Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14333

am-config profile is unable to upgrade in production mode


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s:
    • Fix Version/s: None
    • Component/s: upgrade
    • Environment:
      DS External Configuration Store
    • Sprint:
      AM Sustaining Sprint 59, AM Sustaining Sprint 60
    • Story Points:
    • Support Ticket IDs:


      Bug description

      When installing AM using the AM-Profile and using Production Mode subsequent upgrades will fail. 

      The upgrade screen will grey out the upgrade button and the following error is reported:

      ERROR: Unable to read directory schema, the schema won't be upgraded
      No Results Returned: The entry ou=am-config does not include a subschemaSubentry attribute
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:246)
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:143)
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:112)
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:70)
      at org.forgerock.opendj.ldap.schema.SchemaBuilder.getSubschemaSubentryDn(SchemaBuilder.java:93)

      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1. Configure a new DS server with am-config profile in production mode
      2. Configure AM to trust the Certificate, since AM will not allow tls connections from an untrusted connections
      3. Install and configure AM 6.5.0 to use this DJ as it's configuration store
      4. After install, test, then try to upgrade to
      Expected behaviour
      The upgrade would complete, am-config should have contained all aci/roles needed to upgrade a server
      Current behaviour
      upgrade will fail due to missing aci's 

      Work around

      Upgrade as Directory Manager or modify aci's


      (Optional) If you installed AM using an external directory server as the configuration store, add an access control instruction (ACI) to the external directory to give the AM administrative user server-side sorting privileges.

      The ACI should be similar to the following:
      aci: (targetcontrol="1.2.840.113556.1.4.473")(version 3.0;
      acl "Allow server-side sorting"; allow (read)
      (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com")

      Code analysis

      OPTIONAL - If you already investigated the code, please share your finding here (remove this text)



        1. debug.zip
          58 kB
        2. djlogs.zip
          12 kB

          Issue Links



              • Assignee:
                william.hepler William Hepler
              • Votes:
                0 Vote for this issue
                10 Start watching this issue


                • Created: