Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.0
Component/s: upgrade
While trying to upgrade from OpenAM 13 to OpenAM 13.5 using a customer's test case, the following error has been encountered:
>>>> OpenDJ was successfully upgraded from version
3.0.0.185acee3ba68d8da1782007eebacb3701dc996d6 to
3.5.0.6c04f4cb5de809ea1b4e8deb12925396da89d841
>>>> Performing post upgrade tasks
Rebuilding index(es) '[member]' for base dn(s)
'[dc=XXXX,dc=XXX]'.......................................... 100%
>>>> Post upgrade tasks complete
- See '/work/openam13.5.0-policies/openam11.0.3-conf/opends/logs/upgrade.log'
for a detailed log of this operation
amUpgrade:07/25/2016 08:27:33:933 AM SGT: Thread[localhost-startStop-1,5,main]: TransactionId[ec0fb511-29f9-4ba4-824f-c5ac686edc0f-0]
ERROR: An error occurred while processing /WEB-INF/template/ldif/opendj/opendj_aci_lift_user_password_restriction.ldif
org.forgerock.opendj.ldap.ConstraintViolationException: Invalid Attribute Syntax: An attempt to modify an aci attribute type in the entry "dc=XXXX,dc=XXX" failed because of the following reason: The provided Access Control Instruction (ACI) target expression DN value "dc=openam,dc=forgerock,dc=org" is invalid. The target expression DN value must be a descendant of the ACI entry DN "dc=XXX,dc=XXX", if no wild-card is specified in the target expression DN
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:166)
at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:132)
at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.modifyResult(LDAPClientFilter.java:301)
at org.forgerock.opendj.io.LDAPReader.readModifyResult(LDAPReader.java:520)
at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:555)
at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:122)
at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:72)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
at java.lang.Thread.run(Thread.java:745)
Notice that the DN "dc=openam,dc=forgerock,dc=org" was hardcoded in a 13.5.0.war file in the following 2 files:
#1. WEB-INF/template/ldif/opendj/opendj_aci_lift_user_password_restriction.ldif
aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")(targetattr != "userPassword")(version 3.0; acl "OpenSSO-FAM Services anonymous access"; deny (all) userdn = "ldap:///anyone";)
#2. /WEB-INF/template/ldif/opendj/opendj_aci_remove_blanket_deny_all.ldif
aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")(targetattr = "*")(version 3.0; acl "OpenSSO-FAM Services anonymous access"; deny (all) userdn = "ldap:///anyone";)
Workaround
1. Unjar OpenAM 13.5.0.war.
2. Rename the dc=openam,dc=forgerock,dc=org in these two files to dc=XXXX,dc=XXX.
3. Jar OpenAM 13.5.0.war with these 2 modified files.
4. Use this modified 13.5.0.war file for the upgrade.
Is duplicated by: OPENAM-9767 OpenAM upgrade fails when embedded configuration store suffix is not dc=openam,dc=forgerock,dc=org (Resolved)
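A pre-upgrade check for the failure reported above, as an added example that is not part of the original issue or of OpenAM's code: it scans the OpenDJ LDIF templates inside a WAR for ACI targets that are not at or below the deployment's configuration store suffix. The function names, the simplified DN parsing, treating a target equal to the suffix as valid, and the `dc=example,dc=com` suffix used when trying it out are assumptions; the sample WAR is constructed in memory from the two ACI lines quoted in the issue.

```python
import io
import re
import zipfile

TEMPLATE_DIR = "WEB-INF/template/ldif/opendj/"  # template path quoted in the issue
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)

def rdns(dn):
    """Split a simple DN (no escaped commas) into normalized (attr, value) pairs."""
    pairs = (rdn.partition("=") for rdn in dn.split(","))
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in pairs]

def is_within(target_dn, entry_dn):
    """True if target_dn equals entry_dn or sits beneath it (equality is an assumption)."""
    target, entry = rdns(target_dn), rdns(entry_dn)
    return len(target) >= len(entry) and target[len(target) - len(entry):] == entry

def find_bad_aci_targets(war, base_dn):
    """Return (template, target_dn) pairs whose ACI target lies outside base_dn."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        names = sorted(n for n in zf.namelist()
                       if n.startswith(TEMPLATE_DIR) and n.endswith(".ldif"))
        for name in names:
            text = zf.read(name).decode("utf-8", errors="replace")
            for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold LDIF
                if line.lower().startswith("aci:"):
                    # Wildcard targets are exempt, per the error text in the issue.
                    findings += [(name, dn) for dn in TARGET_RE.findall(line)
                                 if "*" not in dn and not is_within(dn, base_dn)]
    return findings

def build_sample_war():
    """Constructed in-memory WAR holding only the two ACI lines quoted in the issue."""
    head = 'aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")'
    tail = ('(version 3.0; acl "OpenSSO-FAM Services anonymous access"; '
            'deny (all) userdn = "ldap:///anyone";)\n')
    files = {"opendj_aci_lift_user_password_restriction.ldif": '(targetattr != "userPassword")',
             "opendj_aci_remove_blanket_deny_all.ldif": '(targetattr = "*")'}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, attrs in files.items():
            zf.writestr(TEMPLATE_DIR + name, head + attrs + tail)
    buf.seek(0)
    return buf
```

`find_bad_aci_targets(build_sample_war(), "dc=example,dc=com")` reports both templates, while passing the default suffix `dc=openam,dc=forgerock,dc=org` reports none.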