[OPENAM-15244] AM configuration does not perform schema extension for identity store although it has the permissions
Created: 18/Jul/19  Updated: 27/Aug/19  Resolved: 27/Aug/19

Status: Resolved
Project: OpenAM
Component/s: configurator, install
Affects Version/s: 6.5.0, 6.5.1, 6.5.2
Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3

Type: Bug
Priority: Major
Reporter: Bernhard Thalmayr
Assignee: Lawrence Yarham
Resolution: Fixed
Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Oracle JDK 1.8.0_201-b09
Apache Tomcat/9.0.8
AM 6.5.0/1

Target Version/s:
Sprint: AM Sustaining Sprint 65, AM Sustaining Sprint 66
Story Points: 2
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


Bug description

User identity subjects cannot be added via AM console.

How to reproduce the issue

  1. Set up a DS 6.0.0 instance to be used as AM's external configuration data store and identity store.
  2. Add the default 'people' container used by AM
  3. Configure AM 6.5.0 using amster, specifying external configuration data store and identity store
  4. After installation, log into AM console
  5. Try to create a user identity subject

Expected behaviour

The user identity subject should be created in the identity store.

Current behaviour

An error shows up in AM console.

Work around

1) Apply manual schema extensions needed for AM, or

2) Ensure that the userStoreType param is included when running the install-openam amster command (as this will then result in the schema loading being performed).


It's not noted in the release notes that the functionality was removed.
AM does perform schema extensions for the external configuration data store ... this is inconsistent behavior. Either no configuration change is performed at all to any Directory Server and it's the duty of the Directory Server administrator to perform the action or AM does it.
AM cannot rely on DS profiles being used, even if FR DS is used as identity repository.
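Added example (not part of the original issue and not ForgeRock code): a pre-flight check for workaround 2 that scans an amster script for install-openam commands that name an external user store but omit the user store type. It assumes the option spellings `--userStoreHost` and `--userStoreType` from the amster reference; the host names, password and the `LDAPv3ForOpenDS` value in the sample scripts are constructed.

```shell
#!/bin/sh
# Added example: lint amster install scripts before running them.
# Flags install-openam commands that set --userStoreHost without
# --userStoreType, the case in which this issue reports that the
# identity store schema is not loaded.
check_amster_install() {
    awk '
        # Join backslash-continued lines into one logical command.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { cmd = buf $0; buf = "" }
        cmd ~ /(^|[ \t])install-openam([ \t]|$)/ &&
        cmd ~ /--userStoreHost([ \t]|$)/ &&
        cmd !~ /--userStoreType([ \t]|$)/ {
            print FILENAME ": install-openam sets --userStoreHost but not --userStoreType"
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample scripts (all values are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/bad.amster" <<'EOF'
install-openam \
  --serverUrl http://am.example.com:8080/openam \
  --adminPwd changeit \
  --acceptLicense \
  --cfgStoreHost ds.example.com \
  --userStoreHost ds.example.com \
  --userStorePort 1389
EOF
cat > "$tmp/good.amster" <<'EOF'
install-openam \
  --serverUrl http://am.example.com:8080/openam \
  --adminPwd changeit \
  --acceptLicense \
  --cfgStoreHost ds.example.com \
  --userStoreHost ds.example.com \
  --userStorePort 1389 \
  --userStoreType LDAPv3ForOpenDS
EOF

check_amster_install "$tmp/bad.amster"  || echo "bad.amster: add --userStoreType or extend the schema manually"
check_amster_install "$tmp/good.amster" && echo "good.amster: ok"
```

The function returns non-zero when any matching command is found, so it can gate a deployment pipeline step that runs amster.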

Comment by Lawrence Yarham [ 12/Aug/19 ]

The issue here is because the userStoreType parameter for the amster install-openam command (https://backstage.forgerock.com/docs/amster/6.5/user-guide/#sec-installam-reference).  As a result the processing assumes that no schema configuration is required and the resulting user store setup (in 6.5.2 and later) is named embedded (although it uses the provided host and port information).

This does look to be a change at some point after 5.5.1 as the install-openam command does perform the schema loading in 5.5.1 when the userStoreType parameter is not present.  It does not look to be specifically related to profiles within the DS.

Generated at Mon Nov 30 02:27:25 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.