[OPENAM-2348] set-realm-svc-attrs: "Not a supported type: realm" Created: 03/Apr/13  Updated: 20/Nov/16  Resolved: 21/Jan/15

Status: Resolved
Project: OpenAM
Component/s: CLI
Affects Version/s: 10.0.1, 10.1.0-Xpress, 11.0.0, 11.0.1, 11.0.2, 12.0.0
Fix Version/s: 10.0.3, 11.0.3, 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: anilm2 [X] (Inactive) Assignee: gabor.hollosi
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS 6.4 x64, CentOS 5.8 x64


Support Ticket IDs:

 Description   

Attempting to change several Realm specific "Authentication" tab settings. These can be set successfully via the admin GUI console, but we are trying to make a cmdline installer limiting user input.

We cannot set Default Login Page for the realm, nor can we modify the login failure parameters for realm.

For example:
./ssoadm set-realm-svc-attrs \
-u amAdmin -f ./adminPassword.txt \
-s iPlanetAMAuthService \
--realm REALM \
-a iplanet-am-auth-login-failure-count=3

results in the error: Not a supported type: realm

using the "set-attr-defs" I believe I have set the value for the root realm, but there is no way, in that command, to modify the value for my sub-realm.

possible separate issues, but other things I tried:
attempted to build XML and use update-svc, but documentation is lacking on format of XML. Got something to import using export-svc-cfg output, but updating iPlanetAMAuthService was not allowed.

attempted to use full export/import:
got error about sunIdentityRepositoryService not existing. [did not see this error before creating Realms].

if i manually moved the <Service> line for the sunIdentityRepositoryService higher in the file (before first reference), the import would appear to work every other time (get error 1st time, not get error second time ... didn't test server too much after confirming odd behaviour).



 Comments   
Comment by Peter Major [X] (Inactive) [ 03/Apr/13 ]
  • I guess in your data store settings you don't have supported idtype for realm with supported operations and that's why you get this rather cryptic error.
  • You should not try to use update-svc to update a given setting (especially if it's a non-global setting -> organization/realm level).
Comment by anilm2 [X] (Inactive) [ 08/Apr/13 ]

I was just attempting update-svc because the specific realm command would not work. It was my not my first choice fcr this data import.

What do you mean about not having a supported idtype for the realm? Is this the same as the realm's unique name? The realm is created via "ssoadm create-realm" and the e/-realm option works on many other commands such as set-realm-atts, update-datastore, update-auth-instance

Comment by anilm2 [X] (Inactive) [ 08/Apr/13 ]

Still not 100% sure why datastore settings would effect the ability to Authenticate/Core Authentication for the realm.

Looking at the realm datastore file that I import during install, I see this:

sunIdRepoSupportedOperations=realm=read,create,edit,delete,service
sunIdRepoSupportedOperations=user=read,create,edit,delete,service
sunIdRepoSupportedOperations=group=read,create,edit,delete

Comment by anilm2 [X] (Inactive) [ 17/Apr/13 ]

I think the issue is either with how I am using "ssoadm" or with how "ssoadm" creates things for the realm.

When I configure the SSO and create the realm and alter the realm settings (datastore, auth modules) within the GUI, the ssoadm set-realm-attr command works.

Comment by anilm2 [X] (Inactive) [ 17/Apr/13 ]

I think I found my issue.
To add my REALM-DOMAIN to the global advanced server configurations, I am doing a

full export

./ssoadm export-svc-cfg \
-e ${OPENAM_ENCRYPTION_KEY} \
-u amAdmin -f ./adminPassword.txt -o ${CONFIGDUMP}

then manually finding the advanced configuration and adding my FQDN,

then re-importing to full configuration.

If I remove this step from my installation scripts, I can use ssoadm to alter the realm.
So, I think there is something that happens in full import/export that is causing this?

Additionally, after the realm is created, if i do this export->alter->import I still am getting the sunIdentityRepositoryService error message.

cmds I'm using to create the realm:

echo "create-realm \
-e $REALM \
-u amAdmin -f ./adminPassword.txt " >> batch.cmd

echo "set-realm-attrs \
-e $REALM \
-s sunIdentityRepositoryService \
-a sunOrganizationAliases=$REALM-DOMAIN \
-u amAdmin -f ./adminPassword.txt " >> batch.cmd

Comment by anilm2 [X] (Inactive) [ 17/Apr/13 ]

found ssoadm update-server-cfg method of adding REALM-DOMAIN binding without import/Alter/export (... tried and failed to do this when I initially wrote the installer for 10.0.0) So, I think I have fixed my personal issue with this.

However, There really does seem to be something wrong with export-svc-cfg/import-svc-cfg.

So, may be able to mark this issue as Invalid.
But, may also want to open a new issue for import/export failures?

edit: typos

Comment by Richard Yuan [X] (Inactive) [ 03/Feb/15 ]

I had the same issue (Not a supported type: realm). It was fixed by running this command:

ssoadm create-sub-cfg -u amadmin -f pass -s sunIdentityRepositoryService -g realm -b SupportedIdentities -D attrs.txt

Where attrs.txt is an empty file as my "Realm" object doesn't contain any attributes.

Comment by Peter Trischberger [X] (Inactive) [ 24/Apr/15 ]

Thanks to Richard for your command.
I was running your command and my issue with "Not a supported type: realm." went away
My failing ssoadm command was: " ./ssoadm get-realm-svc-attrs ...."
Not that I understood what I did when I was running your command.

Generated at Sat Oct 31 01:25:50 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.