When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.
During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.
A simple fix would be to allow the AM config admin to read and update all operational attributes. In effect, in the profile's base-entries.ldif file, replace:
aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations"; allow (search, read, write, add, delete) (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
With:
aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations"; allow (search, read, write, add, delete) (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
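The effect of the targetattr change above, as an added example (not code from DS or AM): a small Python check that models `*` as all user attributes and `+` as all operational attributes. The OPERATIONAL set is a constructed subset and the function names are hypothetical; only the `targetattr="..."` form is handled, and bind rules, scope and privileges are not evaluated.

```python
import re

# Constructed subset of operational attribute names, for illustration only.
OPERATIONAL = {"subschemasubentry", "entryuuid", "createtimestamp",
               "modifytimestamp", "creatorsname", "modifiersname"}

# The two ACI values quoted in the ticket.
BEFORE = ('(targetattr="*")(version 3.0;acl "Allow CRUDQ operations"; '
          'allow (search, read, write, add, delete) '
          '(userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)')
AFTER = BEFORE.replace('targetattr="*"', 'targetattr="*||+"')

ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)'   # (targetattr="a||b")
    r'.*?\ballow\s*\((?P<rights>[^)]*)\)',             # allow (r1, r2, ...)
    re.I | re.S)

def parse_aci(aci):
    """Return (attribute patterns, rights) from one ACI value."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("unsupported ACI: need targetattr=\"...\" and allow (...)")
    attrs = [a.strip().lower() for a in m["attrs"].split("||") if a.strip()]
    rights = {r.strip().lower() for r in m["rights"].split(",") if r.strip()}
    return attrs, rights

def targetattr_allows(aci, attribute, right):
    """True if the ACI lists `right` and its targetattr covers `attribute`.

    Checks only the targetattr and rights clauses of the ACI.
    """
    attrs, rights = parse_aci(aci)
    name = attribute.lower()
    is_operational = name in OPERATIONAL
    hit = any(p == name
              or (p == "+" and is_operational)       # "+" = operational attrs
              or (p == "*" and not is_operational)   # "*" = user attrs only
              for p in attrs)
    allowed = right in rights or (
        "all" in rights and right not in {"proxy", "import", "export"})
    return hit and allowed

if __name__ == "__main__":
    for label, aci in (("before", BEFORE), ("after", AFTER)):
        for attr in ("cn", "subschemaSubentry", "modifyTimestamp"):
            for right in ("read", "write"):
                print(label, attr, right, targetattr_allows(aci, attr, right))
```

The same run shows that the replacement ACI also covers write on every operational attribute in the set, which is the breadth to review when applying the change.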
Is a backport of OPENDJ-6039: AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM. (Done)