  1. OpenDJ
  2. OPENDJ-6039

AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM.

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 7.0.0
    • Component/s: setup

      Description

      When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.

      During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

      A simple fix would be to allow the AM config Admin to read and update all operational attributes. In effect, in the profile base-entries.ldif file, replace:

      aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
       allow (search, read, write, add, delete)
       (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
      

      With:

      aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
       allow (search, read, write, add, delete)
       (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
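
      Added example (not part of the original issue or the DS code base): a small Python check that unfolds the ACI as it appears in base-entries.ldif and reports whether its targetattr covers the subschemaSubentry operational attribute, and whether write is granted on every operational attribute. The helper names are illustrative, and NARROW is a hypothetical narrower variant that has not been tested against an AM upgrade.

```python
import re

# Constructed input: the two ACIs from this issue as folded LDIF, plus NARROW,
# a hypothetical least-privilege variant that is not the fix applied here.
BEFORE = '''aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
'''
AFTER = BEFORE.replace('targetattr="*"', 'targetattr="*||+"')
NARROW = BEFORE.replace('targetattr="*"', 'targetattr="*||subschemaSubentry"')


def parse_aci(ldif):
    """Return (lower-cased targetattr names, granted rights) of one folded aci value."""
    value = re.sub(r"\r?\n ", "", ldif)  # LDIF unfolding: newline + one space
    target = re.search(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', value)
    allow = re.search(r"allow\s*\(([^)]*)\)", value)
    if not target or not allow:
        raise ValueError("unsupported ACI form (only targetattr=... allow is handled)")
    attrs = [a.strip().lower() for a in target.group(1).split("||")]
    rights = {r.strip().lower() for r in allow.group(1).split(",")}
    return attrs, rights


def covers(attrs, name, operational):
    """'*' selects all user attributes, '+' all operational ones; a name selects itself."""
    return name.lower() in attrs or ("+" if operational else "*") in attrs


def audit(ldif, needed=(("subschemaSubentry", True), ("cn", False))):
    """Report which needed (name, is_operational) attributes the ACI lets the subject read."""
    attrs, rights = parse_aci(ldif)
    return {
        "readable": {n: "read" in rights and covers(attrs, n, op) for n, op in needed},
        "write_on_all_operational": "+" in attrs and "write" in rights,
    }


if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER), ("narrow", NARROW)):
        print(label, audit(ldif))
```

      The "before" ACI leaves subschemaSubentry unreadable, which matches the upgrade failure described above; the "after" ACI makes it readable and also sets the write-on-all-operational flag, which is worth recording in an access review.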
      

              People

              • Assignee:
                ludo Ludovic Poitou
                Reporter:
                ludo Ludovic Poitou