  1. OpenAM
  2. OPENAM-13350

Upgrade from 12.0.x to 6.0.0 - 6.0.0.4 fails with embedded user store


    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4
    • 6.0.0.5, 6.5.0, 6.0.1
    • upgrade
    • AM Sustaining Sprint 55
    • 3
    • No
    • Yes
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      Upgrade from 12.0.x to 6.0.0.2 fails with embedded user store due to missing KBA Information from schema. KBA schema elements were not included in the default 12.x schema.

      How to reproduce the issue

      1. Deploy AM 12.0.x w/ embedded userstore
      2. Upgrade 12.0.x to AM 6.0.0.2 following upgrade guide to step 6: https://backstage.forgerock.com/docs/am/6/upgrade-guide/index.html#upgrade-server
      3. Upgrade fails after post DJ upgrade step:
      ...
      >>>> Post upgrade tasks complete
      
      * See '/Users/john.noble/AM_upgrade_conf/opends/logs/upgrade.log' for a
       detailed log of this operation
      amUpgrade:07/16/2018 03:23:25:661 PM BST: Thread[localhost-startStop-1,5,main]: TransactionId[75ef2a5b-8066-4ea2-a695-8aee62b25f6a-0]
      ERROR: An error occurred while processing /WEB-INF/template/ldif/opendj/opendj_add_kba_attempts.ldif
      Attribute or Value Exists: Entry cn=schema cannot be modified because it would have resulted in one or more duplicate values for attribute attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.7 NAME 'kbaInfoAttempts' DESC 'Knowledge Based Authentication Attempts information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:219)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:668)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:582)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.tryOnNextFastPath(DemultiplexerImpl.java:432)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.onNextAndOptionallyComplete(DemultiplexerImpl.java:392)
       at org.forgerock.opendj.ldap.DemultiplexerImpl.onNext(DemultiplexerImpl.java:162)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachSubscriber.onNext(FlowableDoOnEach.java:92)
       at io.reactivex.internal.operators.flowable.FlowableOnErrorNext$OnErrorNextSubscriber.onNext(FlowableOnErrorNext.java:69)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.tryOnNext(FlowableFilter.java:74)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.onNext(FlowableFilter.java:52)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachConditionalSubscriber.onNext(FlowableDoOnEach.java:231)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter$GrizzlyReader.handleRead(GrizzlyLdapSocketFilter.java:331)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter.handleRead(GrizzlyLdapSocketFilter.java:135)
       at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
       at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
       at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:539)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
       at org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:103)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:415)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:384)
       at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:348)
       at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:279)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
       at java.lang.Thread.run(Thread.java:745)
      amSetupServlet:07/16/2018 03:23:25:663 PM BST: Thread[localhost-startStop-1,5,main]: TransactionId[75ef2a5b-8066-4ea2-a695-8aee62b25f6a-0]
      ERROR: AMSetupServlet.checkConfigProperties
      java.lang.IllegalStateException: An error occurred while upgrading directory content
       at com.sun.identity.setup.BootstrapData.initSMS(BootstrapData.java:277)
       at com.sun.identity.setup.Bootstrap.getConfiguration(Bootstrap.java:179)
       at com.sun.identity.setup.Bootstrap.bootstrap(Bootstrap.java:162)
       at com.sun.identity.setup.Bootstrap.load(Bootstrap.java:146)
       at com.sun.identity.setup.AMSetupServlet.checkConfigProperties(AMSetupServlet.java:333)
       at com.sun.identity.setup.AMSetupServlet.init(AMSetupServlet.java:215)
       at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1269)
       at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
       at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
       at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
       at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
       at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
       at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
       at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
       at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
       at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
       at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
       at java.lang.Thread.run(Thread.java:745)
      Caused by: org.forgerock.openam.upgrade.UpgradeException: Attribute or Value Exists: Entry cn=schema cannot be modified because it would have resulted in one or more duplicate values for attribute attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.7 NAME 'kbaInfoAttempts' DESC 'Knowledge Based Authentication Attempts information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
       at org.forgerock.openam.upgrade.DirectoryContentUpgrader.processLDIF(DirectoryContentUpgrader.java:256)
       at org.forgerock.openam.upgrade.DirectoryContentUpgrader.upgrade(DirectoryContentUpgrader.java:281)
       at com.sun.identity.setup.BootstrapData.initSMS(BootstrapData.java:275)
       ... 21 more
      Caused by: Attribute or Value Exists: Entry cn=schema cannot be modified because it would have resulted in one or more duplicate values for attribute attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.7 NAME 'kbaInfoAttempts' DESC 'Knowledge Based Authentication Attempts information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:219)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:668)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:582)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.tryOnNextFastPath(DemultiplexerImpl.java:432)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.onNextAndOptionallyComplete(DemultiplexerImpl.java:392)
       at org.forgerock.opendj.ldap.DemultiplexerImpl.onNext(DemultiplexerImpl.java:162)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachSubscriber.onNext(FlowableDoOnEach.java:92)
       at io.reactivex.internal.operators.flowable.FlowableOnErrorNext$OnErrorNextSubscriber.onNext(FlowableOnErrorNext.java:69)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.tryOnNext(FlowableFilter.java:74)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.onNext(FlowableFilter.java:52)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachConditionalSubscriber.onNext(FlowableDoOnEach.java:231)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter$GrizzlyReader.handleRead(GrizzlyLdapSocketFilter.java:331)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter.handleRead(GrizzlyLdapSocketFilter.java:135)
       at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
       at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
       at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:539)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
       at org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:103)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:415)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:384)
       at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:348)
       at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:279)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
       ... 1 more
      
      Expected behaviour

      Upgrade should complete successfully

      Current behaviour

      The upgrade fails when trying to process opendj_add_kba_attempts.ldif. The first operation in that file is an add:

      add: attributeTypes
      attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.7 NAME 'kbaInfoAttempts' DESC 'Knowledge Based Authentication Attempts information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
      

      The problem is that if the upgrader has previously detected that there is no KBA info in the schema, it adds it using the following LDIF, opendj_kba.ldif:

      #
      # Copyright 2015-2018 ForgeRock AS. All Rights Reserved
      #
      # Use of this code requires a commercial software license with ForgeRock AS.
      # or with one of its affiliates. All use shall be exclusively subject
      # to such license between the licensee and ForgeRock AS.
      #
      dn: cn=schema
      changetype: modify
      add: attributeTypes
      attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.5 NAME 'kbaInfo' DESC 'Knowledge Based Authentication information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
      -
      add: attributeTypes
      attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.6 NAME 'kbaActiveIndex' DESC 'Knowledge Based Authentication Active Index' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
      -
      add: attributeTypes
      attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.7 NAME 'kbaInfoAttempts' DESC 'Knowledge Based Authentication Attempts information is stored in this attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenAM' )
      -
      add: objectClasses
      objectClasses: ( 1.3.6.1.4.1.36733.2.2.2.5 NAME 'kbaInfoContainer' DESC 'Class containing KBA information' SUP top AUXILIARY MAY ( kbaInfo $ kbaActiveIndex $ kbaInfoAttempts ) X-ORIGIN 'OpenAM' )
      

      So when the upgrade comes to ldapmodify opendj_add_kba_attempts.ldif, it fails as the "kbaInfoAttempts" schema entry is already there. 

      Work around

      I was able to complete the upgrade by manually adding the kba elements to the schema before starting the upgrade, i.e.

      ./ldapmodify -p 50389 -D "cn=Directory Manager" -w password -f opendj_kba.ldif
      

      The opendj_kba.ldif I used was from the AM-6.0.0.2 war:

      /WEB-INF/template/ldif/opendj/opendj_kba.ldif 
      

      This causes the upgrade to skip the AddKBAInformationSchema and AddKbaAttemptsSchema classes, as the objectclass "kbaInfoContainer" and the attribute "kbaInfoAttempts" are found. See code snippet below.

      Code analysis

      org.forgerock.openam.upgrade.$DirectoryContentUpgrader.java
          private class AddKBAInformationSchema implements Upgrader {
      
              @Override
              public String getLDIFPath() {
                  return "/WEB-INF/template/ldif/opendj/opendj_kba.ldif";
              }
      
              @Override
              public boolean isUpgradeNecessary(Connection conn, Schema schema) throws UpgradeException {
                  return !schema.hasObjectClass(KBA_INFO_OC);
              }
          }
      
          private class AddKbaAttemptsSchema implements Upgrader {
      
              @Override
              public String getLDIFPath() {
                  return "/WEB-INF/template/ldif/opendj/opendj_add_kba_attempts.ldif";
              }
      
              @Override
              public boolean isUpgradeNecessary(Connection conn, Schema schema) {
                  return !schema.hasAttributeType("kbaInfoAttempts");
              }
          }

      Probably for AddKbaAttemptsSchema the following change may work, since opendj_kba.ldif
      contains all the new ones: for, say, 12.x, KBA_INFO_OC does not exist, and for upgrade
      KBA_INFO_OC exists. So the following fix may be worth a try:

              public boolean isUpgradeNecessary(Connection conn, Schema schema) {
                  return !schema.hasAttributeType("kbaInfoAttempts") && schema.hasObjectClass(KBA_INFO_OC);
              }
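
The failure and the proposed guard can be traced with a small model. This is an added Python example, not OpenAM code: the function names, the set-based schema and the three starting schemas are constructed, and it assumes both necessity checks are evaluated against the schema as it was read before any LDIF was applied, which is what the reported failure implies.

```python
# Added toy model of the upgrade sequence described above; not OpenAM source.
KBA_INFO_OC = "kbaInfoContainer"

# Schema elements each LDIF adds, as quoted on this page. For
# opendj_add_kba_attempts.ldif only its first operation is modelled.
LDIF_ADDS = {
    "opendj_kba.ldif": {"kbaInfo", "kbaActiveIndex", "kbaInfoAttempts", KBA_INFO_OC},
    "opendj_add_kba_attempts.ldif": {"kbaInfoAttempts"},
}

class DuplicateValue(Exception):
    """Stands in for the LDAP 'Attribute or Value Exists' result on cn=schema."""

def kba_needed(schema):                 # AddKBAInformationSchema check
    return KBA_INFO_OC not in schema

def attempts_needed(schema):            # AddKbaAttemptsSchema check, as reported
    return "kbaInfoAttempts" not in schema

def attempts_needed_proposed(schema):   # check with the change proposed above
    return "kbaInfoAttempts" not in schema and KBA_INFO_OC in schema

def run_upgrade(initial_schema, attempts_check):
    """Return the LDIF files applied, or raise DuplicateValue on a repeated add."""
    snapshot = frozenset(initial_schema)  # assumption: checks see the pre-upgrade schema
    live = set(initial_schema)            # what cn=schema holds as LDIFs are applied
    applied = []
    for ldif, needed in (("opendj_kba.ldif", kba_needed),
                         ("opendj_add_kba_attempts.ldif", attempts_check)):
        if not needed(snapshot):
            continue
        duplicates = LDIF_ADDS[ldif] & live
        if duplicates:
            raise DuplicateValue(f"{ldif}: {sorted(duplicates)} already in cn=schema")
        live |= LDIF_ADDS[ldif]
        applied.append(ldif)
    return applied

def outcome(initial_schema, attempts_check):
    """Like run_upgrade, but report a failed run as the string 'FAILED'."""
    try:
        return run_upgrade(initial_schema, attempts_check)
    except DuplicateValue:
        return "FAILED"

# Constructed starting schemas (KBA-related element names only).
NO_KBA = set()                                      # 12.0.x default, per this report
KBA_WITHOUT_ATTEMPTS = {"kbaInfo", "kbaActiveIndex", KBA_INFO_OC}
WORKAROUND = set(LDIF_ADDS["opendj_kba.ldif"])      # opendj_kba.ldif loaded beforehand
```

With NO_KBA the reported check applies opendj_kba.ldif and then fails on the second file, while the proposed check stops after opendj_kba.ldif; the other two starting schemas behave the same under both checks.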
      

            People

            chee-weng.chea C-Weng C
            john.noble John Noble
            Filip Kubáň [X] Filip Kubáň [X] (Inactive)