- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 6.5.0.1
- Fix Version/s: None
- Component/s: upgrade
- Labels:
- Environment: AM 6.5.0.0
  DS 6.5.0.0 External Configuration Store
- Sprint: AM Sustaining Sprint 59, AM Sustaining Sprint 60
- Story Points: 5
- Support Ticket IDs:
Bug description
When installing AM using the AM-Profile and using Production Mode, subsequent upgrades will fail.
The upgrade screen will grey out the upgrade button and the following error is reported:
ERROR: Unable to read directory schema, the schema won't be upgraded
No Results Returned: The entry ou=am-config does not include a subschemaSubentry attribute
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:246)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:143)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:112)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:70)
at org.forgerock.opendj.ldap.schema.SchemaBuilder.getSubschemaSubentryDn(SchemaBuilder.java:93)
How to reproduce the issue
- Configure a new DS server with am-config profile in production mode: https://backstage.forgerock.com/docs/ds/6.5/install-guide/#setup-profiles-am-config
- Configure AM to trust the certificate, since AM will not allow TLS connections from untrusted connections
- Install and configure AM 6.5.0 to use this DJ as its configuration store
- After install, test, then try to upgrade to 6.5.0.1
Expected behaviour
The upgrade would complete; am-config should have contained all ACIs/roles needed to upgrade a server.
Current behaviour
Upgrade will fail due to missing ACIs.
Work around
Upgrade as Directory Manager or modify ACIs
https://backstage.forgerock.com/docs/am/6.5/upgrade-guide/#upgrade-server
(Optional) If you installed AM using an external directory server as the configuration store, add an access control instruction (ACI) to the external directory to give the AM administrative user server-side sorting privileges.
The ACI should be similar to the following:
aci: (targetcontrol="1.2.840.113556.1.4.473")(version 3.0;
 acl "Allow server-side sorting"; allow (read)
 (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
Code analysis
...
- is caused by
  OPENDJ-6039 AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM. (Done)
- is duplicated by
  OPENAM-14475 Upgrading from AM 6.5 to AM 6.5.0.1 fails when AM 6.5 Config DJ was setup with --profile am-config (Closed)
- is related to
  OPENAM-11398 OpenAM ACI installation instruction does not work for OpenDJ productionMode (Closed)
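The error in this report is raised when the search against ou=am-config comes back without a subschemaSubentry attribute. The check below tests for that condition before an upgrade is attempted; it is an added example, not part of the original report or ForgeRock code, and the host name, bind DN and sample LDIF are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example (not ForgeRock code). DNs, host and sample LDIF are placeholders.

# unfold_ldif: join LDIF continuation lines (a leading single space continues
# the previous line) so that every attribute sits on one line.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }'
}

# can_read_subschema DN: reads the LDIF result of a base-scope search on stdin.
# Succeeds only if the entry DN came back with a subschemaSubentry value, which
# is the attribute the upgrade error reports as missing. Names are compared
# case-insensitively; base64-encoded DNs ("dn::") are not handled.
can_read_subschema() {
    unfold_ldif | awk -v want="$1" '
        BEGIN { want = tolower(want); rc = 1 }
        /^$/ { in_entry = 0; next }
        tolower($0) == "dn: " want { in_entry = 1; next }
        in_entry && tolower($0) ~ /^subschemasubentry::? *[^ ]/ { rc = 0 }
        END { exit rc }'
}

# Constructed search results, not captured from a real server.
LDIF_OK='dn: ou=am-config
subschemaSubentry: cn=schema'
LDIF_DENIED='dn: ou=am-config'

# Against a live DS, run the search as the account AM binds with (trust store
# options omitted, values are placeholders):
#   ldapsearch --hostname ds.example.com --port 1636 --useSsl \
#     --bindDN "<AM bind DN>" --bindPassword "<password>" \
#     --baseDN ou=am-config --searchScope base "(objectClass=*)" \
#     subschemaSubentry | can_read_subschema ou=am-config
for sample in "$LDIF_OK" "$LDIF_DENIED"; do
    if printf '%s\n' "$sample" | can_read_subschema "ou=am-config"; then
        echo "subschemaSubentry readable: schema check can proceed"
    else
        echo "subschemaSubentry not readable: fix ACIs or upgrade as Directory Manager"
    fi
done
```

Running the same search as Directory Manager and as the AM bind account shows whether the difference is down to access control rather than a missing schema entry.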