  1. OpenAM
  2. OPENAM-8629

TransactionID control should not be sent when using 'Generic LDAP' datastore


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: idrepo

      Description

      After upgrading to OpenAM 13, the GenericLDAPv3 datastore sends a TransactionID control with all requests even though the TransactionID is an OpenDJ 3.0-specific extension. Most LDAP servers should ignore this control if they don't support it, as it is specified as a non-critical control. However, we have seen the following possible result against certain directory servers:

      amAuthLDAP:03/10/2016 10:42:44:599 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94]
      WARNING: resultCode: Connect Error
      amAuthLDAP:03/10/2016 10:42:44:600 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94]
      WARNING: Cannot connect to [host2.example.com:389]
      org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
      at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.getMonitoredConnectionFactory(AbstractLoadBalancingAlgorithm.java:343)
      at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.access$100(AbstractLoadBalancingAlgorithm.java:59)
      at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm$MonitoredConnectionFactory.getConnection(AbstractLoadBalancingAlgorithm.java:88)
      at org.forgerock.opendj.ldap.LoadBalancer.getConnection(LoadBalancer.java:55)
      at org.forgerock.openam.ldap.LDAPAuthUtils.getAdminConnection(LDAPAuthUtils.java:459)
      at org.forgerock.openam.ldap.LDAPAuthUtils.searchForUser(LDAPAuthUtils.java:707)
      at org.forgerock.openam.ldap.LDAPAuthUtils.authenticateUser(LDAPAuthUtils.java:399)
      at com.sun.identity.authentication.modules.ldap.LDAP.process(LDAP.java:335)
      ...
      Caused by: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed: Heartbeat failed
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
      at org.forgerock.opendj.ldap.LDAPConnectionFactory$4.handleException(LDAPConnectionFactory.java:510)
      ... more
      Caused by: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:155)
      ... 20 more

      amLoginModule:03/10/2016 10:42:44:604 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94]
      SETTING Failure Module name.... :LDAP

      Since there is already a distinction between 'Generic LDAPv3' and 'OpenDJ' datastore types (even though they use the same class), it would make sense for the transaction ID control to only be used when the type is specifically OpenDJ.
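
      A triage sketch for the log excerpt above, added here as an example and not part of the original report or of OpenAM: it splits the debug log into records, walks each "Caused by" chain to the innermost exception, and reports the request-control OID the directory rejected, which the outer "Connect Error" symptom hides. The function names, the output field names and the second log record (host3.example.com) are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the excerpt above; the host3 record is invented.
SAMPLE_LOG = """\
amAuthLDAP:03/10/2016 10:42:44:600 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94]
WARNING: Cannot connect to [host2.example.com:389]
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
at org.forgerock.opendj.ldap.LoadBalancer.getConnection(LoadBalancer.java:55)
Caused by: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed: Heartbeat failed
Caused by: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights
amLoginModule:03/10/2016 10:42:44:604 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94]
SETTING Failure Module name.... :LDAP
amAuthLDAP:03/10/2016 10:43:01:112 AM CST: Thread[ajp-apr-8009-exec-7,5,main]: TransactionId[00000000-0000-0000-0000-000000000000-7]
WARNING: Cannot connect to [host3.example.com:389]
org.forgerock.opendj.ldap.ConnectionException: Connect Error: Connection refused
"""

HEADER = re.compile(r"^\w+:\S+ [\d:]+ [AP]M \w+: Thread\[[^\]]*\]: TransactionId\[(?P<txid>[^\]]+)\]$")
HOST = re.compile(r"Cannot connect to \[([^\]]+)\]")
CAUSE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")
REJECTED = re.compile(r"request control with Object Identifier \(OID\) '([\d.]+)' cannot be used")

def records(text):
    """Yield one dict per log record: the transaction id plus continuation lines."""
    current = None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {**m.groupdict(), "body": []}
        elif current and line:
            current["body"].append(line)
    if current:
        yield current

def triage(text):
    """Return one finding per failed connection, keyed to the innermost cause."""
    findings = []
    for rec in records(text):
        host = next((m[1] for l in rec["body"] if (m := HOST.search(l))), None)
        chain = [m for l in rec["body"] if (m := CAUSE.match(l))]
        if not host or not chain:
            continue
        root = chain[-1]  # the last "Caused by" line is the innermost cause
        oid = REJECTED.search(root["msg"])
        findings.append({"txid": rec["txid"], "host": host, "symptom": chain[0]["msg"],
                         "root": root["exc"].rsplit(".", 1)[-1],
                         "rejected_control_oid": oid[1] if oid else None})
    return findings
```

      Calling `triage(SAMPLE_LOG)` separates the host2 failure, whose root cause is the rejected control, from the host3 failure, which is an ordinary connection problem with no control OID attached.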

              People

              • Assignee:
                peter.major Peter Major
                Reporter:
                abel.hoxeng Abel Hoxeng