[OPENAM-13169]  group names having the same CN but different full Distinguished Name Path Created: 04/Jun/18  Updated: 08/Jun/18  Resolved: 08/Jun/18

Status: Closed
Project: OpenAM
Component/s: configurator
Affects Version/s: 13.5.1, 5.5.1
Fix Version/s: None

Type: Bug
Priority: Critical
Reporter: Jobby Thomas
Assignee: Unassigned
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

am/OpenAm versions: 5.5.1
OS type and bit: RedHat Linux 7.4
Ldap type and version: OpenDJ 5.5

Rank: 1|hzw2cn:
Support Ticket IDs:


When opening the subject / group / AppAdmin view (where AppAdmin is the group name), the following error pops up:

Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95"

business impact:

Unable to have groups that have the same name but different OUs. The application we are developing on OpenAM requires this.



AM does not operate on LDAP entries but on identity subjects, although the UUID might look like a distinguished name. The 'IdRepo' API is extensible, so other sources, like a NoSQL database, could be plugged in by writing a custom implementation of IdRepo.

The big question is how two different Directory Server entries, uniquely distinguished by their Distinguished Name, could be mapped to two different AM group identity subjects. What should be displayed in the console or be used for the UUID?

Comment by Peter Major [X] (Inactive) [ 04/Jun/18 ]

This is a known limitation of AM's current data store implementation; it is not a bug. Changing the current behavior would require extensive changes, and should be only considered as an RFE.
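A directory audit for the limitation discussed in this ticket, as an added example that is not part of the ticket or of AM's code: it scans a list of group DNs and reports every group name that occurs under more than one parent entry, so ambiguous groups can be found before the data store is connected. The sample DNs are constructed, and the function names, the `cn` naming-attribute default and the case-insensitive comparison are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: group DNs as an LDAP export might list them.
SAMPLE_DNS = [
    "cn=AppAdmin,ou=app1,ou=groups,dc=example,dc=com",
    "cn=appadmin,ou=app2,ou=groups,dc=example,dc=com",
    "cn=Ops\\, EU,ou=app1,ou=groups,dc=example,dc=com",
    "cn=Ops,ou=app2,ou=groups,dc=example,dc=com",
    "cn=Auditors,ou=app1,ou=groups,dc=example,dc=com",
]

def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Undo \\XX hex pairs (single-byte only) and \\<char> escapes."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def group_name(dn, naming_attr="cn"):
    """Naming-attribute value of the leading RDN, case-folded, or None."""
    for ava in split_unescaped(split_unescaped(dn, ",")[0], "+"):
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == naming_attr:
            return unescape(value.strip()).casefold()
    return None

def find_collisions(dns, naming_attr="cn"):
    """Map each name that appears under more than one DN to those DNs."""
    by_name = defaultdict(list)
    for dn in dns:
        name = group_name(dn, naming_attr)
        if name is not None:
            by_name[name].append(dn)
    return {name: hits for name, hits in by_name.items() if len(hits) > 1}
```

Calling `find_collisions(SAMPLE_DNS)` flags only the two `AppAdmin` entries; `cn=Ops\, EU` and `cn=Ops` stay distinct because the escaped comma is part of the name.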

Generated at Tue Mar 02 20:31:33 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.