OpenDJ / OPENDJ-6039

AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM.

    Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Fixed
    • 6.5.0
    • 7.0.0
    • setup

      Description

      When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.

      During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

      A simple fix would be to allow the AM config admin to read and update all operational attributes; in effect, in the profile's base-entries.ldif file, replace:

      aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
       allow (search, read, write, add, delete)
       (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
      

      With:

      aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
       allow (search, read, write, add, delete)
       (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
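
An added example (not part of the original issue or of the DS code base): a small Python audit that unfolds the LDIF, parses each ACI's targetattr and rights, and shows why "*" alone does not cover an operational attribute such as subschemaSubentry while "*||+" does. It also flags that the replacement ACI grants write on every operational attribute. The base DN value, the function names and the simplified matching (ACIs using targetattr!= are skipped) are assumptions.

```python
import re

# The ACI from the description, with a constructed base DN substituted for
# the &{AM_CONFIG_BASE_DN} placeholder. AFTER applies the proposed change.
BEFORE = '''aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,ou=am-config");)
'''
AFTER = BEFORE.replace('"*"', '"*||+"')

def parse_acis(ldif):
    """Unfold LDIF continuation lines, then extract each ACI's targets and rights."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # a leading space continues the previous line
    acis = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("aci:"):
            continue
        target = re.search(r'targetattr\s*=\s*"([^"]*)"', line)
        rights = re.search(r"allow\s*\(([^)]*)\)", line)
        name = re.search(r'acl\s+"([^"]*)"', line)
        if not (target and rights):
            continue  # negated or missing targetattr: out of scope for this sketch
        acis.append({
            "name": name.group(1) if name else "",
            "attrs": {a.strip().lower() for a in target.group(1).split("||")},
            "rights": {r.strip().lower() for r in rights.group(1).split(",")},
        })
    return acis

def allows(aci, right, attr, operational):
    """"*" matches every user attribute, "+" every operational attribute."""
    wildcard = "+" if operational else "*"
    matched = wildcard in aci["attrs"] or attr.lower() in aci["attrs"]
    return matched and right in aci["rights"]

def audit(ldif):
    """Names of ACIs that grant write on all operational attributes."""
    return [a["name"] for a in parse_acis(ldif)
            if "+" in a["attrs"] and "write" in a["rights"]]

if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER)):
        aci = parse_acis(ldif)[0]
        print(label, "read subschemaSubentry:",
              allows(aci, "read", "subschemaSubentry", operational=True),
              "| write on all operational attrs:", audit(ldif))
```

The audit result for the replacement ACI is worth reviewing before deployment: "+" covers every operational attribute for all listed rights, not only read access to subschemaSubentry.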
      

              People

              ludo Ludovic Poitou