Wednesday, July 27, 2011

Permission to perform the edit operation denied


In one of the OpenSSO projects I'm currently in, we have customized attributes defined in Sun DSEE 7. These attributes extend from inetorgperson.

In the Post Authentication Processing module, we want to update one of the attributes if a certain condition is met.

So I have the following code segment:

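import com.sun.identity.idm.AMIdentity;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

AMIdentity amIdentity = new AMIdentity(ssoToken); // identity of the user who owns the SSO token
// ...
Map attrs = new HashMap();
Set values = new HashSet(1);
values.add(valueToSet);
attrs.put(SUNLDAPUser.ATTRIBUTE_MUSTCHGPWD, values); // attribute name -> set of values
amIdentity.setAttributes(attrs);
amIdentity.store(); // persist the change to the data store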

Looks good! But when we ran it, we encountered the following error:
"Permission to perform the edit operation denied ..."



Strange! Why?

After much investigation, I then realized we need to loosen the policy in the embedded OpenDS store.

There is an xmlpolicy attribute in ou=SelfWriteAttributes,ou=Policies,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,o=sunamhiddenrealmdelegationservicepermissions,ou=services,....


So, the trick is to add the attribute that we want to modify to the UserSelfCheckCondition in that policy.


Restart OpenSSO. Test. Done.



Monday, July 4, 2011

Incompatible Sun Message Queue Version

I have been trying to scale an old Sun Access Manager deployment from 2 nodes to 4 nodes.



In trying to get better performance, I made some minor upgrades to each of the dependent components. I knew that Sun Message Queue 4.x has better performance than the old 3.6 version.

So, I made a weird decision to deploy a hybrid of Sun Message Queues - 3.6 mixed with 4.4.

No good. You'll see this error in the MQ log during startup of AM SFO:

[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.15:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single


[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.16:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single
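When brokers of different versions share a cluster, it helps to pull every B3098 entry out of the broker log and see which peers were rejected over which property. The parser below is an added example, not code from the original post; the sample text is constructed in the format of the log lines quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the broker log lines quoted above.
SAMPLE_LOG = """\
[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.15:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single

[29/Jun/2011:14:21:37 SGT] constructed unrelated line
[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.16:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single
"""

# Header of a B3098 entry: timestamp plus host:port of the rejected peer broker.
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+ERROR\s+\[B3098\]:.*?\[\s*mq://(?P<host>[^:/\s]+):(?P<port>\d+)"
)
# Continuation line naming one mismatched property; the value is kept as logged.
PROP = re.compile(r"^(?P<name>imq\.[\w.]+)=(?P<value>.*)$")


def parse_mismatches(text):
    """Return one dict per B3098 entry: time, peer and mismatched properties."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"time": header["ts"],
                       "peer": f'{header["host"]}:{header["port"]}',
                       "properties": {}}
            events.append(current)
            continue
        prop = PROP.match(line) if current else None
        if prop:
            current["properties"][prop["name"]] = prop["value"]
        elif line:
            current = None  # any other non-blank line ends the property list
    return events


def peers_by_property(events):
    """Group rejected peers under each mismatched property name."""
    grouped = defaultdict(set)
    for event in events:
        for name in event["properties"]:
            grouped[name].add(event["peer"])
    return {name: sorted(peers) for name, peers in grouped.items()}
```
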


Update on 27th Jul 2011:


I realized hybrid deployment of Sun MQ works! In fact, the new deployment with different versions of MQ has been running LIVE for a few weeks without any problem. (Will continue to monitor though ...)
