Tuesday, May 1, 2012

OpenAM Policy Agent 3.0.5 - weird naming service validation error

I was trying to resolve an issue with OpenAM Policy Agent for one of our customers. There seems to be a bug in PA 3.0.4 such that it could not set a cookie on server request.

Apparently, PA 3.0.5 seems to resolve this bug, so I went ahead and downloaded and installed PA 3.0.5.

Every time I tried starting Apache, it would crash, logging the following error:

[Tue May 01 14:01:42 2012] [crit] Failed to initialize policy web agent
Configuration Failed

The amAgent debug log showed:

2012-05-01 14:01:42.168   Error 13395:152d1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation failed with error [-1]

On the OpenAM server side, there was an error in the Authentication debug log:

amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
Exception : 
com.sun.identity.authentication.spi.AuthLoginException(2):Unknown LDAP exception.
com.sun.identity.authentication.modules.ldap.LDAPUtilException(3):User not found.
com.sun.identity.authentication.modules.ldap.LDAPUtilException: User not found.
at com.sun.identity.authentication.modules.ldap.LDAP.processLoginScreen(LDAP.java:823)
at com.sun.identity.authentication.modules.ldap.LDAP.process(LDAP.java:554)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:998)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1168)
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)

Very strange... With the same OpenAM setup, there was no problem starting PA 3.0.4.

After much investigation, I realized it was the Authentication Module Instance that was causing the issue. In our default "ldapService" authentication chaining, we had changed to LDAP instead of the default DataStore.

When I switched back to DataStore, PA 3.0.5 started working!

2012-05-01 14:16:44.571      -1 13913:232b1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation succeeded

There must have been some code change in how the PA authenticates with OpenAM in version 3.0.5.

Updated on 23rd June 2012

There was indeed a bug with PA 3.0.5 back then. I have since raised a ticket and the issue was resolved. The nightly build should have resolved this issue.
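The diagnosis above came from lining up the agent's naming-service validation failure with the server-side authentication exception logged at the same moment. As an added example (not part of the original post or of OpenAM), the Python sketch below pairs the two by timestamp. It assumes both logs use the same time zone, that the server date is month/day/year, and a 2-second matching window; the function names are hypothetical.

```python
import re
from datetime import datetime

# Log lines copied from the post (stack trace omitted).
AGENT_LOG = """\
2012-05-01 14:01:42.168   Error 13395:152d1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation failed with error [-1]
2012-05-01 14:16:44.571      -1 13913:232b1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation succeeded
"""
SERVER_LOG = """\
amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(2):Unknown LDAP exception.
com.sun.identity.authentication.modules.ldap.LDAPUtilException(3):User not found.
"""

AGENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s.*URL \[([^\]]+)\] validation failed")
# Assumption: month/day/year with a 12-hour clock; the zone name is matched but ignored.
SERVER_RE = re.compile(r"^amAuth:(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3} [AP]M) \w+:")

def agent_failures(text):
    """Yield (timestamp, url) for each failed naming-service validation."""
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)

def server_auth_errors(text):
    """Yield (timestamp, reason) for each exception line under an amAuth header."""
    stamp = None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S:%f %p")
        elif stamp and "Exception" in line and "):" in line:
            # "ClassName(code):message" -> keep only the message
            yield stamp, line.split("):", 1)[1].strip()

def correlate(agent_text, server_text, window_s=2.0):
    """Pair each agent failure with server auth errors logged within window_s seconds."""
    errors = list(server_auth_errors(server_text))
    return [(url, reason)
            for ts, url in agent_failures(agent_text)
            for ets, reason in errors
            if abs((ts - ets).total_seconds()) <= window_s]

if __name__ == "__main__":
    for url, reason in correlate(AGENT_LOG, SERVER_LOG):
        print(f"{url}: agent validation failed; server reported: {reason}")
```

A "User not found" match against the naming-service failure points at the authentication chain used for the agent's own login rather than at the network or the URL.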

