OpenAM / OPENAM-14895

user identity creation fails with "Identity ***" of type user not found.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 6.5.0, 6.5.0.1, 6.5.1, 6.5.0.2
    • Fix Version/s: None
    • Component/s: console, rest
    • Labels:
    • Environment:
      Oracle JDK 1.8.0_201-b09
      Apache Tomcat/9.0.8
      AM 6.5.1
    • Sprint:
      AM Sustaining Sprint 63, AM Sustaining Sprint 64
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      Adding a user identity via AM fails with an error, but the related entry is nevertheless created in the LDAP identity repository.

      How to reproduce the issue

      1. Configure FR DS instance 1 with some sample entries
      2. Configure FR DS instance 2
      3. Configure replication between DS 1 and DS 2
      4. Configure HAProxy to perform round-robin distribution (see the sample config attached)
      5. Configure AM with embedded identity repository
      6. Create sub-realm
      7. Remove embedded identity repository from sub-realm
      8. Configure external identity repository using VIP of HA proxy
      9. Set "LDAP Connection Pool Minimum Size" to 2 and "LDAP Connection Pool Maximum Size" to 2; disable the heartbeat so the access logs are not polluted
      10. Monitor the established connections to HAProxy; you should see 2 connections
      11. Add a new user identity

      Expected behaviour

      The user identity should be created without error.

      Current behaviour

      The request fails with an error message (see the attached screen video), but the entry is created in the LDAP directory server.
      

      Exception seen on AM:

      Message:Identity xxxxx of type user not found.
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2622)
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2568)
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2555)
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:877)
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:824)
          at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:804)
          at org.forgerock.openam.idm.IdRepoAuditor.lambda$create$6(IdRepoAuditor.java:193)
          at org.forgerock.openam.idm.IdRepoAuditor.callAndAudit(IdRepoAuditor.java:390)
          at org.forgerock.openam.idm.IdRepoAuditor.create(IdRepoAuditor.java:196)
          at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:429)
          at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
          at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.create(IdentityServicesImpl.java:163)
      

      Workaround

      Don't use a round-robin load-balancing algorithm (or a load balancer at all).

      Use AM connection strings if possible.

      Code analysis

      org.forgerock.openam.idm.IdRepoAuditor.java
      This class performs read-after-create and read-after-write operations, which are known to fail in replicated environments when the TCP/LDAP connection cannot be kept sticky to a specific DS instance: the write lands on one replica and the immediate read is served by another replica that has not yet received the change.
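      The following is an added, constructed model of the failure mode described above (not OpenAM or DS code): two in-memory replicas with delayed replication, a pool of two connections that a round-robin proxy has spread across both replicas, a create-then-read sequence in the style of IdRepoAuditor, and a sticky variant that keeps the read on the writing connection. The replica names, DN suffix and attribute shape are assumptions.

```python
from collections import deque
from itertools import cycle


class Topology:
    """Two DS replicas (constructed) with asynchronous replication via replicate()."""
    def __init__(self):
        self.replicas = {"ds1": {}, "ds2": {}}   # name -> {dn: attrs}
        self.pending = deque()                   # changes not yet replicated

    def add(self, replica, dn, attrs):
        self.replicas[replica][dn] = attrs
        for other in self.replicas:
            if other != replica:
                self.pending.append((other, dn, attrs))

    def replicate(self):
        while self.pending:
            other, dn, attrs = self.pending.popleft()
            self.replicas[other][dn] = attrs


class RoundRobinPool:
    """Two pooled connections opened through a round-robin proxy: connection 1 landed
    on ds1, connection 2 on ds2, so consecutive acquire() calls alternate replicas."""
    def __init__(self, topo):
        self._next = cycle(topo.replicas)        # "ds1", "ds2", "ds1", ...

    def acquire(self):
        return next(self._next)


def create_naive(pool, topo, uid):
    """IdRepoAuditor pattern: create, then read the entry back on whichever
    pooled connection comes next. With round-robin that is the other replica."""
    dn = f"uid={uid},ou=people,dc=example,dc=com"
    topo.add(pool.acquire(), dn, {"uid": uid})
    reader = pool.acquire()
    if dn not in topo.replicas[reader]:          # replication has not caught up
        raise LookupError(f"Identity {uid} of type user not found.")
    return reader


def create_sticky(pool, topo, uid):
    """Mitigation: keep the follow-up read on the connection that did the write."""
    dn = f"uid={uid},ou=people,dc=example,dc=com"
    conn = pool.acquire()
    topo.add(conn, dn, {"uid": uid})
    return conn if dn in topo.replicas[conn] else None
```

      The naive path raises the same "not found" message while the entry already exists on the replica that took the write, which is exactly the symptom reported here; once replicate() runs, the entry is visible on both replicas.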

              People

              • Assignee: lawrence.yarham Lawrence Yarham
              • Reporter: bthalmayr Bernhard Thalmayr
              • Votes: 0
              • Watchers: 8