RESTful API – identity Creation in Realm Issue

[notoanonimo]

Hello everyone,
we’re trying to create LDAP users using OpenAM RESTful API. We’ve got two different realms, referring to two different “ou”.

Even if we specify the realm where the user is intended to be created, the user is always created on TOP REALM (“/”).

Is there anything wrong in the API invocation?

REQUEST:
POST http://forgerock:8080/openam/json/users/?_action=create HTTP/1.1
iplanetDirectoryPro: …
CONTENT-TYPE: application/json

{
“username”: “testT9”,
“userpassword”: “testtest”,
“mail”: “[email protected]”,
“givenname” :”Francesco”,
“realm”:”NOT_TOP_REALM”
}

ANSWER:
HTTP/1.1 200 OK

{“username”:”testT9″,“realm”:”/”,”uid”:[“testT9″],”mail”:[“[email protected]”],”sn”:[“testT9″],”userPassword”:[“{SSHA}bUP9WfJXEFwV5Qgl9JmedYzfCPIQz8lr00tQeA==”],”cn”:[“testT9″],”inetUserStatus”:[“Active”],”dn”:[“uid=testT9,ou=people,dc=example,dc=com”],”objectClass”:[“devicePrintProfilesContainer”,”person”,”sunIdentityServerLibertyPPService”,”inetorgperson”,”sunFederationManagerDataStore”,”iPlanetPreferences”,”iplanet-am-auth-configuration-service”,”organizationalperson”,”sunFMSAML2NameIdentifier”,”inetuser”,”forgerock-am-dashboard-service”,”iplanet-am-managed-person”,”iplanet-am-user-service”,”sunAMAuthAccountLockout”,”top”],”universalid”:[“id=testT9,ou=user,dc=example,dc=com”]}

[Victor Ake]

Hi,
Were your realms configured to use DataStores that point to different ou in the LDAP server?

[notoanonimo]

Yes, they are. TOP REALM (/) is associated with G1_DataStore (ou=G1). NOT TOP REALM is associated with G2_DataStore (ou=G2).

We need to create users in ou=G2 (NOT TOP REALM), but the API keeps creating them in ou=G1 (TOP REALM).

• This reply was modified 7 years, 4 months ago by notoanonimo.

[Peter Major]

Quite misleadingly the realm attribute value provided in the POST/PUT payload for the /json/users endpoint isn’t used for anything, hence it will not be used to determine where the user will be created.
If you want to create an identity in the subrealm, then you should include the realm in the URI for the resource:

/json/NOT_TOP_REALM/users/?_action=create

[Dhawal]

Hi,
As I know, in you POST statement, you should be specifying the realm name as below:

POST http://forgerock:8080/openam/json/REALM NAME/users/?_action=create HTTP/1.1

I have already tested the above and it works as following
"Content-Type: application/json" --data '{ "username": "dsingh", "userpassword": "secret12", "mail": "[email protected]" }' http://servername:port/OpenAM/json/<REALM NAME>/users/?_action=create

• This reply was modified 7 years, 4 months ago by Dhawal.

[Victor Ake]

I was about to post my findings.
Peter I guess that should be considered an issue, minor but an issue. Unless it is documented.

[Peter Major]

@Victor, the realm shouldn’t be part of the identity response in the first place, that is the bug, hopefully that will be resolved when IdentityResource gets rewritten.

[notoanonimo]

I seems to work specifying the realm in the URL. I’ll keep on testing and let you know if there are any other issues.

Thanks a lot. :)

[tvsnath]

Hi
I tried with OpenAM 10.1.0 express edition:

“Content-Type: application/json” –data ‘{ “username”: “dsingh”, “userpassword”: “secret12”, “mail”: “[email protected]” }’ http://servername:port/OpenAM/json/<REALM NAME>/users/?_action=create

getting the 404 error like

Resource ‘/<REALM NAME>/users/’ not found

any suggestion ?

-thanks
Venkata

[tvsnath]

Hi
I tried with OpenAM 10.1.0 express edition:

“Content-Type: application/json” –data ‘{ “username”: “dsingh”, “userpassword”: “secret12”, “mail”: “[email protected]” }’ http://servername:port/OpenAM/json/<REALM NAME>/users/?_action=create

getting the 404 error like

Resource ‘/<REALM NAME>/users/’ not found

any suggestion ?

-thanks
Venkata

[Peter Major]

Don’t use 10.1.0-Xpress as it’s EOSL for a long while now. Time to upgrade to 13.0.0.

[Author]

Posts