[OPENDJ-6039] AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM. Created: 28/Feb/19  Updated: 03/Mar/20  Resolved: 04/Mar/19

Status: Done
Project: OpenDJ
Component/s: setup
Affects Version/s: 6.5.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Ludovic Poitou Assignee: Ludovic Poitou
Resolution: Fixed Votes: 0
Labels: Verified

Issue Links:
is backported by OPENDJ-6065 Backport OPENDJ-6039: AM Config Store... Done
caused OPENAM-14333 am-config profile is unable to upgrad... Closed
Story Points: 0.5
Backports: OPENDJ-6065 (6.5.1)


When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.

During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

A simple fix would be to allow the AM config admin to read and update all operational attributes; in effect, in the profile's base-entries.ldif file, this means replacing:

aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

with:

aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
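As an added illustration, not part of this issue or of the DS code base: a small Python evaluator of the ACI targetattr keyword, showing that the original ACI never targets the operational subschemaSubentry attribute while the "*||+" form does. The OPERATIONAL_ATTRS set is a constructed sample (a real server takes this from its schema), and the negated targetattr!= form is deliberately not modelled.

```python
import re

# Constructed sample of attribute types a DS schema marks as operational; a real
# server derives this set from its schema, so these names are illustrative only.
OPERATIONAL_ATTRS = frozenset({
    "subschemasubentry", "entryuuid", "createtimestamp", "modifytimestamp",
    "creatorsname", "modifiersname", "aci", "pwdchangedtime",
})

_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)

def parse_targetattr(aci):
    """Lower-cased targetattr tokens ('||' separated); none if the keyword is absent.
    The negated form (targetattr!="...") is not modelled here and is rejected."""
    match = _TARGETATTR_RE.search(aci)
    if match is None:
        return []
    if match.group(1) == "!=":
        raise ValueError("negated targetattr is not modelled by this example")
    return [tok.strip().lower() for tok in match.group(2).split("||") if tok.strip()]

def targets_attribute(aci, attr, operational_attrs=OPERATIONAL_ATTRS):
    """True if the ACI's targetattr covers `attr` under the DS rules: '*' matches
    every user attribute, '+' every operational attribute, and an explicit
    attribute name matches case-insensitively."""
    name = attr.lower()
    is_operational = name in operational_attrs
    return any(
        tok == name
        or (tok == "*" and not is_operational)
        or (tok == "+" and is_operational)
        for tok in parse_targetattr(aci)
    )

def uncovered(aci, needed_attrs):
    """Attributes in `needed_attrs` that the ACI does not target, in input order."""
    return [a for a in needed_attrs if not targets_attribute(aci, a)]

# The two ACIs from the issue. &{AM_CONFIG_BASE_DN} is the profile's parameter
# placeholder and is left as-is, since only the targetattr keyword is evaluated.
ACI_BEFORE = ('(targetattr="*")(version 3.0;acl "Allow CRUDQ operations";'
              ' allow (search, read, write, add, delete)'
              ' (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)')
ACI_AFTER = ACI_BEFORE.replace('(targetattr="*")', '(targetattr="*||+")')

if __name__ == "__main__":
    # The AM upgrade reads subschemaSubentry, which the original ACI never targets.
    print("before:", uncovered(ACI_BEFORE, ["cn", "subschemaSubentry"]))  # ['subschemaSubentry']
    print("after: ", uncovered(ACI_AFTER, ["cn", "subschemaSubentry"]))   # []
```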

Comment by Chris Ridd [ 28/Feb/19 ]

The change to the ACI will need to be noted in the AM release notes as a pre-upgrade step.

Comment by carole forel [ 06/Mar/19 ]

Lightly verified by checking:

  • Config store: admin can read operational attributes.
  • Identity store: admin can read, write aci, and do proxied operations.

Still needs validation on the AM side.
