Bug 794428 (JBEPP-1469)

Summary: Deleting a group causes IdentityException with openldap
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Toshiya Kobayashi <tkobayas>
Component: Portal
Assignee: Nobody <nobody>
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: 5.2.0.GA
CC: hamdi.ali.1982, theute
Keywords: Reopened
Target Release: 5.2.1.ER02
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-1469
Doc Type: Bug Fix
Doc Text:
If a nested IDM OpenLDAP child group was deleted from its parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.
Last Closed: 2025-02-10 03:15:22 UTC
Type: Bug
Attachments:
- add_group_01.png (flags: none)
- add_group_02.png (flags: none)

Description Toshiya Kobayashi 2012-01-04 09:29:23 UTC
Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000008zK0l&sfdc.override=1
project_key: JBEPP

Deleting a group causes IdentityException with openldap.

- Set up openldap for idm (http://community.jboss.org/wiki/GateInWithLDAPAsADefaultUserAndGroupStore)
- Login as root
- Go to 'Group Management'
- Add a new group "AAAA" under "Platform"
- Add a new group "BBBB" under "AAAA"
- Delete "BBBB"

{noformat}
18:04:16,922 INFO  [GroupDAOImpl] Identity operation error: 
org.picketlink.idm.common.exception.IdentityException: Identity object search failed.
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:886)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:1240)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:1125)
	at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.findIdentityObject(FallbackIdentityStoreRepository.java:967)
	at org.picketlink.idm.impl.api.session.managers.RelationshipManagerImpl.findAssociatedGroups(RelationshipManagerImpl.java:946)
	at org.picketlink.idm.impl.api.session.managers.RelationshipManagerImpl.findAssociatedGroups(RelationshipManagerImpl.java:1006)
	at org.exoplatform.services.organization.idm.GroupDAOImpl.findGroups(GroupDAOImpl.java:489)
	at org.exoplatform.organization.webui.component.UIGroupExplorer.changeGroup(UIGroupExplorer.java:123)
	at org.exoplatform.organization.webui.component.UIGroupManagement$DeleteGroupActionListener.execute(UIGroupManagement.java:160)
	at org.exoplatform.webui.event.Event.broadcast(Event.java:89)
	at org.exoplatform.webui.core.lifecycle.Lifecycle.processAction(Lifecycle.java:56)
	at org.exoplatform.webui.core.UIComponent.processAction(UIComponent.java:133)
...
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=BBBB,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
	at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:133)
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:128)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:854)
	... 142 more
18:04:17,007 ERROR [portal:UIPortalApplication] Error during the processAction phase
org.picketlink.idm.common.exception.IdentityException: Identity object search failed.
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:886)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.resolveRelationships(LDAPIdentityStoreImpl.java:1649)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.getRelationshipsCount(LDAPIdentityStoreImpl.java:1570)
	at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.getRelationshipsCount(FallbackIdentityStoreRepository.java:1254)
	at org.picketlink.idm.impl.api.session.managers.RoleManagerImpl.getRolesCount(RoleManagerImpl.java:883)
	at org.exoplatform.services.organization.idm.IDMMembershipListAccess.getSize(IDMMembershipListAccess.java:173)
	at org.exoplatform.organization.webui.component.UIUserInGroup.setValues(UIUserInGroup.java:138)
	at org.exoplatform.organization.webui.component.UIGroupInfo.setGroup(UIGroupInfo.java:46)
	at org.exoplatform.organization.webui.component.UIGroupExplorer.changeGroup(UIGroupExplorer.java:141)
	at org.exoplatform.organization.webui.component.UIGroupManagement$DeleteGroupActionListener.execute(UIGroupManagement.java:160)
	at org.exoplatform.webui.event.Event.broadcast(Event.java:89)
	at org.exoplatform.webui.core.lifecycle.Lifecycle.processAction(Lifecycle.java:56)
	at org.exoplatform.webui.core.UIComponent.processAction(UIComponent.java:133)
...
{noformat}

The group explorer keeps throwing this exception until you remove the parent group ('AAAA').

IDM seems to remove only a group but not a relationship??
I observe that the relationship remains in AAAA even though BBBB itself was removed.

{noformat}
dn: cn=AAAA,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: AAAA
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=BBBB,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
{noformat}
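An audit for the stale `member` value shown in the report, as an added example that is not part of the original report or of the PicketLink IDM code: it parses an LDIF export and lists every `member` DN that has no corresponding entry. The sample LDIF is constructed from the entry above plus a hypothetical sibling group "CCCC", and treating the `ou=placeholder` DN as a value to ignore is an assumption.

```python
import re

# Constructed sample: "AAAA" as in the report after "BBBB" was deleted,
# plus a hypothetical healthy child group "CCCC" for contrast.
SAMPLE_LDIF = """\
dn: cn=AAAA,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: AAAA
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=BBBB,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=CCCC,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com

dn: cn=CCCC,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: groupOfNames
cn: CCCC
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
"""

# Assumption: the placeholder member is intentional and should not be reported.
PLACEHOLDER = "ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com"

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into [(dn, {attr: [values]})]."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                attrs.setdefault(key.lower(), []).append(value)
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def find_dangling_members(ldif_text, ignore=()):
    """Return (group_dn, member_dn) pairs whose member DN has no entry."""
    entries = parse_ldif(ldif_text)
    known = {norm_dn(dn) for dn, _ in entries} | {norm_dn(d) for d in ignore}
    return [(dn, m) for dn, attrs in entries
            for m in attrs.get("member", []) if norm_dn(m) not in known]

if __name__ == "__main__":
    for group, member in find_dangling_members(SAMPLE_LDIF, [PLACEHOLDER]):
        print(f"stale member in {group}: {member}")
```

Membership in `groupOfNames` is by DN, so a stale value left in the parent would also match any entry later created at the same DN; removing it is preferable to ignoring it.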

Comment 1 Toshiya Kobayashi 2012-01-04 09:30:24 UTC
Attachment: Added: add_group_01.png
Attachment: Added: add_group_02.png


Comment 2 Toshiya Kobayashi 2012-01-04 09:34:55 UTC
Link: Added: This issue incorporates GTNPORTAL-2320


Comment 3 hfnukal@redhat.com 2012-01-12 08:19:19 UTC
Labels: Added: EPP_5_2_1_Candidate


Comment 4 Thomas Heute 2012-01-13 15:25:47 UTC
Labels: Removed: EPP_5_2_1_Candidate 


Comment 5 Boleslaw Dawidowicz 2012-02-29 20:24:40 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
CAUSE: In some cases a group was deleted without first removing its association to the parent group. This was causing an IdentityException and a persisting error in the UI.

FIX: Code was adjusted to better check whether any group associations were removed before performing the delete operation.

Comment 7 Jared MORGAN 2012-03-23 03:48:17 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1 @@
-CAUSE: In some cases group was delated without removing association to the parent group before. This was causing IdentityException and persisting error in the UI.
+If a nested IDM OpenLDAP child group was deleted from it's parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.-
-FIX: Code was adjusted to do better check if any group associations were removed before performing delate operation
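Review bot: The `+` line drops the symptom stated in the removed CAUSE line, that the error persists in the UI, which is what an administrator reading the release note would recognise; consider keeping it, for example "an IdentityException occurred and kept recurring in the UI because ...". On the same `+` line, "from it's parent" should use the possessive "its".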

Comment 8 Jared MORGAN 2012-04-11 03:32:50 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-If a nested IDM OpenLDAP child group was deleted from it's parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.+If a nested IDM OpenLDAP child group was deleted from its parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.

Comment 9 Ali Hamdi 2012-11-13 17:10:51 UTC
Can anyone tell me where I could find the fix for this issue?

Comment 14 Red Hat Bugzilla 2025-02-10 03:15:22 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.