November 20, 2018 at 4:09 pm #23919
I am following along in the OpenAM 13 install manual and trying to create the equality indexes to configure an external data store. However, I am getting the error message below. Any ideas why?
./dsconfig create-local-db-index --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --backend-name userRoot --index-name iplanet-am-user-federation-info-key --set index-type:equality --no-prompt
The Local DB Index could not be created because of the following reason:
* [LDAP: error code 53 - The Directory Server is unwilling to add
kend-id=userRoot,cn=Backends,cn=config because one of the add listeners
registered with the parent entry
cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config rejected this
change with the message: The Local DB Index could not be decoded due to
the following reason: The string value
"iplanet-am-user-federation-info-key" is not a valid value for the
"attribute" property, which must have the following syntax: OID]
November 20, 2018 at 4:50 pm #23920
Hi, did you follow step 11 to add the opendj_user_schema.ldif file?
November 20, 2018 at 5:21 pm #23921
Not sure which step is step 11. I have run the openam-ds-admin-account.ldif:
ou: OpenAM Administrator
cn: OpenAM Administrator
and the add-acis-for-openam-admin-access.ldif:
aci: (targetattr="* || aci")(version 3.0;acl "Allow identity modification";
allow (write)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
aci: (targetattr!="userPassword||authPassword")(version 3.0;
acl "Allow identity search"; allow (search, read)(userdn = "ldap:///
aci: (targetcontrol="2.16.840.1.113718.104.22.168")(version 3.0;acl "Allow
persistent search"; allow (search, read)(userdn = "ldap:///
aci: (version 3.0;acl "Add or delete identities"; allow (add, delete)
(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
November 20, 2018 at 5:30 pm #23922
Hmmm… I am configuring for dynamic schema updates and the manual says, “Continue by configuring your external identity repository as an OpenAM data store as described in Section 1.4.3, “Configuring OpenAM Data Stores That Access External Identity Repositories”.” That said, I found the step 11 that you’re referring to; it’s in section 1.5.
November 20, 2018 at 6:15 pm #23923 Ludo (Moderator)
The error happens because the attribute is unknown to the Directory Server.
Either the AM specific schema was not added to the directory, or it’s been added by file and the server was not restarted.
November 20, 2018 at 9:31 pm #23924
Restarting the directory server is not an option since it’s running in a Docker container; if stop-ds is run, that causes the container to exit. That seems to have a permanent effect on the container so that it does not start up again afterwards.
November 21, 2018 at 12:15 pm #23929
If you have been running the setup to do dynamic schema updates, then you could go into the AM UI, go to datastores and configure the Directory Server as your user store. On this page there is a tickbox to load schema at the top of the page; make sure you tick this and then save the datastore.
Alternatively you could simply follow the manual updates, which involve loading the schema updates through ldapmodify and won’t require a restart. However, note that depending on the version of DJ you are running you may need to take it offline to verify the indexes. You should probably look into why your container is not operating as expected; perhaps look at persistent volumes?
November 21, 2018 at 12:42 pm #23930
Thanks, Rob. Just to be clear, in order to load the schema when the data store is saved, I have to use the cn=Directory Manager account and not the cn=OpenAM Administrator account. And even after I load the schema, I am not able to connect to the external data store with the cn=OpenAM Administrator account. For some weird reason, I keep getting an invalid credentials error message. Does that mean that the OpenAM Administrator user does not exist in OpenDJ?
Also, what do you mean by this: “you should probably look into why your container is not operating as expected”? Is it expected that you can shut down opendj and still have the container running?
Thanks again.
November 21, 2018 at 1:01 pm #23931
You could do an ldapsearch on the DJ instance to try to find the user, or use an LDAP explorer such as ApacheDirectoryStudio. Did you create it using the example ldif in the guide? If so, and you want to use an ldapsearch, then something like:
./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "(uid=openam)"
If you look in the opendj access logs (path/to/dj/logs/access) it should tell you why it cannot connect. You will need the full DN of the account, so if it’s by the installation guide it should be "uid=openam,ou=admins,dc=example,dc=com".
Yes, the docker image would go down; however, you should be able to configure it so you can restart the same instance again so no changes are lost. It’s not something I’ve played around with much, but I believe you can configure persistent volumes to do this.
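A pre-flight check for the situation in this thread, added here as an example and not code from the thread, OpenDJ or OpenAM: it parses the attributeTypes from a cn=schema dump (what an ldapsearch against cn=schema returns, with LDIF line folding handled) and reports which --index-name values dsconfig would reject with error 53 because the attribute is not defined yet, so you can tell a missing schema load apart from a bad command before running it. The schema lines, OIDs and command list are constructed samples, not the real AM schema.

```python
import re
# Constructed, abbreviated stand-in for "ldapsearch -b cn=schema attributeTypes" output
# (placeholder OIDs, not the real OpenDJ/OpenAM schema); second definition is LDIF-folded.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.2.3.4.5.6.1 NAME 'inetUserStatus' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'constructed' )
"""
# Definition the same search returns once the AM schema is loaded (placeholder OID).
SCHEMA_ADDED_BY_AM_LOAD = ("attributeTypes: ( 1.2.3.4.5.6.2 NAME 'iplanet-am-user-federation-info-key'"
                           " EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n")
# Planned index commands (constructed, same shape as the one in the thread).
SAMPLE_DSCONFIG_CMDS = [
    "./dsconfig create-local-db-index --port 4444 --backend-name userRoot --index-name cn --set index-type:equality --no-prompt",
    "./dsconfig create-local-db-index --port 4444 --backend-name userRoot --index-name iplanet-am-user-federation-info-key --set index-type:equality --no-prompt",
]
# RFC 4512 NAME clause: NAME 'x' or NAME ( 'x' 'y' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
# Accept "--" and the en-dash that copy-pasting from a web page often turns it into.
_INDEX_RE = re.compile(r"(?:--|\u2013)index-name\s+(\S+)")

def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) back onto their logical line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def schema_attribute_names(schema_ldif: str) -> set[str]:
    """Lower-cased names of every attributeType defined in the schema dump."""
    names: set[str] = set()
    for line in unfold_ldif(schema_ldif):
        match = _NAME_RE.search(line) if line.lower().startswith("attributetypes:") else None
        if match is None:
            continue
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names

def missing_index_attributes(schema_ldif: str, dsconfig_cmds: list[str]) -> list[str]:
    """Attributes named by --index-name that the schema does not define; dsconfig would
    reject each of these with LDAP error 53 ('not a valid value ... syntax: OID')."""
    known = schema_attribute_names(schema_ldif)
    planned = [name for cmd in dsconfig_cmds for name in _INDEX_RE.findall(cmd)]
    return [name for name in planned if name.lower() not in known]
```

Run it against a real dump by piping the ldapsearch output into missing_index_attributes; an empty list means every planned index names an attribute the server already knows.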