[OPENDJ-6065] Backport OPENDJ-6039: AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM.
Created: 06/Mar/19  Updated: 08/Nov/19  Resolved: 06/Mar/19

Status: Done
Project: OpenDJ
Component/s: setup
Affects Version/s: 6.5.0
Fix Version/s: 6.5.1

Type: Bug
Priority: Major
Reporter: Chris Ridd
Assignee: Chris Ridd
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Backport
is a backport of OPENDJ-6039 AM Config Store Profile doesn't have ... Done
Story Points: 0.5
Dev Assignee: Chris Ridd

 Description   

When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.

During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

A simple fix would be to allow the AM config Admin to read and update all operational attributes, in effect replacing the following in the profile base-entries.ldif file:

aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

with:

aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
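
An added example, not part of the issue or the DS code base: a small Python audit that unfolds an LDIF file such as the profile's base-entries.ldif and reports, for each ACI, whether targetattr covers operational attributes ("+") as well as user attributes ("*"), and with which permissions. The sample LDIF, its ou=before and ou=after entries, and the function name audit_acis are constructed for illustration; negated targetattr lists are only flagged for manual review.

```python
import re

# Constructed sample: the two ACIs from the issue as folded LDIF; the ou=before
# and ou=after entries are made up so each ACI has an entry to sit on.
SAMPLE_LDIF = """\
dn: ou=before,&{AM_CONFIG_BASE_DN}
aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

dn: ou=after,&{AM_CONFIG_BASE_DN}
aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
"""

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)
ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)

def audit_acis(ldif):
    """Return one finding per plain-text aci value (base64 'aci::' values are skipped)."""
    findings, dn = [], None
    # LDIF folding: a line that starts with a single space continues the previous line.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("aci:") and not line.lower().startswith("aci::"):
            target = TARGETATTR.search(line)
            name, allow = ACL_NAME.search(line), ALLOW.search(line)
            op, attrs = (target.group(1), target.group(2).split("||")) if target else ("=", [])
            attrs = [a.strip() for a in attrs]
            findings.append({
                "dn": dn,
                "acl": name.group(1) if name else None,
                "perms": [p.strip() for p in allow.group(1).split(",")] if allow else [],
                "user_attrs": op == "=" and "*" in attrs,         # "*" = all user attributes
                "operational_attrs": op == "=" and "+" in attrs,  # "+" = all operational attributes
                "needs_review": op == "!=",                       # negated lists: check by hand
            })
    return findings

if __name__ == "__main__":
    for f in audit_acis(SAMPLE_LDIF):
        print(f["dn"], f["acl"], "operational:", f["operational_attrs"], f["perms"])
```
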


 Comments   
Comment by Matthew Swift [ 07/Nov/19 ]

Moved to closed state because the fixVersion has already been released.
