 1000 OIDC clients dynamically (https://backstage.forgerock.com/docs/am/5.1/oidc1-guide/#register-openid-connect-client-dynamic)

Expected behaviour

It should be possible to register an arbitrary number of OIDC clients

Current behaviour

At some point registration fails with error

amAgentsRepo:12/11/2017 03:00:15:700 PM GMT: Thread[http-nio-8443-exec-17,5,main]: TransactionId[67b57446-9c6c-47c7-a62e-f173e62564dc-406366]
ERROR: AgentsRepo.create():Unable to create agents
SMSException Exception Code:5
Message:Unexpected LDAP exception occurred.
--------------------------------------------------
The lower level exception message
Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
The lower level exception:
org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client

Full stacktrace from AM 5.1.1

amAgentsRepo:12/11/2017 03:00:15:700 PM GMT: Thread[http-nio-8443-exec-17,5,main]: TransactionId[67b57446-9c6c-47c7-a62e-f173e62564dc-406366]
ERROR: AgentsRepo.create():Unable to create agents
SMSException Exception Code:5
Message:Unexpected LDAP exception occurred.
--------------------------------------------------
The lower level exception message
Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
The lower level exception:
org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:202)
at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:495)
at com.sun.identity.sm.ldap.SMSLdapObject.subEntries(SMSLdapObject.java:471)
at com.sun.identity.sm.SMSEntry.subEntries(SMSEntry.java:898)
at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:144)
at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:113)
at com.sun.identity.sm.ServiceConfigImpl.getSubConfigNames(ServiceConfigImpl.java:191)
at com.sun.identity.sm.ServiceConfig.getSubConfigNames(ServiceConfig.java:217)
at com.sun.identity.idm.plugins.internal.AgentsRepo.create(AgentsRepo.java:282)
at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
at org.forgerock.openidconnect.ClientDAO.create(ClientDAO.java:91)
at org.forgerock.openidconnect.OpenIdConnectClientRegistrationService.createRegistration(OpenIdConnectClientRegistrationService.java:571)
at org.forgerock.openidconnect.restlet.ConnectClientRegistration.createClient(ConnectClientRegistration.java:93)
at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
at org.restlet.resource.Finder.handle(Finder.java:236)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
at org.restlet.routing.Router.handle(Router.java:639)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
at org.restlet.routing.Router.handle(Router.java:639)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:92)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
at org.restlet.Application.handle(Application.java:385)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
at org.restlet.Component.handle(Component.java:408)
at org.restlet.Server.handle(Server.java:507)
at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:122)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:513)
at com.sun.identity.sm.ldap.SMSLdapObject.subEntries(SMSLdapObject.java:471)
at com.sun.identity.sm.SMSEntry.subEntries(SMSEntry.java:898)
at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:144)
at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:113)
at com.sun.identity.sm.ServiceConfigImpl.getSubConfigNames(ServiceConfigImpl.java:191)
at com.sun.identity.sm.ServiceConfig.getSubConfigNames(ServiceConfig.java:217)
at com.sun.identity.idm.plugins.internal.AgentsRepo.create(AgentsRepo.java:282)
at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
at org.forgerock.openidconnect.ClientDAO.create(ClientDAO.java:91)
at org.forgerock.openidconnect.OpenIdConnectClientRegistrationService.createRegistration(OpenIdConnectClientRegistrationService.java:571)
at org.forgerock.openidconnect.restlet.ConnectClientRegistration.createClient(ConnectClientRegistration.java:93)
at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
at org.restlet.resource.Finder.handle(Finder.java:236)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
at org.restlet.routing.Router.handle(Router.java:639)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
at org.restlet.routing.Router.handle(Router.java:639)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:92)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
at org.restlet.Application.handle(Application.java:385)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
at org.restlet.Component.handle(Component.java:408)
at org.restlet.Server.handle(Server.java:507)
at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:122)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:202)
at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:495)
... 114 more
{noformat)

Work around

configure Bind-DN specific resource limits, i.e. ds-rlim-size-limit

see https://backstage.forgerock.com/docs/ds/5.5/admin-guide/#limit-search-resources

Code analysis

com.sun.identity.sm.CachedSubEntries.java

    public Set<String> getSubEntries(SSOToken token, String pattern)
            throws SMSException, SSOException {
        if (debug.messageEnabled()) {
            debug.message("CachedSubEntries: reading sub-entries DN: " + 
               cachedEntry.getDN() + " pattern: " + pattern);
        }
        return cachedEntry.getSMSEntry().subEntries(token, pattern, 0, false, true);
    }

does set '0' as sizelimit

this ends up in

com.sun.identity.sm.ldap.SMSLdapObject.java

    private SearchRequest getSearchRequest(String dn, String filter, SearchScope scope, int numOfEntries, int timeLimit,
            boolean sortResults, boolean ascendingOrder, String sortAttribute, String... attributes) {
        SearchRequest request = LDAPRequests.newSearchRequest(dn, scope, filter, attributes)
                .setDereferenceAliasesPolicy(DereferenceAliasesPolicy.NEVER)
                .setTimeLimit(timeLimit);
        if (numOfEntries > 0) {
            request.setSizeLimit(numOfEntries);
        }
        if (sortResults) {
            SortKey sortKey = new SortKey(sortAttribute, !ascendingOrder);
            request.addControl(ServerSideSortRequestControl.newControl(true, sortKey));
        }
        return request;
    }

...

    private Set<String> getSubEntries(SSOToken token, String dn, String filter,
            int numOfEntries, boolean sortResults, boolean ascendingOrder)
            throws SMSException, SSOException {
        SearchRequest request = getSearchRequest(dn, filter, SearchScope.SINGLE_LEVEL, numOfEntries, 0, sortResults,
                ascendingOrder, getNamingAttribute(), O_ATTR);
        int retry = 0;

        Set<String> answer = new LinkedHashSet<>();
        ConnectionEntryReader results;
        while (retry <= connNumRetry) {
            debug.message("SMSLdapObject.subEntries() retry: {}", retry);

            try (Connection conn = getConnection(token.getPrincipal())) {
                // Get the sub entries
                ConnectionEntryReader iterResults = conn.search(request);
                iterResults.hasNext();
                results = iterResults;
                // Construct the results and return
                try {
                    while (results != null && results.hasNext()) {
                        try {
                            if (results.isReference()) {
                                debug.warning("Skipping reference result: {}", results.readReference());
                                continue;
                            }
                            SearchResultEntry entry = results.readEntry();
                            // Check if the attribute starts with "ou="
                            // Workaround for 3823, where (objectClass=*) is used
                            if (entry.getName().toString().toLowerCase().startsWith("ou=")) {
                                answer.add(entry.getName().rdn().getFirstAva().getAttributeValue().toString());
                            }
                        } catch (SearchResultReferenceIOException e) {
                            debug.error("SMSLdapObject.subEntries: Reference should be handled already for dn {}", dn, e);
                        }
                    }
                } catch (LdapException e) {
                    debug.warning("SMSLdapObject.subEntries: Error in obtaining sub-entries: {}", dn, e);
                    throw new SMSException(e, "sms-entry-cannot-obtain");
                }
                break;
            } catch (LdapException e) {
                ResultCode errorCode = e.getResult().getResultCode();
                if (errorCode.equals(ResultCode.NO_SUCH_OBJECT)) {
                    debug.message("SMSLdapObject.subEntries(): entry not present: {}", dn);
                    break;
                }
                if (!retryErrorCodes.contains(errorCode) || retry >= connNumRetry) {
                    debug.warning("SMSLdapObject.subEntries: Unable to search for sub-entries: {}", dn, e);
                    throw new SMSException(e, "sms-entry-cannot-search");
                }
                retry++;
                try {
                    Thread.sleep(connRetryInterval);
                } catch (InterruptedException ex) {
                    // ignored
                }
            }
        }
        debug.message("SMSLdapObject.subEntries: Successfully obtained sub-entries for {}", dn);
        return answer;
    }

The sizelimit error is not handled nicely, shouldn't it use Simple Paged Result Control (https://backstage.forgerock.com/docs/ds/5.5/reference/#chap-controls) to read data in that case?

AM can not handle an arbitrary number of OIDC clients if external configuration data store is used

Details

Description

Bug description

How to reproduce the issue

Expected behaviour

Current behaviour

Work around

Code analysis

Attachments

Activity

People

Dates