OpenAM / OPENAM-18070

Social authentication modules perform unindexed searches


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.3
    • Fix Version/s: None
    • Component/s: authentication

      Description

      Bug description

      When using the social authentication module, the default account mapping implementation attempts to find the user in the user data store based on the profile data returned by the provider. What the OOTB product does not make clear is that this default lookup searches on the iplanet-am-user-alias-list attribute in DS, which has no index in the default DS configuration. Once DS cannot satisfy the search from an index, it rejects it and the login fails with the following error:

      ERROR: Unexpected error occurred during search
      Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:220)
       at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.search(DJLDAPv3Repo.java:1360)
       at org.forgerock.openam.idm.IdRepoAuditor.search(IdRepoAuditor.java:256)
       at com.sun.identity.idm.server.IdServicesImpl.search(IdServicesImpl.java:1444)
       at com.sun.identity.idm.server.IdCachedServicesImpl.search(IdCachedServicesImpl.java:616)
       at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:380)
       at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:312)
       at org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider.searchUser(DefaultAccountProvider.java:82)
       at org.forgerock.openam.authentication.modules.oauth2.OAuthUtil.getUser(OAuthUtil.java:252)
       at org.forgerock.openam.authentication.modules.social.SocialAuthModuleHelper.userExistsInTheDataStore(SocialAuthModuleHelper.java:142)
       at org.forgerock.openam.authentication.modules.social.AbstractSocialAuthLoginModule.processOAuthTokenState(AbstractSocialAuthLoginModule.java:192)
       at org.forgerock.openam.authentication.modules.social.SocialAuthLoginModule.process(SocialAuthLoginModule.java:69)
       at org.forgerock.openam.authentication.modules.common.AbstractLoginModuleBinder.process(AbstractLoginModuleBinder.java:76)
      

      How to reproduce the issue

      • Set up Google authentication by going through the (JATO-based) social authentication wizard steps.
      • Attempt to log in with Google.
      • Check the DS access logs for the unindexed search made with the iplanet-am-user-alias-list attribute.

      Expected behaviour

      The product works with its default configuration.

      Current behaviour

      Once there is a sufficient number of users in the data store for DS to treat the search as unindexed, social authentication starts to fail with the error above.

      Workaround

      Create an equality index for the iplanet-am-user-alias-list attribute manually.
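      The following script is an added example for this issue; it is not code from the issue, from OpenAM or from DS. It covers the check in the reproduction steps (spotting searches on iplanet-am-user-alias-list that DS flagged as unindexed in its access log) and the workaround above (creating and building an equality index for the attribute). The sample log lines are constructed, not captured traffic. The legacy (non-JSON) DS access log format, the admin port 4444, the backend name userRoot, the base DN dc=example,dc=com and the dsconfig/rebuild-index flags are assumptions; adjust them to your deployment and DS version.

```shell
#!/bin/sh
# Added example for OPENAM-18070 (not code from the issue, OpenAM or DS).
# 1) find searches on iplanet-am-user-alias-list that DS flagged as unindexed
#    in a legacy-format access log (the check in the reproduction steps);
# 2) the workaround: create and build an equality index for the attribute.
# Assumed: non-JSON access log format, admin port 4444, backend "userRoot",
# base DN dc=example,dc=com, DS 6.5 tool flags. Adjust to your deployment.

# Constructed sample log lines (not real traffic). conn=12/op=42 is the
# social-auth alias lookup; DS rejects it with result=50 (insufficient
# access rights) and marks it unindexed=true. conn=13/op=7 is a normal
# indexed uid search and must not be reported.
SAMPLE_LOG='[07/Jan/2021:10:00:01 +0000] SEARCH REQ conn=12 op=42 msgID=43 base="ou=people,dc=example,dc=com" scope=sub filter="(iplanet-am-user-alias-list=google-1234567890)" attrs="dn"
[07/Jan/2021:10:00:01 +0000] SEARCH RES conn=12 op=42 msgID=43 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 unindexed=true etime=1
[07/Jan/2021:10:00:02 +0000] SEARCH REQ conn=13 op=7 msgID=8 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=demo)" attrs="dn"
[07/Jan/2021:10:00:02 +0000] SEARCH RES conn=13 op=7 msgID=8 result=0 nentries=1 etime=0'

# Reads a DS access log on stdin and prints the filter of every search that
# both used iplanet-am-user-alias-list and was flagged unindexed by DS.
# SEARCH REQ and SEARCH RES lines are paired on their conn=/op= identifiers.
unindexed_alias_searches() {
  awk '
    /SEARCH REQ/ && /iplanet-am-user-alias-list/ {
      if (match($0, /conn=[0-9]+ op=[0-9]+/)) {
        key = substr($0, RSTART, RLENGTH)
        if (match($0, /filter="[^"]*"/)) req[key] = substr($0, RSTART, RLENGTH)
      }
    }
    /SEARCH RES/ && /unindexed=true/ {
      if (match($0, /conn=[0-9]+ op=[0-9]+/)) {
        key = substr($0, RSTART, RLENGTH)
        if (key in req) print req[key]
      }
    }
  '
}

# Number of such searches in the log on stdin (0 means the index is in place,
# or the alias attribute is not being used for the lookup at all).
count_unindexed_alias_searches() {
  unindexed_alias_searches | awk 'END { print NR }'
}

# The workaround from the issue. Guarded so the script stays runnable offline;
# set DS_RUN=1 and DS_PASSWORD to execute against a real DS instance.
create_alias_equality_index() {
  if [ "${DS_RUN:-0}" != 1 ]; then
    echo "DS_RUN not set; skipping dsconfig/rebuild-index" >&2
    return 0
  fi
  dsconfig create-backend-index \
    --hostname "${DS_HOST:-localhost}" --port "${DS_ADMIN_PORT:-4444}" \
    --bindDN "cn=Directory Manager" --bindPassword "$DS_PASSWORD" \
    --backend-name "${DS_BACKEND:-userRoot}" \
    --index-name iplanet-am-user-alias-list \
    --set index-type:equality \
    --trustAll --no-prompt
  # A newly created index is empty until it is built; rebuild it so the
  # existing user entries are indexed and the search stops being unindexed.
  rebuild-index \
    --hostname "${DS_HOST:-localhost}" --port "${DS_ADMIN_PORT:-4444}" \
    --bindDN "cn=Directory Manager" --bindPassword "$DS_PASSWORD" \
    --baseDN "${DS_BASE_DN:-dc=example,dc=com}" \
    --index iplanet-am-user-alias-list --trustAll
}

# Usage: check the log first, then apply the index if offending searches show up.
if [ "$(printf '%s\n' "$SAMPLE_LOG" | count_unindexed_alias_searches)" -gt 0 ]; then
  printf '%s\n' "$SAMPLE_LOG" | unindexed_alias_searches
  create_alias_equality_index
fi
```

      Run the first half against the real access log of the DS instance that backs the OpenAM data store (pipe the file into unindexed_alias_searches) rather than the embedded sample. Granting the OpenAM bind account the DS unindexed-search privilege would also make the error disappear, but the lookup would still scan the backend on every social login, so the index is the fix to prefer.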

      People

      Assignee: Unassigned
      Reporter: Peter Major
      Votes: 0
      Watchers: 2