Monday, April 27, 2015

OpenDJ Replication Architecture

The way OpenDJ replicates data from one node to another is slightly different from Sun/Oracle Directory Server. OpenDJ utilizes Replication Servers for data replication as shown below:




I was reading OpenDJ Mailing List the other day and came across a great response from Chris Ridd:

The key difference in OpenDJ is that replication is not configured between pairs of servers like it often is in other products.

Instead, OpenDJ logically consists of a number of replication servers that are “fully meshed”, i.e. every replication server is connected to every other replication server. The replication servers hold the changelogs, but no LDAP data. OpenDJ also has directory servers that hold LDAP data that connect to replication servers in order to send and receive changes.

(You can configure an OpenDJ server to be a pure directory server (a DS) or a pure replication server (an RS) or both at the same time (DS+RS). The setup tool will create all of these combinations for you.)

When you use “dsreplication enable”, you are effectively adding a new node (--host1) to the existing fully meshed topology (--host2 can be any host in the topology). As Jean-Noël mentioned, the replication servers exchange views of the topology, so when you add a new replication server to the topology, it automatically becomes connected to every other replication server in the topology.
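To make the topology in that reply concrete, here is a small Python model I added for this post; it is not OpenDJ code, and the class and method names (ReplicationServer, DirectoryServer, Topology, add_rs, add_ds, modify) are invented for illustration rather than any OpenDJ API. It models the three points above: replication servers are fully meshed and hold only changelogs, directory servers hold the LDAP data and attach to one RS, and enabling a new RS against any existing member (the --host2 role) leaves it peered with every RS in the mesh. A DS+RS combination is not modelled.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass
class ReplicationServer:
    name: str
    peers: set = field(default_factory=set)        # names of every other RS (the mesh)
    changelog: list = field(default_factory=list)  # (csn, dn, attrs); no LDAP entries here
    clients: list = field(default_factory=list)    # DirectoryServers attached to this RS


@dataclass
class DirectoryServer:
    name: str
    rs: Optional[ReplicationServer] = None
    data: dict = field(default_factory=dict)       # dn -> attributes (the LDAP data)
    applied: set = field(default_factory=set)      # CSNs already replayed, to avoid loops


class Topology:
    """Invented model of an OpenDJ replication topology (not OpenDJ's own code)."""

    def __init__(self):
        self.rs = {}
        self.ds = {}
        self._csn = count(1)   # stand-in for OpenDJ change sequence numbers

    def add_rs(self, name, via=None):
        """Join a new RS to the mesh. `via` plays the --host2 role: any
        existing member. Members exchange their topology view, so the
        newcomer ends up peered with every RS, not just with `via`."""
        new = ReplicationServer(name)
        if via is not None:
            for other in {via} | self.rs[via].peers:
                self.rs[other].peers.add(name)
                new.peers.add(other)
        self.rs[name] = new
        return new

    def add_ds(self, name, rs_name):
        """Attach a DS (holds LDAP data) to one RS to send and receive changes."""
        ds = DirectoryServer(name, rs=self.rs[rs_name])
        self.rs[rs_name].clients.append(ds)
        self.ds[name] = ds
        return ds

    def modify(self, ds_name, dn, attrs):
        """A write on one DS: apply locally, then hand the change to its RS."""
        ds = self.ds[ds_name]
        csn = next(self._csn)
        ds.data.setdefault(dn, {}).update(attrs)
        ds.applied.add(csn)
        self._publish(ds.rs, csn, dn, attrs)
        return csn

    def _publish(self, rs, csn, dn, attrs):
        # Full mesh: one hop from the receiving RS reaches every other RS;
        # each RS appends to its changelog and replays to its attached DSs.
        for rs_name in {rs.name} | rs.peers:
            r = self.rs[rs_name]
            r.changelog.append((csn, dn, attrs))
            for ds in r.clients:
                if csn not in ds.applied:
                    ds.data.setdefault(dn, {}).update(attrs)
                    ds.applied.add(csn)

    def is_full_mesh(self):
        names = set(self.rs)
        return all(self.rs[n].peers == names - {n} for n in names)


def demo():
    """Three RSs enabled one after another, two DSs, one write on ds1."""
    t = Topology()
    t.add_rs("rs1")
    t.add_rs("rs2", via="rs1")
    t.add_rs("rs3", via="rs2")      # enabled against rs2, yet also peered with rs1
    t.add_ds("ds1", "rs1")
    t.add_ds("ds2", "rs3")
    t.modify("ds1", "uid=alice,ou=people,dc=example,dc=com", {"mail": "alice@example.com"})
    return t


if __name__ == "__main__":
    t = demo()
    print("full mesh:", t.is_full_mesh())
    print("rs3 peers:", sorted(t.rs["rs3"].peers))
    print("ds2 data:", t.ds["ds2"].data)
```

Running demo() shows rs3 peered with both rs1 and rs2 even though it was only enabled against rs2, every RS holding the same changelog entry, and the entry written on ds1 appearing on ds2, which is attached to a different RS.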


Good read!

Tuesday, April 21, 2015

OAuth2 Provider - ERROR: The authorization server can not authorize the resource owner

I helped configure a basic OAuth2 Provider for a customer in their SSO infrastructure. In fact, I configured it in 2 environments for the same customer. The first was configured months ago and worked like a charm. The second one was recently configured and we encountered errors during integration testing with an OAuth2 Client.




During the integration testing, we were very sure the users keyed in the user name and password correctly. But right after successful user authentication, we always got the error - "ERROR: The authorization server can not authorize the resource owner".


Why? Pretty hard to guess. So I switched the OpenAM debug log level from ERROR to MESSAGE.


Wow! The logs were many and each was huge and hard to debug. So I changed strategy. Besides setting the debug level to MESSAGE, I also ensured that the Merge Debug Files was switched to On.





Much better this time as the log was sequential and was telling a good story of what exactly happened that led to the error.


In the OpenAM debug log, the following was shown right above the error message:
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] search result: privilege=OAuth2ProviderPolicy
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Privilege.doesSubjectMatch: false
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Advices: {}


The PolicyEval happened right before the error message - "ERROR: The authorization server can not authorize the resource owner" was thrown.



Somehow, the Subjects entry "OAuth2ProviderSubject" in the OAuth2ProviderPolicy policy was missing. After adding it back, the error was gone.
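Because the MESSAGE-level log is so large, it helps to pull just the PolicyEval trail out of it and check for exactly this pattern: a privilege is found, Privilege.doesSubjectMatch reports false, and Advices is empty. The Python below is an added example, not OpenAM code; the record format it parses (component, timestamp, thread header followed by the message on the next line) and the function names parse_debug_log and diagnose_policy_eval are assumptions based only on the lines quoted above. The sample input is those same lines, including the fourth message that was run together with the next record's header, which the parser splits apart.

```python
import re
from dataclasses import dataclass

# Log lines quoted in the post above. The fourth message is fused with the
# next record's header exactly as it appeared in the merged debug file.
SAMPLE_LOG = """\
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] search result: privilege=OAuth2ProviderPolicy
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Privilege.doesSubjectMatch: falseEntitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Advices: {}
"""

# Record header as seen in the post: <component>:<timestamp>: Thread[...]
# (assumed layout; only the lines above were used to derive it)
HEADER = re.compile(
    r"^(?P<component>[A-Za-z0-9]+):"
    r"(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M [A-Z]{2,5}): "
    r"(?P<thread>Thread\[[^\]]*\])\s*$"
)
# A header glued onto the previous message ("falseEntitlement:04/21/...").
# Assumption: the glued message ends in a lowercase letter and the component
# name starts with an uppercase one, which holds for the lines in the post.
FUSED = re.compile(r"(?<=[a-z])(?=[A-Z][A-Za-z0-9]*:\d{2}/\d{2}/\d{4} )")


@dataclass
class Record:
    component: str
    timestamp: str
    thread: str
    message: str


def parse_debug_log(text):
    """Split debug output into records; continuation lines join the message."""
    records = []
    for line in FUSED.sub("\n", text).splitlines():
        m = HEADER.match(line)
        if m:
            records.append(Record(m["component"], m["timestamp"], m["thread"], ""))
        elif records:
            records[-1].message = (records[-1].message + "\n" + line).strip()
        # anything before the first header is ignored
    return records


def diagnose_policy_eval(records):
    """Summarise the last [PolicyEval] sequence: privilege found, subject
    match result, advices returned, and a finding when they show the
    'policy found but subject did not match' signature."""
    result = {"privilege": None, "subject_match": None, "advices": None}
    for r in records:
        if not r.message.startswith("[PolicyEval]"):
            continue
        m = re.search(r"search result: privilege=(\S+)", r.message)
        if m:
            result["privilege"] = m.group(1)
        m = re.search(r"doesSubjectMatch: (true|false)", r.message)
        if m:
            result["subject_match"] = m.group(1) == "true"
        m = re.search(r"Advices: (\{.*\})", r.message)
        if m:
            result["advices"] = m.group(1)
    if (result["privilege"] and result["subject_match"] is False
            and result["advices"] == "{}"):
        result["finding"] = (
            "policy %s was found but its subject condition did not match the "
            "resource owner and no advice was returned; check the policy's "
            "Subjects" % result["privilege"])
    else:
        result["finding"] = None
    return result


if __name__ == "__main__":
    recs = parse_debug_log(SAMPLE_LOG)
    for r in recs:
        print(r.timestamp, r.thread, r.message)
    print(diagnose_policy_eval(recs))
```

On the quoted lines this reports OAuth2ProviderPolicy with subject_match False and advices {}, which is the state that preceded the error; on a log where doesSubjectMatch is true the finding is empty. On a real merged debug file you would first filter records by thread, since several requests interleave.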

