OpenDJ issue OPENDJ-5613

PROXY returns error 50 (insufficient access rights) for AM internal searches

    Details

    • Type: Bug
    • Status: Done
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.0
    • Component/s: proxy
    • Labels: None
    • Story Points: 1

      Description

      AM performs LDAP searches against CTS.
      If AM is directly connected to a CTS instance, everything works fine.
      If AM is connected to the PROXY, the PROXY instance logs a search error with status 50.

      $ ldapsearch -p 1393 -h localhost -D "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens" -w "secret12" -J 1.3.6.1.4.1.36733.2.1.5.1 -C ps:add:true:true -s sub -b "ou=famrecords,ou=openam-session,ou=tokens" "(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))" coreTokenObject dn
      # The LDAP search request failed: 50 (Insufficient Access Rights)

      This seems to be a proxy configuration issue.

      Topology

      AM -> DJ PROXY -> CTS instances

      https://wikis.forgerock.org/confluence/display/QA/CTS+proxy+distribution#CTSproxydistribution-Topology

      LDAP ports

      • PROXY : 1393
      • CTS : 1389

      Scenario

      • Deploy and set up the instances (CTS, PROXY and AM)
      • tail -f the PROXY log
      • No need to run Gatling or connect to the AM GUI to see the errors

      AM connected to PROXY

      Using the transactionId, there is no information related to the PROXY operation in the CTS instance log.

      List of requests with status code 50:

      "dn":"ou=famrecords,ou=openam-session,ou=tokens"
      "scope":"sub"
      "filter":"(&(coreTokenMultiString01=17ea61de-42a2-4b83-a1c0-df2105084526)(objectClass=frCoreToken))"
      "attrs":["coreTokenString05","dn"]

      "dn":"ou=famrecords,ou=openam-session,ou=tokens"
      "scope":"sub"
      "filter":"(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))"
      "attrs":["coreTokenObject","dn"]

      Proxy log:

      Bind (connId 4)

      {"eventName":"DJ-LDAP","client":{"ip":"172.16.204.55","port":48770},"server":{"ip":"172.16.204.55","port":1393},"request":{"protocol":"LDAP","operation":"BIND","connId":4,"msgId":1,"version":"3","dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","authType":"SIMPLE"},"transactionId":"fa89b40c-bca5-44d0-80cc-fd2917471c86-38","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":3257014,"elapsedTimeUnits":"NANOSECONDS"},"userId":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","timestamp":"2018-10-24T08:05:39.649Z","_id":"fa89b40c-bca5-44d0-80cc-fd2917471c86-42"} 

      Search with status 50 (connId 4)

      {"eventName":"DJ-LDAP","client":{"ip":"172.16.204.55","port":48770},"server":{"ip":"172.16.204.55","port":1393},"request":{"protocol":"LDAP","operation":"SEARCH","connId":4,"msgId":3,"dn":"ou=famrecords,ou=openam-session,ou=tokens","scope":"sub","filter":"(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))","attrs":["coreTokenObject","dn"]},"transactionId":"fa89b40c-bca5-44d0-80cc-fd2917471c86-48","response":{"status":"FAILED","statusCode":"50","elapsedTime":348321,"elapsedTimeUnits":"NANOSECONDS","nentries":0},"timestamp":"2018-10-24T08:05:39.671Z","_id":"fa89b40c-bca5-44d0-80cc-fd2917471c86-52"}

      AM connected to CTS

      No error in logs.

      For comparison, an extract of the CTS log:

      Bind

      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":44692},"server":{"ip":"127.0.0.1","port":1389},"request":{"protocol":"LDAP","operation":"BIND","connId":5890,"msgId":1,"version":"3","dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","authType":"SIMPLE"},"transactionId":"a9f8e874-580d-4766-aada-e1a06860e385-124732","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":311226,"elapsedTimeUnits":"NANOSECONDS"},"userId":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","timestamp":"2018-10-24T08:39:42.982Z","_id":"a9f8e874-580d-4766-aada-e1a06860e385-124736"} 

      Search

      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":44692},"server":{"ip":"127.0.0.1","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":5890,"msgId":2,"dn":"ou=famrecords,ou=openam-session,ou=tokens","scope":"sub","filter":"(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))","attrs":["coreTokenObject","dn"]},"transactionId":"a9f8e874-580d-4766-aada-e1a06860e385-124737","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":304582,"elapsedTimeUnits":"NANOSECONDS","nentries":0},"timestamp":"2018-10-24T08:39:42.999Z","_id":"a9f8e874-580d-4766-aada-e1a06860e385-124741"}
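As an added triage helper (not part of this ticket or of OpenDJ), the script below parses DJ-LDAP JSON access-log lines like the ones quoted above, tracks which DN is bound on each connection (keyed by server port and connId), and lists every search refused with result 50 so a proxy-side denial can be matched against the bound service account. The sample lines are constructed in the ticket's log format with most fields trimmed.

```python
import json

# Constructed sample lines in the "DJ-LDAP" JSON access-log shape the ticket
# quotes (fields trimmed): the proxy (port 1393) search on connId 4 fails with
# LDAP result 50, the direct CTS (port 1389) search on connId 5890 succeeds.
SAMPLE_LOG = """
{"eventName":"DJ-LDAP","server":{"port":1393},"request":{"operation":"BIND","connId":4,"msgId":1,"dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","authType":"SIMPLE"},"response":{"status":"SUCCESSFUL","statusCode":"0"}}
{"eventName":"DJ-LDAP","server":{"port":1393},"request":{"operation":"SEARCH","connId":4,"msgId":3,"dn":"ou=famrecords,ou=openam-session,ou=tokens","scope":"sub","filter":"(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))"},"response":{"status":"FAILED","statusCode":"50","nentries":0}}
{"eventName":"DJ-LDAP","server":{"port":1389},"request":{"operation":"BIND","connId":5890,"msgId":1,"dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","authType":"SIMPLE"},"response":{"status":"SUCCESSFUL","statusCode":"0"}}
{"eventName":"DJ-LDAP","server":{"port":1389},"request":{"operation":"SEARCH","connId":5890,"msgId":2,"dn":"ou=famrecords,ou=openam-session,ou=tokens","scope":"sub","filter":"(&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken))"},"response":{"status":"SUCCESSFUL","statusCode":"0","nentries":0}}
"""

INSUFFICIENT_ACCESS_RIGHTS = "50"  # LDAP resultCode insufficientAccessRights

def find_denied_searches(log_text):
    """Return one record per SEARCH that failed with result 50, together with
    the DN that was bound on that connection (keyed by server port + connId)."""
    bound_dn = {}   # (server port, connId) -> DN of the last successful BIND
    denied = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "DJ-LDAP":
            continue
        req, resp = ev["request"], ev["response"]
        key = (ev["server"]["port"], req["connId"])
        op = req.get("operation")
        if op == "BIND":
            if resp.get("statusCode") == "0":
                bound_dn[key] = req.get("dn")
            else:
                # A failed bind leaves the connection anonymous (RFC 4511 4.2).
                bound_dn.pop(key, None)
        elif op == "SEARCH" and resp.get("statusCode") == INSUFFICIENT_ACCESS_RIGHTS:
            denied.append({
                "port": key[0], "connId": key[1],
                "boundDn": bound_dn.get(key, "<anonymous>"),
                "base": req.get("dn"), "filter": req.get("filter"),
            })
    return denied

if __name__ == "__main__":
    for d in find_denied_searches(SAMPLE_LOG):
        print(f"port {d['port']} connId {d['connId']}: {d['boundDn']} denied "
              f"search base={d['base']} filter={d['filter']}")
```

Run it against the real proxy access log (each line is one JSON event) to confirm the denials all come from the CTS service account rather than an anonymous or unexpected bind DN.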

      How to reproduce

      run-pybot.py  -c functional -s proxy_group.WriteDistribution_CTSUseCase -n OpenDJ

      How to update AM to use PROXY or CTS

      http://MY_MACHINE:AM_HTTP_PORT/openam/XUI/#configure/server-defaults/cts

      People

      • Assignee: cforel (Carole Forel)
      • Reporter: guillaume.andru (Guillaume Andru)