October 4, 2016 at 8:33 am #13457
I am using OpenDJ as an external datastore and getting this error for authentication via social login. I have defined my DN as dc=example,dc=com, but I am getting the error that the suffix is not defined. Where shall I make the changes to solve this problem? Here is the error message:
amAuth:10/04/2016 11:29:49:913 AM IST: Thread[http-bio-8080-exec-13,5,main]: TransactionId[f42c314c-b1a0-43c0-ac35-c18c28ff9141-72]
ERROR: DefaultAccountMapper.getAccount: IRE
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo: Unable to find entry: The provided entry uid=facebook-11XXXXXXXXXXXX20,ou=people,dc=example,dc=com cannot be added because its suffix is not defined as one of the suffixes within the Directory Server
Manasvi
October 4, 2016 at 1:12 pm #13461
It “appears” that you have configured dynamic profile creation in OpenAM such that OpenAM will create an entry in OpenDJ after you have successfully logged in via social. That is fine, but OpenAM must be able to write to the path that you have configured for the profile configuration.
What is your actual DIT structure in OpenDJ? Do you have a container of ou=people directly beneath the suffix of dc=example,dc=com? Can you export the o=people container entry out and post it here?
What messages are contained in your OpenDJ access logs? If an attempt was made to write to OpenDJ (and failed), you will see error messages indicating why. Can you post those messages here?
October 4, 2016 at 4:27 pm #13468
Thanks for replying.
As of now my database in OpenDJ is empty with base-dn=”dc=example,dc=com” and it doesn’t have any child nodes. When I was working on OpenAM 10, I didn’t get that error. Also, I don’t have much idea about how this works, so can you please share any link where I can learn to add a container beneath this?
Here is the log of OpenDJ:
[04/Oct/2016:18:36:09 +0530] SEARCH REQ conn=4 op=2589 msgID=2590 base=”ou=people,dc=example,dc=com” scope=sub filter=”(&(|(uid=facebook-11XXXXXXXXXXXX20))(&(uid=*)(objectclass=inetorgperson)))” attrs=”uid”
[04/Oct/2016:18:36:09 +0530] SEARCH RES conn=4 op=2589 msgID=2590 result=32 message=”The entry ou=people,dc=hdfc,dc=com specified as the search base does not exist in the Directory Server” nentries=0 etime=0
[04/Oct/2016:18:36:09 +0530] ADD REQ conn=4 op=2590 msgID=2591 dn=”uid=facebook-11XXXXXXXXXXXX20,ou=people,dc=example,dc=com”
[04/Oct/2016:18:36:09 +0530] ADD RES conn=4 op=2590 msgID=2591 result=32 message=”The provided entry uid=facebook-11XXXXXXXXXXXX20,ou=people,dc=example,dc=com cannot be added because its suffix is not defined as one of the suffixes within the Directory Server” etime=0
Thanks
October 5, 2016 at 12:38 am #13470
Assuming that you have direct access to the server in which OpenDJ is installed, you can add OpenDJ entries using the ldapmodify command as follows:
/path/to/opendj/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password --defaultAdd --continueOnError --filename ./entries.ldif 1> stdout.fil 2> rejects.fil
Where the contents of the entries.ldif LDIF file would be:
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
Given the fact that you do not already have the ou=people container in place, I suspect that this is the issue you are facing. Create that container and then give it another shot. If it works, let us know. If not, then please post the new error messages in this window.
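As an added example (not code from this thread or from the OpenDJ or OpenAM projects), the Python script below pairs REQ and RES lines from an OpenDJ access log like the one posted above and lists the entries whose absence produced result=32 (noSuchObject). The log lines are constructed in the same format, with a placeholder uid and shortened messages; the function names are hypothetical.

```python
import re

# Constructed sample in the OpenDJ access-log format quoted in this thread.
SAMPLE_LOG = '''\
[04/Oct/2016:18:36:09 +0530] SEARCH REQ conn=4 op=2589 msgID=2590 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=demo-user)" attrs="uid"
[04/Oct/2016:18:36:09 +0530] SEARCH RES conn=4 op=2589 msgID=2590 result=32 message="search base does not exist" nentries=0 etime=0
[04/Oct/2016:18:36:09 +0530] ADD REQ conn=4 op=2590 msgID=2591 dn="uid=demo-user,ou=people,dc=example,dc=com"
[04/Oct/2016:18:36:09 +0530] ADD RES conn=4 op=2590 msgID=2591 result=32 message="suffix is not defined" etime=0
[04/Oct/2016:18:36:10 +0530] SEARCH REQ conn=4 op=2591 msgID=2592 base="dc=example,dc=com" scope=base filter="(objectClass=*)" attrs="1.1"
[04/Oct/2016:18:36:10 +0530] SEARCH RES conn=4 op=2591 msgID=2592 result=0 nentries=1 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+) (?P<kind>REQ|RES) (?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parent_dn(dn):
    """Return the DN one level up, splitting on the first unescaped comma."""
    parts = re.split(r'(?<!\\),', dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ''

def missing_entries(log_text):
    """Pair REQ/RES lines by (conn, op) and report ADD/SEARCH with result=32."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m['rest'])}
        key = (fields.get('conn'), fields.get('op'))
        if m['kind'] == 'REQ':
            pending[key] = (m['op'], fields)
        elif key in pending:
            op, req = pending.pop(key)
            if fields.get('result') == '32' and op in ('ADD', 'SEARCH'):
                # ADD: the parent (or one of its ancestors) is missing; SEARCH: the base is.
                needed = parent_dn(req.get('dn', '')) if op == 'ADD' else req.get('base', '')
                findings.append((op, needed))
    return findings

def containers_to_create(log_text):
    """Distinct DNs that must exist before the failed operations can succeed."""
    return list(dict.fromkeys(dn for _, dn in missing_entries(log_text)))

if __name__ == '__main__':
    for dn in containers_to_create(SAMPLE_LOG):
        print('missing entry:', dn)
```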
October 6, 2016 at 2:36 am #13487
October 6, 2016 at 11:11 am #13503
- This reply was modified 5 years, 10 months ago by Bill Nelson.
@Bill the issue still persists. The suffix was created successfully, but I am still getting the error that the suffix does not exist.
October 6, 2016 at 1:30 pm #13506
Please provide the corresponding OpenDJ and OpenAM log entries that capture this behavior.
October 6, 2016 at 3:10 pm #13511
@Bill now that thing is working fine. I re-installed OpenDJ (because I wrote a few commands to create an ou which might have caused some issues).
Thanks for your valuable time and your help.
October 6, 2016 at 9:27 pm #13533
Fantastic! Glad it is working for you.