  1. OpenAM
  2. OPENAM-12985

debug log files are swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1
    • Fix Version/s: 6.5.0
    • Component/s: other
    • Labels:
    • Environment:
      Oracle JDK 1.8.0_151
      Apache Tomcat 8.0.48
      AM 5.5.1
    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 54, AM Sustaining Sprint 55
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      AM debug logs are swamped with error messages and stacktraces for ERROR: LDAPUtils.isDN: Invalid DN

      How to reproduce the issue

      1. Configure AM
      2. Use an IdRepo implementation other than LDAP, so that there are no DNs
      3. Use a group name which includes non-compliant characters
      4. Perform operations that check memberships for the user identity subject

      Expected behaviour

      No error should occur; AM should not rely on Distinguished Names internally as the IdRepo API is pluggable and all kinds of repositories could be used.
      
      Current behaviour

      e.g. the debug log shows

      LDAPUtils:04/24/2018 10:30:28:345 AM CEST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[de704b1a-8781-45eb-a685-a180c4889d1b-5432]
      ERROR: LDAPUtils.isDN: Invalid DN
      org.forgerock.i18n.LocalizedIllegalArgumentException: The provided value "ADMIN_ACCOUNT_PERMISSIONS" could not be parsed as a valid distinguished name because character '_' at position 5 is not allowed in an attribute name
      	at org.forgerock.opendj.ldap.Ava.illegalCharacter(Ava.java:233)
      	at org.forgerock.opendj.ldap.Ava.readAttributeName(Ava.java:218)
      	at org.forgerock.opendj.ldap.Ava.decode(Ava.java:117)
      	at org.forgerock.opendj.ldap.Rdn.decode(Rdn.java:179)
      	at org.forgerock.opendj.ldap.Dn.decode(Dn.java:272)
      	at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:245)
      	at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:214)
      	at org.forgerock.openam.ldap.LDAPUtils.newDN(LDAPUtils.java:697)
      	at org.forgerock.openam.ldap.LDAPUtils.isDN(LDAPUtils.java:640)
      	at com.sun.identity.common.DNUtils.DNtoName(DNUtils.java:74)
      	at com.sun.identity.idm.server.IdServicesImpl.combineMembers(IdServicesImpl.java:2467)
      	at com.sun.identity.idm.server.IdServicesImpl.getMemberships(IdServicesImpl.java:994)
      	at com.sun.identity.idm.AMIdentity.getMemberships(AMIdentity.java:1184)
      	at com.sun.identity.console.idm.model.EntitiesModelImpl.getMembership(EntitiesModelImpl.java:999)
      	at com.sun.identity.console.idm.EntityMembershipViewBean.getMemberships(EntityMembershipViewBean.java:104)
      	at com.sun.identity.console.idm.EntityMembershipViewBean.beginDisplay(EntityMembershipViewBean.java:85)
      	at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
      	at org.apache.jsp.console.idm.EntityMembership_jsp._jspService(EntityMembership_jsp.java:171)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
      	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
      	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:716)
      	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466)
      	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:391)
      	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318)
      	at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
      	at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
      	at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:152)
      	at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:113)
      	at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:229)
      	at com.sun.identity.console.base.AMViewBeanBase.handleGRequest(AMViewBeanBase.java:627)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
      	at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
      	at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
      	at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:633)
      	at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
      	at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      	at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.audit.servlet.AuditAccessServletFilter.doFilter(AuditAccessServletFilter.java:54)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      

      Code analysis (AM 5.5.1)

      As the value is returned whether or not an exception occurs,

      com.sun.identity.common.DNUtils.java
          public static String DNtoName(String dn) {
              if (StringUtils.isNotEmpty(dn) && LDAPUtils.isDN(dn)) {
                  try {
                      return rdnValueFromDn(Dn.valueOf(dn));
                  } catch (LocalizedIllegalArgumentException e) {
                      DEBUG.error("DNUtils.isDN: Invalid DN {}", dn, e);
                  }
              }
              return dn;
          }
      

      should be changed to

          public static String DNtoName(String dn) {
              if (StringUtils.isNotEmpty(dn) && LDAPUtils.isDN(dn)) {
                  try {
                      return rdnValueFromDn(Dn.valueOf(dn));
                  } catch (LocalizedIllegalArgumentException e) {
                      DEBUG.warning("DNUtils.isDN: Invalid DN {}", dn, e);
                  }
              }
              return dn;
          }
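
One way to measure the flooding described in this issue, as an added example (not part of the original report or of AM's code): it splits a debug log into records using the header layout quoted above, then counts how many ERROR records are `LDAPUtils.isDN: Invalid DN` entries and which values trigger them. The sample log is constructed, its `IdRepo` record is invented for contrast, and treating any upper-case `WORD:` line as the level marker is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the debug-log layout quoted in this issue.
SAMPLE_LOG = '''\
LDAPUtils:04/24/2018 10:30:28:345 AM CEST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[tx-0001]
ERROR: LDAPUtils.isDN: Invalid DN
org.forgerock.i18n.LocalizedIllegalArgumentException: The provided value "ADMIN_ACCOUNT_PERMISSIONS" could not be parsed as a valid distinguished name because character '_' at position 5 is not allowed in an attribute name
\tat org.forgerock.opendj.ldap.Ava.illegalCharacter(Ava.java:233)
\tat org.forgerock.openam.ldap.LDAPUtils.isDN(LDAPUtils.java:640)
LDAPUtils:04/24/2018 10:30:29:101 AM CEST: Thread[http-nio-8080-exec-11,5,main]: TransactionId[tx-0002]
ERROR: LDAPUtils.isDN: Invalid DN
org.forgerock.i18n.LocalizedIllegalArgumentException: The provided value "ADMIN_ACCOUNT_PERMISSIONS" could not be parsed as a valid distinguished name because character '_' at position 5 is not allowed in an attribute name
\tat org.forgerock.opendj.ldap.Ava.illegalCharacter(Ava.java:233)
IdRepo:04/24/2018 10:30:30:002 AM CEST: Thread[http-nio-8080-exec-12,5,main]: TransactionId[tx-0003]
ERROR: Unable to connect to repository
'''

# Record header: Component:timestamp: Thread[...]: TransactionId[...]
HEADER = re.compile(r'^(?P<component>\w+):(?P<ts>\d{2}/\d{2}/\d{4} [\d:]+ [AP]M \w+): '
                    r'Thread\[(?P<thread>.*?)\]: TransactionId\[(?P<tx>.*?)\]$')
LEVEL = re.compile(r'^(?P<level>[A-Z]+): (?P<msg>.*)$')  # assumption: level line is "WORD: text"
VALUE = re.compile(r'The provided value "(?P<value>.*?)" could not be parsed')

def parse_records(text):
    """Split a debug log into records; each header line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "level": None, "msg": None, "value": None, "frames": 0}
            records.append(current)
        elif current is None:
            continue  # ignore anything before the first header
        elif line.lstrip().startswith("at "):
            current["frames"] += 1  # stack frame: count it, do not keep it
        elif current["level"] is None and (lv := LEVEL.match(line)):
            current.update(level=lv["level"], msg=lv["msg"])
        elif current["value"] is None and (v := VALUE.search(line)):
            current["value"] = v["value"]  # the string that failed DN parsing
    return records

def summarize_invalid_dn(text):
    """Count ERROR records and how many of them are the Invalid DN entries."""
    errors = [r for r in parse_records(text) if r["level"] == "ERROR"]
    noise = [r for r in errors if r["msg"] == "LDAPUtils.isDN: Invalid DN"]
    return {"errors": len(errors), "invalid_dn": len(noise),
            "values": Counter(r["value"] for r in noise)}
```

The ratio of `invalid_dn` to `errors` shows how much of the error-level output is this one message, and `values` lists the group names that cause it.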
      

            People

            • Assignee:
              jonthomas Jonathan Thomas
            • Reporter:
              bthalmayr Bernhard Thalmayr