[OPENDJ-6065] Backport OPENDJ-6039: AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM. - ForgeRock JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: Major
Resolution: Fixed
Affects Version/s: 6.5.0
Fix Version/s: 6.5.1
Component/s: setup
Labels:
None

Story Points:
0.5
Releases:

$i18n.getText("admin.common.words.hide")

Version Release date Issue

6.5.1 🏢 2019-04-08 OPENDJ-6065

$i18n.getText("admin.common.words.show")
Version Release date Issue 6.5.1 🏢 2019-04-08 OPENDJ-6065

Description

When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See ~~OPENAM-14333~~.

During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

A simple fix would be to allow the AM config Admin to read, update all operational attributes, in effect, in the profile base-entries.ldif file, replacing:

aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

With:

aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

Attachments

Issue Links

is a backport of

OPENDJ-6039 AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM.

Done

Activity

People

Assignee:: Chris Ridd

Reporter:: Chris Ridd

Dev Assignee:: Chris Ridd

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2019-03-06 1:40 PM

Updated:: 2019-11-08 12:09 AM

Resolved:: 2019-03-06 2:59 PM