  1. OpenAM
  2. OPENAM-13308

LdapDecisionNode fails when Return UserDN to Datastore is set to false


    Details

    • AM Sustaining Sprint 53
    • 2

      Description

      Bug description

      When using the LDAP Decision node with "Return UserDN to Datastore" set to false,
      authentication fails. The exception seen in Authentication is:

      Caused by: org.forgerock.i18n.LocalizedIllegalArgumentException: The provided value "demo" could not be parsed as a valid distinguished name because the last non-space character was part of the attribute name 'demo'
              at org.forgerock.opendj.ldap.Ava.decode(Ava.java:129)
              at org.forgerock.opendj.ldap.Rdn.decode(Rdn.java:183)
              at org.forgerock.opendj.ldap.Dn.decode(Dn.java:269)
              at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:242)
              at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:211)
              at org.forgerock.openam.auth.nodes.LdapDecisionNode.getUserNameFromIdentity(LdapDecisionNode.java:688)
              at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:284)
              at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
              ... 89 more
      

      How to reproduce the issue

      1. Set up an LdapDecisionTreeNode
      2. Check it works (for ReturnUserDN set to true)
      3. Set ReturnUserDN to false and try login again

      Expected behaviour
      Authentication works when Return UserDN is set to false.
      
      Current behaviour
      Caused by: org.forgerock.i18n.LocalizedIllegalArgumentException: The provided value "demo" could not be parsed as a valid distinguished name because the last non-space character was part of the attribute name 'demo'
              at org.forgerock.opendj.ldap.Ava.decode(Ava.java:129)
              at org.forgerock.opendj.ldap.Rdn.decode(Rdn.java:183)
              at org.forgerock.opendj.ldap.Dn.decode(Dn.java:269)
              at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:242)
              at org.forgerock.opendj.ldap.Dn.valueOf(Dn.java:211)
              at org.forgerock.openam.auth.nodes.LdapDecisionNode.getUserNameFromIdentity(LdapDecisionNode.java:688)
              at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:284)
              at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
              ... 89 more
      

      and authentication fails

      Work around

      Make sure Return UserDN to DataStore is set to true.

      Code analysis

      org.forgerock.openam.auth.nodes.LdapDecisionNode.getUserNameFromIdentity

      is passed the normal user name "demo", and it is treated as an LDAP DN in that code.
      So if returnDN to Datastore is set to false, maybe this need not do those
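
      The behaviour the analysis above points towards, as an added example that is not OpenAM's code or its actual fix: the configuration flag, not the shape of the string, decides whether the identity value is parsed as a DN. It assumes the JDK's javax.naming.ldap.LdapName in place of OpenDJ's Dn, and the class name, method signature and sample values are hypothetical.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class IdentityNameExample {

    // Hypothetical stand-in for the node's name lookup. The returnUserDn
    // flag decides how the value is interpreted; the code never guesses
    // from the string whether it "looks like" a DN.
    static String userNameFromIdentity(String identity, boolean returnUserDn)
            throws InvalidNameException {
        if (!returnUserDn) {
            // The value is already a plain user name such as "demo".
            return identity;
        }
        // With the flag on, a value that is not a DN is an error.
        LdapName dn = new LdapName(identity);
        if (dn.isEmpty()) {
            throw new InvalidNameException("empty DN");
        }
        // LdapName numbers RDNs from the right, so the leaf RDN is last.
        return String.valueOf(dn.getRdn(dn.size() - 1).getValue());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue's environment.
        System.out.println(userNameFromIdentity(
                "uid=demo,ou=people,dc=example,dc=com", true));
        System.out.println(userNameFromIdentity("demo", false));

        // A plain name that happens to contain '=' stays a plain name
        // instead of being silently reinterpreted as a DN.
        System.out.println(userNameFromIdentity("cn=admin", false));

        // The failure from the report: a plain name parsed as a DN.
        try {
            userNameFromIdentity("demo", true);
        } catch (InvalidNameException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Falling back to the raw value whenever DN parsing fails would also stop the exception, but it would let a plain user name containing "=" be read as a DN, which is why the example branches on the flag.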
      
      


            People

            lawrence.yarham Lawrence Yarham
            chee-weng.chea C-Weng C
            Filip Kubáň [X] Filip Kubáň [X] (Inactive)