[OPENAM-14333] am-config profile is unable to upgrade in production mode - ForgeRock JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 6.5.0.1
Fix Version/s: None
Component/s: upgrade
Labels:
- EDISON
- UPGRADE
- configuration
- profile
Environment:
AM 6.5.0.0
DS 6.5.0.0 External Configuration Store

Sprint:
AM Sustaining Sprint 59, AM Sustaining Sprint 60
Story Points:
5

Support Ticket IDs:

Description

Bug description

When installing AM using the AM-Profile and using Production Mode subsequent upgrades will fail.

The upgrade screen will grey out the upgrade button and the following error is reported:

ERROR: Unable to read directory schema, the schema won't be upgraded
No Results Returned: The entry ou=am-config does not include a subschemaSubentry attribute
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:246)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:143)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:112)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:70)
at org.forgerock.opendj.ldap.schema.SchemaBuilder.getSubschemaSubentryDn(SchemaBuilder.java:93)

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

Configure a new DS server with am-config profile in production mode
https://backstage.forgerock.com/docs/ds/6.5/install-guide/#setup-profiles-am-config
Configure AM to trust the Certificate, since AM will not allow tls connections from an untrusted connections
Install and configure AM 6.5.0 to use this DJ as it's configuration store
After install, test, then try to upgrade to 6.5.0.1

Expected behaviour

The upgrade would complete, am-config should have contained all aci/roles needed to upgrade a server

Current behaviour

upgrade will fail due to missing aci's

Work around

Upgrade as Directory Manager or modify aci's

https://backstage.forgerock.com/docs/am/6.5/upgrade-guide/#upgrade-server

(Optional) If you installed AM using an external directory server as the configuration store, add an access control instruction (ACI) to the external directory to give the AM administrative user server-side sorting privileges.

The ACI should be similar to the following:

aci: (targetcontrol="1.2.840.113556.1.4.473")(version 3.0;
acl "Allow server-side sorting"; allow (read)
(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com")

Code analysis

OPTIONAL - If you already investigated the code, please share your finding here (remove this text)

org.forgerock.$className.java

...

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

debug.zip
58 kB
28/Jan/19 9:39 PM
djlogs.zip
12 kB
28/Jan/19 9:39 PM

Issue Links

is caused by

OPENDJ-6039 AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM.

Done

is duplicated by

OPENAM-14475 Upgrading from AM 6.5 to AM 6.5.0.1 fails when AM 6.5 Config DJ was setup with --profile am-config

Closed

is related to

OPENAM-11398 OpenAM ACI installation instruction does not work for OpenDJ productionMode

Closed

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:

Unassigned

Reporter:

William Hepler

Votes:

0 Vote for this issue

Watchers:

10 Start watching this issue

Dates

Created:

28/Jan/19 4:57 PM

Updated:

07/Mar/19 5:15 PM

Resolved:

07/Mar/19 2:50 PM