[OPENAM-14333] am-config profile is unable to upgrade in production mode Created: 28/Jan/19  Updated: 07/Mar/19  Resolved: 07/Mar/19

Status: Closed
Project: OpenAM
Component/s: upgrade
Affects Version/s:
Fix Version/s: None

Type: Bug Priority: Major
Reporter: William Hepler Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: EDISON, UPGRADE, configuration, profile
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

DS External Configuration Store

Attachments: Zip Archive debug.zip     Zip Archive djlogs.zip    
Issue Links:
is duplicated by OPENAM-14475 Upgrading from AM 6.5 to AM f... Closed
is caused by OPENDJ-6039 AM Config Store Profile doesn't have ... Done
is related to OPENAM-11398 OpenAM ACI installation instruction d... Closed
Sprint: AM Sustaining Sprint 59, AM Sustaining Sprint 60
Story Points: 5
Support Ticket IDs:


Bug description

When installing AM using the AM profile in Production Mode, subsequent upgrades will fail.

The upgrade screen will grey out the upgrade button and the following error is reported:

ERROR: Unable to read directory schema, the schema won't be upgraded
No Results Returned: The entry ou=am-config does not include a subschemaSubentry attribute
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:246)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:143)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:112)
at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:70)
at org.forgerock.opendj.ldap.schema.SchemaBuilder.getSubschemaSubentryDn(SchemaBuilder.java:93)

How to reproduce the issue


  1. Configure a new DS server with the am-config profile in production mode
  2. Configure AM to trust the certificate, since AM will not allow TLS connections with an untrusted certificate
  3. Install and configure AM 6.5.0 to use this DJ as its configuration store
  4. After install, test, then try to upgrade to
Expected behaviour
The upgrade would complete; am-config should have contained all ACIs/roles needed to upgrade a server
Current behaviour
Upgrade will fail due to missing ACIs

Work around

Upgrade as Directory Manager or modify the ACIs


(Optional) If you installed AM using an external directory server as the configuration store, add an access control instruction (ACI) to the external directory to give the AM administrative user server-side sorting privileges.

The ACI should be similar to the following (1.2.840.113556.1.4.473 is the Server-Side Sort request control OID; the closing ";)" is required for the ACI to parse):
aci: (targetcontrol="1.2.840.113556.1.4.473")(version 3.0;
acl "Allow server-side sorting"; allow (read)
(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)



Comment by William Hepler [ 29/Jan/19 ]

Found this similar issue with productionmode.

Comment by Ludovic Poitou [ 28/Feb/19 ]

As someone outside of AM, I find the overall description very rich, but somehow confusing.
The issue, I believe, is that the am-config user doesn't have read permission on operational attributes.
This can be fixed by updating the ACI that is at the top entry of the config store:

aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)


aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

The fix in the DS profile is to add that "||+" string in the base-entries.ldif file of the ds-config profile.

I've created https://bugster.forgerock.org/jira/browse/OPENDJ-6039 to track this in OpenDJ. Let me know if I missed anything else.

Note that the Transaction ID control is part of Global-ACI and thus doesn't need to be part of any specific profile.
The ACIs added by a profile should come in addition to ones already granted by default, and should be as part of the data (i.e. aci attribute on the top entry of the suffix) or global-aci under cn=config, tied to the profile specific administrator's userDN.
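The workaround section and the comment above both come down to one check: does the ACI on the config-store suffix let the AM bind DN read operational attributes (subschemaSubentry is operational, so targetattr="*" is not enough and "+" must be present)? The following is an added example, not code from the issue, from AM or from the DS profile. It parses DS-style aci values as you would read them from the suffix top entry (for example with ldapsearch as Directory Manager), reports whether a given bind DN can read operational attributes, and emits the LDIF modify that swaps the shipped value for the corrected one. The base DN ou=am-config, the bind DN uid=am-config,ou=admins,ou=am-config and the two ACI strings are constructed to match the issue; adjust them to your deployment.

```python
"""Pre-upgrade check for the am-config store ACI.

Added example, not ForgeRock code. It models the failure in OPENAM-14333: AM's
upgrade reads the operational attribute subschemaSubentry from the config base
entry, but a DS ACI with targetattr="*" grants only user attributes; operational
attributes must be named with "+" (for example targetattr="*||+").
"""
import re

# Assumed deployment values (not stated in the issue): config base DN and AM bind DN.
AM_CONFIG_BASE_DN = "ou=am-config"
AM_CONFIG_USER_DN = f"uid=am-config,ou=admins,{AM_CONFIG_BASE_DN}"

# Constructed ACI values: the form quoted in the issue as shipped by the DS 6.5.0
# profile (user attributes only) and the corrected form with "+" added.
ACI_BEFORE = (
    '(targetattr="*")(version 3.0;acl "Allow CRUDQ operations";'
    ' allow (search, read, write, add, delete)'
    f' (userdn = "ldap:///{AM_CONFIG_USER_DN}");)'
)
ACI_AFTER = ACI_BEFORE.replace('targetattr="*"', 'targetattr="*||+"')

_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]+)"', re.IGNORECASE)
_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)


def target_attrs(aci: str) -> tuple[str, list[str]]:
    """Return (operator, attribute list) from the ACI's targetattr clause.

    DS separates attribute names with "||"; "*" means all user attributes and
    "+" means all operational attributes. An ACI without the clause yields ("=", []).
    """
    m = _TARGETATTR.search(aci)
    if not m:
        return "=", []
    return m.group(1), [a.strip() for a in m.group(2).split("||") if a.strip()]


def grants_operational_read(aci: str, bind_dn: str) -> bool:
    """True if this single ACI lets bind_dn read operational attributes.

    Conservative on purpose: no "read" right, a userdn other than bind_dn (or the
    ldap:///anyone and ldap:///all subjects), a negated (!=) target or a target
    without "+" all count as not granting the read. Other ACI conditions
    (targetfilter, ip, timeofday, ...) are not evaluated here.
    """
    allow = _ALLOW.search(aci)
    if not allow:
        return False
    rights = {r.strip().lower() for r in allow.group(1).split(",")}
    if "read" not in rights and "all" not in rights:
        return False
    user = _USERDN.search(aci)
    if not user:
        return False
    subject = user.group(1).lower()
    if subject not in ("anyone", "all") and subject != bind_dn.lower():
        return False
    op, attrs = target_attrs(aci)
    return op == "=" and "+" in attrs


def can_read_subschema_subentry(acis: list[str], bind_dn: str) -> bool:
    """Would bind_dn be able to read subschemaSubentry on the config base entry,
    given every aci value present on that entry?"""
    return any(grants_operational_read(a, bind_dn) for a in acis)


def ldif_fix(base_dn: str, old_aci: str, new_aci: str) -> str:
    """LDIF that replaces old_aci with new_aci on the suffix top entry.

    Delete and add are sent in one modify request, so the entry is never left
    without an ACI for the AM user. Apply with ldapmodify as Directory Manager.
    """
    return "\n".join([
        f"dn: {base_dn}",
        "changetype: modify",
        "delete: aci",
        f"aci: {old_aci}",
        "-",
        "add: aci",
        f"aci: {new_aci}",
        "",
    ])


if __name__ == "__main__":
    for label, aci in (("shipped", ACI_BEFORE), ("fixed", ACI_AFTER)):
        ok = can_read_subschema_subentry([aci], AM_CONFIG_USER_DN)
        print(f"{label}: {AM_CONFIG_USER_DN} can read operational attributes: {ok}")
    print(ldif_fix(AM_CONFIG_BASE_DN, ACI_BEFORE, ACI_AFTER))
```

Run it against the real aci values of your suffix before starting the AM upgrade: if can_read_subschema_subentry is False for the AM bind DN, the upgrade screen will grey out exactly as described above, and the generated LDIF is the manual equivalent of the fix that landed in the DS profile under OPENDJ-6039.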

Comment by Ľubomír Mlích [ 07/Mar/19 ]

Reproduced with DS 6.5.0 and seen as fixed with DS 6.5.1-RC3

Comment by Ľubomír Mlích [ 07/Mar/19 ]

fixed in OPENDJ-6039

Comment by Lawrence Yarham [ 07/Mar/19 ]

Have created OPENAM-14565 to handle robustness changes for AM to fail more gracefully in this scenario (AM does not have read permission for directory operational attributes) or to allow the upgrade to attempt to proceed.

Generated at Mon Sep 28 05:54:45 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.