  1. OpenAM
  2. OPENAM-13573

Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures

    Details

    • Sprint:
      AM Sustaining Sprint 55
    • Story Points:
      3
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      The Ldap module and LdapDecisionNode make calls to the LdapAuthUtils.changePassword method in a change password flow.

      If there are multiple concurrent calls, updates may fail with an error like the one below:

       

      amAuthLDAP:09/12/2018 01:31:47:272 PM GMT: Thread[http-bio-10.0.0.7-8080-exec-247,5,main]: TransactionId[743b0898-31f8-4a43-b30f-e30784c19ef5-591963]
      WARNING: Cannot update :
      Invalid Credentials
              at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:193)

       

      Corresponding DS log "cannot be modified due to insufficient access rights" message

       

      {"eventName":"DJ-LDAP","client":{"ip":"10.0.0.82","port":35768},"server":{"ip":"10.0.0.64","port":1389},"request":{"protocol":"LDAP","operation":"MODIFY","connId":368686,"msgId":731,"dn":"uid=2b12d267-658b-4c89-8f39-5138f7b8f639,ou=People,dc=test,dc=comz"},"transactionId":"6d7e2eec-37d9-4fc2-8792-fa72e30449f6-10236114","response":{"status":"FAILED","statusCode":"50","elapsedTime":0,"elapsedTimeUnits":"MILLISECONDS","detail":"The entry uid=2b12d267-658b-4c89-8f39-5138f7b8f639ou=People,dc=test,dc=comz" cannot be modified due to insufficient access rights"},"timestamp":"2018-09-12T00:55:42.805Z","_id":"6d7e2eec-37d9-4fc2-8792-fa72e30449f6-10236116"}
       

      Reproduction steps to follow..

       
      Expected behaviour
      Password changes
      Current behaviour
      Fails: In DS logs The entry uid=2...ou=People,dc=test,dc=com" cannot be modified due to insufficient access rights"
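To check whether a deployment shows the DS-side signature described above, the following added example (not part of the original issue and not OpenAM or DS code) scans DS JSON access-log lines for MODIFY requests rejected with statusCode 50 and counts them per minute. The sample lines are constructed and use only fields visible in the log entry quoted above; DNs and timestamps are made up.

```python
import json
from collections import Counter

INSUFFICIENT_ACCESS_RIGHTS = "50"  # LDAP result code insufficientAccessRights


def _line(op, dn, status, code, ts):
    """Build one constructed log line using the field layout quoted above."""
    return json.dumps({
        "eventName": "DJ-LDAP",
        "request": {"protocol": "LDAP", "operation": op, "dn": dn},
        "response": {"status": status, "statusCode": code},
        "timestamp": ts,
    })


# Constructed sample input (not taken from the issue).
SAMPLE_LOG = [
    _line("MODIFY", "uid=alice,ou=People,dc=example,dc=com", "FAILED", "50", "2018-09-12T00:55:42.805Z"),
    _line("MODIFY", "uid=bob,ou=People,dc=example,dc=com", "SUCCESSFUL", "0", "2018-09-12T00:55:42.811Z"),
    _line("MODIFY", "uid=carol,ou=People,dc=example,dc=com", "FAILED", "50", "2018-09-12T00:55:42.900Z"),
    _line("BIND", "uid=dave,ou=People,dc=example,dc=com", "FAILED", "49", "2018-09-12T00:55:43.100Z"),
    "not json: truncated line",
    _line("MODIFY", "uid=alice,ou=People,dc=example,dc=com", "FAILED", "50", "2018-09-12T01:10:05.000Z"),
]


def failed_modifies(lines):
    """Yield (timestamp, dn) for MODIFY requests rejected with result code 50."""
    for raw in lines:
        try:
            event = json.loads(raw)
            req, resp = event["request"], event["response"]
        except (json.JSONDecodeError, TypeError, KeyError):
            continue  # skip truncated, non-JSON or unrelated lines
        if (req.get("operation") == "MODIFY"
                and resp.get("status") == "FAILED"
                and str(resp.get("statusCode")) == INSUFFICIENT_ACCESS_RIGHTS):
            yield event.get("timestamp", ""), req.get("dn", "")


def failures_per_minute(lines):
    """Count matching failures per minute (timestamp cut to YYYY-MM-DDTHH:MM)."""
    return Counter(ts[:16] for ts, _ in failed_modifies(lines))


if __name__ == "__main__":
    for minute, count in sorted(failures_per_minute(SAMPLE_LOG).items()):
        print(minute, count)
```

Several failures within the same minute that line up with change-password traffic from AM are consistent with the concurrent case this issue describes; isolated hits may simply be genuine ACI denials.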

      Work around

      Directly modify Password via DS calls.

       

      Code analysis

      Same root cause as https://bugster.forgerock.org/jira/browse/OPENAM-13183

       


              People

              • Assignee:
                jonthomas Jonathan Thomas
              • Reporter:
                jonthomas Jonathan Thomas
              • Votes:
                1
              • Watchers:
                4
