OpenAM / OPENAM-9482

The provided Access Control Instruction (ACI) target expression DN value "dc=openam,dc=forgerock,dc=org" is invalid.

    Details

    • Sprint:
      AM Sustaining Sprint 29, AM Sustaining Sprint 30, AM Sustaining Sprint 31, AM Sustaining Sprint 32
    • Story Points:
      1

      Description

      While trying to upgrade from OpenAM 13 to OpenAM 13.5 using a customer's test case, the following error was encountered:

      >>>> OpenDJ was successfully upgraded from version
      3.0.0.185acee3ba68d8da1782007eebacb3701dc996d6 to
      3.5.0.6c04f4cb5de809ea1b4e8deb12925396da89d841

      >>>> Performing post upgrade tasks

      Rebuilding index(es) '[member]' for base dn(s)
      '[dc=XXXX,dc=XXX]'.......................................... 100%

      >>>> Post upgrade tasks complete

      • See '/work/openam13.5.0-policies/openam11.0.3-conf/opends/logs/upgrade.log'
        for a detailed log of this operation

        amUpgrade:07/25/2016 08:27:33:933 AM SGT: Thread[localhost-startStop-1,5,main]: TransactionId[ec0fb511-29f9-4ba4-824f-c5ac686edc0f-0]
        ERROR: An error occurred while processing /WEB-INF/template/ldif/opendj/opendj_aci_lift_user_password_restriction.ldif
        org.forgerock.opendj.ldap.ConstraintViolationException: Invalid Attribute Syntax: An attempt to modify an aci attribute type in the entry "dc=XXXX,dc=XXX" failed because of the following reason: The provided Access Control Instruction (ACI) target expression DN value "dc=openam,dc=forgerock,dc=org" is invalid. The target expression DN value must be a descendant of the ACI entry DN "dc=XXX,dc=XXX", if no wild-card is specified in the target expression DN
        at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:166)
        at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:132)
        at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.modifyResult(LDAPClientFilter.java:301)
        at org.forgerock.opendj.io.LDAPReader.readModifyResult(LDAPReader.java:520)
        at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:555)
        at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:122)
        at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:72)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
        at java.lang.Thread.run(Thread.java:745)

      Notice that the DN "dc=openam,dc=forgerock,dc=org" was hardcoded in the 13.5.0.war file, in the following two files:

      #1. WEB-INF/template/ldif/opendj/opendj_aci_lift_user_password_restriction.ldif

      aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")(targetattr != "userPassword")(version 3.0; acl "OpenSSO-FAM Services anonymous access"; deny (all) userdn = "ldap:///anyone";)
      

      #2. /WEB-INF/template/ldif/opendj/opendj_aci_remove_blanket_deny_all.ldif

      aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")(targetattr = "*")(version 3.0; acl "OpenSSO-FAM Services anonymous access"; deny (all) userdn = "ldap:///anyone";)
      

      Workaround

      1. Unjar OpenAM 13.5.0.war.
      2. Rename dc=openam,dc=forgerock,dc=org in these two files to dc=XXXX,dc=XXX.
      3. Jar OpenAM 13.5.0.war with these 2 modified files.
      4. Use this modified 13.5.0.war file for the upgrade.
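As an added example (not OpenAM's or ForgeRock's code), the following Python applies the OpenDJ rule quoted in the error above to pre-check an LDIF template's aci: values against the deployment's real base DN before an upgrade, and applies step 2 of the workaround to the file text. The dc=example,dc=com suffix and the dn: line of the sample record are constructed; only the aci value is the one quoted in the report.

```python
"""Pre-check ACI target DNs in OpenAM upgrade LDIF templates (added example, not OpenAM code).
OpenDJ rule quoted in the report: a target DN with no wildcard must be the ACI entry DN or a
descendant of it. rebase_ldif applies workaround step 2 (rewriting the hardcoded suffix)."""
import re

# Captures <dn> from (target="ldap:///<dn>"); "targetattr" does not match because '=' must follow.
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.IGNORECASE)

def normalize_dn(dn):
    """Split a DN into lowercased, trimmed RDNs, splitting only on unescaped commas."""
    return [r.strip().lower() for r in re.split(r'(?<!\\),', dn) if r.strip()]

def is_descendant_or_equal(dn, ancestor):
    """True if dn is ancestor itself or ends with ancestor's RDN sequence."""
    child, parent = normalize_dn(dn), normalize_dn(ancestor)
    return len(child) >= len(parent) and child[len(child) - len(parent):] == parent

def aci_target_problems(aci_value, entry_dn):
    """Reasons OpenDJ would reject this aci value when written to entry_dn."""
    return [f'target "{t}" is not under ACI entry "{entry_dn}"'
            for t in TARGET_RE.findall(aci_value)
            if "*" not in t  # wildcard targets are exempt from the descendant rule
            and not is_descendant_or_equal(t, entry_dn)]

def check_ldif(ldif_text, entry_dn):
    """Check every aci: value in the LDIF against the entry DN it will be applied to."""
    lines = []
    for raw in ldif_text.splitlines():  # LDIF folds long values onto lines starting with a space
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    problems = []
    for line in lines:
        if line.lower().startswith("aci:"):
            problems.extend(aci_target_problems(line.split(":", 1)[1].strip(), entry_dn))
    return problems

def rebase_ldif(ldif_text, old_dn, new_dn):
    """Workaround step 2: replace the hardcoded suffix with the deployment's base DN."""
    return ldif_text.replace(old_dn, new_dn)

# Constructed LDIF record: the aci value is the one quoted in the report, the dn: line is assumed.
SAMPLE_LDIF = (
    "dn: dc=example,dc=com\n"
    'aci: (target="ldap:///dc=openam,dc=forgerock,dc=org")(targetattr != "userPassword")\n'
    ' (version 3.0; acl "OpenSSO-FAM Services anonymous access"; deny (all) userdn = "ldap:///anyone";)\n'
)
```

Running check_ldif over the template with the customer's base DN reproduces the rejection before the upgrade is attempted; after rebase_ldif the same check returns no problems.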

              People

              • Assignee: quentin.castel Quentin CASTEL (Inactive)
              • Reporter: sam.phua Sam Phua
              • QA Assignee: Filip Kubáň (Inactive)