Thursday, May 31, 2012


I was playing with OpenAM 10.0.0 and was trying to connect my OpenAM to our Active Directory using the Active Directory Authentication Module.

But, I kept getting "An internal authentication error has occurred" message.

So I went ahead to check amAuthentication.error ...

"2012-05-31 22:11:30" "Login Failed|module_instance|AZ-AD" cheechong "Not Available" INFO "cn=dsameuser,ou=DSAME Users," AUTHENTICATION-268 AZ-AD "Not Available"

What's that? A Google search led me to Oracle's website. It's a "Module based authentication failed" error. I had misconfigured the hostname of my AD! :)

These error message codes are precious. I have converted the HTML page to a PDF here for safe-keeping. Just in case, no harm. :)
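The amAuthentication.error line above is whitespace-separated with double-quoted fields (some of which contain spaces and commas), and the second field packs the event, the authentication type and the instance name behind "|" separators. The parser below is an added example, not code from the post or from OpenAM: it splits such lines on whitespace while honouring the quotes, pulls out the user, module instance and message ID, and counts failed logins per user and module so a repeated "Module based authentication failed" against one instance (the misconfigured AD hostname case in the post) stands out. The column names are an assumption read off the single line shown, the extra log lines are constructed, and only the one message ID the post explains is mapped to a meaning.

```python
"""Parse OpenAM amAuthentication.error lines and summarise failures per user/module."""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Column names are an assumption inferred from the one line shown in the post,
# not taken from OpenAM documentation.
FIELDS = ("time", "data", "login_id", "context_id", "level",
          "logged_by", "message_id", "module_name", "host")

# Only the message ID the post explains is mapped; anything else is reported as unknown.
KNOWN_MESSAGE_IDS = {"AUTHENTICATION-268": "Module based authentication failed"}


@dataclass
class AuthErrorEvent:
    time: str
    event: str          # e.g. "Login Failed"
    auth_type: str      # e.g. "module_instance"
    auth_name: str      # e.g. "AZ-AD"
    login_id: str
    level: str
    message_id: str
    module_name: str

    @property
    def meaning(self) -> str:
        return KNOWN_MESSAGE_IDS.get(self.message_id, "unknown message id")


def parse_line(line: str) -> Optional[AuthErrorEvent]:
    """Split one log line on whitespace while honouring double quotes.

    Returns None for lines that do not have the expected shape (truncated,
    unbalanced quotes, or a data field without the three '|' parts); skipping
    is safer than guessing which column a stray token belongs to.
    """
    try:
        tokens = shlex.split(line.strip())   # keeps "Not Available" and "cn=...,ou=DSAME Users," whole
    except ValueError:                        # unbalanced quote
        return None
    if len(tokens) != len(FIELDS):
        return None
    row = dict(zip(FIELDS, tokens))
    parts = row["data"].split("|")
    if len(parts) != 3:
        return None
    event, auth_type, auth_name = parts
    return AuthErrorEvent(row["time"], event, auth_type, auth_name,
                          row["login_id"], row["level"], row["message_id"], row["module_name"])


def failures_by_user_and_module(lines: Iterable[str]) -> Counter:
    """Count 'Login Failed' events keyed by (user, module instance, message ID)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.event == "Login Failed":
            counts[(ev.login_id, ev.auth_name, ev.message_id)] += 1
    return counts


# First line is the one from the post; the rest are constructed for the example.
SAMPLE_LINES = [
    '"2012-05-31 22:11:30" "Login Failed|module_instance|AZ-AD" cheechong "Not Available" INFO '
    '"cn=dsameuser,ou=DSAME Users," AUTHENTICATION-268 AZ-AD "Not Available"',
    '"2012-05-31 22:12:05" "Login Failed|module_instance|AZ-AD" cheechong "Not Available" INFO '
    '"cn=dsameuser,ou=DSAME Users," AUTHENTICATION-268 AZ-AD "Not Available"',
    '"2012-05-31 22:13:40" "Login Failed|module_instance|AZ-AD" alice "Not Available" INFO '
    '"cn=dsameuser,ou=DSAME Users," AUTHENTICATION-268 AZ-AD "Not Available"',
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for (user, instance, msg_id), n in failures_by_user_and_module(SAMPLE_LINES).items():
        meaning = KNOWN_MESSAGE_IDS.get(msg_id, "unknown message id")
        print(f"{user:<10} {instance:<8} {msg_id} ({meaning}): {n} failure(s)")
```

Run it against a real amAuthentication.error file by reading the lines into `failures_by_user_and_module`; the per-(user, instance) counts are what you would watch for a burst of failures against a single module instance after a configuration change.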


OpenAM 10.0.0 new look and feel

OpenAM 10 now has a new look and feel.

It's cool!

Monday, May 21, 2012

Role of a Software Architecture

I came across the following diagram while working on a tender. Pretty illustrative of what is expected from a Software Architecture.


Tuesday, May 1, 2012

OpenAM Policy Agent 3.0.5 - weird naming service validation error

I was trying to resolve an issue with OpenAM Policy Agent for one of our customers. There seems to be a bug with PA 3.0.4 such that it could not set a cookie on the server request.

Apparently, PA 3.0.5 seems to resolve this bug. So I went ahead to download and install PA 3.0.5.

Every time I tried starting Apache, it would crash, logging the following error:

[Tue May 01 14:01:42 2012] [crit] Failed to initialize policy web agent
Configuration Failed

The amAgent debug log showed:

2012-05-01 14:01:42.168   Error 13395:152d1a0 all: URL [] validation failed with error [-1]

On the OpenAM server side, there was an error in the Authentication debug log:

amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
Exception : 
com.sun.identity.authentication.spi.AuthLoginException(2):Unknown LDAP exception.
com.sun.identity.authentication.modules.ldap.LDAPUtilException(3):User not found.
com.sun.identity.authentication.modules.ldap.LDAPUtilException: User not found.
at com.sun.identity.authentication.modules.ldap.LDAP.processLoginScreen(
at com.sun.identity.authentication.modules.ldap.LDAP.process(
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(
at com.sun.identity.authentication.spi.AMLoginModule.login(
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)

Very strange... With the same OpenAM setup, there was no problem starting PA 3.0.4.

After much investigation, I realized it's the Authentication Module Instance that is causing the issue. In our default "ldapService" authentication chain, we had changed the module to LDAP instead of the default DataStore.

When I switched back to DataStore, the PA 3.0.5 started working!

2012-05-01 14:16:44.571      -1 13913:232b1a0 all: URL [] validation succeeded

There must be some code change to how the PA authenticates with OpenAM in version 3.0.5.

Updated on 23rd June 2012

There was indeed a bug with PA 3.0.5 back then. I have since raised a ticket and the issue was resolved. The nightly build should have resolved this issue.