OpenAM / OPENAM-13411

Policy Configuration in Primary LDAP Server behaves different when there is one entry compared to many


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.1.0, 14.1.1, 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: 13.5.3, 6.5.0, 14.1.2, 6.0.1, 5.5.2
    • Component/s: policy
    • Labels:
    • Sprint:
      AM Sustaining Sprint 53, AM Sustaining Sprint 54
    • Story Points:
    • Needs QA verification:


      Bug description

      A) Documentation on PolicyService is not correct

      This is somewhat related to OPENAM-12002, where a local AM server prefix is used. The issue is that once this is done, it does not work correctly when an LDAPFilterCondition is used.

      Assuming the Primary LDAP Server is set to "localamserver|localhost:11389 localhost:12389", the code tries to split the value on ":" and space and ends up with three servers. You then see this in the OpenDJ SDK logs:

      Attempting reconnect to offline factory 'LDAPConnectionFactory(provider=`Grizzly, host='localamhost|localhost', port=11389, options=org.forgerock.util.Options@8f0728b)'

      which is a wrong hostname.


      This happens when there is ONLY one entry in the Primary LDAP Server setting (this was easy to see in the legacy 13.5.x console; in the newer consoles the entries are shown in multiple text fields, and the configuration above fails).


      B) When there are multiple entries, as in OPENAM-12002, every Primary LDAP entry needs to be prefixed correctly with the local OpenAM server name (i.e. com.iplanet.am.server.host from each server's respective Advanced configuration). Otherwise the Policy Configuration will not work.


      Problem statement:

      {{In short, the Primary LDAP Server setting behaves differently with one entry than with multiple entries, and this is error-prone.}} In fact the online help states:

      > Configuration directory server host:port that OpenAM searches for policy information.

      > Format: local server name | host name:port
      > Multiple entries must be prefixed by local server name.

      As you can see, if there is only one entry and the user follows the Format above, they will also hit the issue where the first server implicitly becomes a "local server name":389 LDAP target.

      How to reproduce the issue


      1. Go to Service > Policy Configuration and set the Primary LDAP Server to "localamserver|localhost:11389 localhost:12389" (typed as one single value before hitting Enter)
      2. Refer to OPENAM-12002 as needed for background context
      3. Observe the logs and see the failure


      Note that if you repeat the above and add an extra entry, "anotheramserver|ldap2:12389 ldap1:11389", then things seem to work. This is down to CollectionHelper.getServerMapAttr().


      Expected behaviour
      The current behaviour needs to be either improved or documented properly.
      Current behaviour
      Policy evaluation fails, or, if you are semi-lucky, the other space-separated LDAP server in the list is used. It is confusing and error-prone.

      Work around

      If a local server prefix is used in the Policy Configuration LDAP server setting, it really needs to be stressed that an entry for every <localamserver> (i.e. one per AM server in the deployment) must be added. But if there is only ONE line, it cannot have the "AM | LDAP" format.


      As a preventive measure, if the result of CollectionHelper.getServerMapAttrs() in PolicyConfig contains "|", we should either standardise on using the right-hand side of "|" to keep the old behaviour (if it ever worked before), or complain and fail fast.


      Code analysis


      Line 509:
      String configuredLdapServer = (String) configParams.get(PolicyConfig.LDAP_SERVER);
      The string returned for iplanet-am-policy-config-ldap-server here is "<localamhost>|localhost:11389 localhost:12389"
      if there is ONLY one server entry, so the local server prefix is never stripped.
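The two parse paths this report contrasts, as an added illustration that is not OpenAM's own code: a naive split of the single-entry value on whitespace and ":" reproduces the bogus host "localamserver|localhost" seen in the OpenDJ SDK log above, while a strict parser of the documented "local server name | host:port" format honours the "|" prefix for one entry exactly as for many, and fails fast (the second option suggested under Work around) on anything else. The class name, method names and the sample values are assumptions made for the example; CollectionHelper and PolicyConfig are not modelled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not OpenAM code. Contrasts the naive host:port split the
 * bug report observes with a strict parser for the documented format
 *   local server name | host:port [host:port ...]
 * that treats a single prefixed entry the same way as multiple entries.
 */
public final class PolicyLdapServerParser {

    /** Naive parse: split on whitespace, then take everything before the last ':' as the host. */
    static List<String> naiveHosts(String configured) {
        List<String> hosts = new ArrayList<>();
        for (String token : configured.trim().split("\\s+")) {
            int colon = token.lastIndexOf(':');
            hosts.add(colon < 0 ? token : token.substring(0, colon));
        }
        return hosts;  // the "|" survives inside the first host, which is the broken hostname
    }

    /**
     * Strict parse of the attribute values. The key is the local AM server name
     * (com.iplanet.am.server.host), or null for a single unprefixed entry.
     */
    static Map<String, List<String>> parseStrict(List<String> entries) {
        if (entries.isEmpty()) {
            throw new IllegalArgumentException("no policy LDAP server configured");
        }
        Map<String, List<String>> result = new LinkedHashMap<>();
        for (String entry : entries) {
            int bar = entry.indexOf('|');
            String key = bar < 0 ? null : entry.substring(0, bar).trim();
            String servers = (bar < 0 ? entry : entry.substring(bar + 1)).trim();
            if (bar >= 0 && key.isEmpty()) {
                throw new IllegalArgumentException("empty local server name in: " + entry);
            }
            if (bar < 0 && entries.size() > 1) {
                throw new IllegalArgumentException(
                        "multiple entries must be prefixed by local server name: " + entry);
            }
            if (servers.indexOf('|') >= 0) {
                throw new IllegalArgumentException("only one '|' allowed per entry: " + entry);
            }
            List<String> hostPorts = new ArrayList<>();
            for (String hp : servers.split("\\s+")) {
                // host:port only; a stray "|" or a missing port is rejected rather than guessed
                if (!hp.matches("[^:|\\s]+:\\d{1,5}")) {
                    throw new IllegalArgumentException("expected host:port, got: " + hp);
                }
                hostPorts.add(hp);
            }
            if (result.put(key, hostPorts) != null) {
                throw new IllegalArgumentException("duplicate local server name: " + key);
            }
        }
        return result;
    }

    /** Servers this AM instance should use, selected by its own com.iplanet.am.server.host value. */
    static List<String> serversFor(Map<String, List<String>> parsed, String localServer) {
        List<String> mine = parsed.get(localServer);
        if (mine != null) {
            return mine;
        }
        List<String> unprefixed = parsed.get(null);
        if (unprefixed != null) {
            return unprefixed;
        }
        throw new IllegalStateException("no policy LDAP servers configured for " + localServer);
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the report.
        String single = "localamserver|localhost:11389 localhost:12389";
        System.out.println("naive hosts: " + naiveHosts(single));

        Map<String, List<String>> one = parseStrict(Arrays.asList(single));
        System.out.println("localamserver -> " + serversFor(one, "localamserver"));

        Map<String, List<String>> many = parseStrict(Arrays.asList(
                single, "anotheramserver|ldap2:12389 ldap1:11389"));
        System.out.println("anotheramserver -> " + serversFor(many, "anotheramserver"));

        try {
            parseStrict(Arrays.asList("localhost:11389", "anotheramserver|ldap1:11389"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The strict parser never falls back to the naive split: an unprefixed entry is accepted only when it is the sole entry, and a prefixed entry is looked up by the instance's own server name, so the single-entry and multiple-entry cases can no longer diverge silently.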




            • Assignee:
              lawrence.yarham Lawrence Yarham
              chee-weng.chea C-Weng C
            • Votes: 0
            • Watchers: 4