Bug 793425 (JBEPP-509) - Creating user with username differing only in case-sensitive case popups unknown error
Keywords:
Status: VERIFIED
Alias: JBEPP-509
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: Portal
Version: 5.0.1.GA
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: 5.2.2.ER01
Assignee: mposolda
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-27 12:37 UTC by Viliam Rockai
Modified: 2015-09-01 03:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Picketlink IDM was performing case-sensitive comparison of user and group names with information stored in OpenDS. Because OpenDS does not record user and group names in a case-sensitive manner by default, cased user names such as "viLiam" were not distinguishable from the user name "viliam". This issue affected search retrieval, as well as user and group creation. The issue can be fixed by configuring Picketlink IDM to compare user and group names in a case-insensitive way. In picketlink-idm-config.xml, change the LDAPIdentityStore option "allowNotCaseSensitiveSearch" to true. Setting this option will prevent any Picketlink IDM exceptions relating to case insensitivity.
Clone Of:
Environment:
Last Closed:
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker GTNPORTAL-2476 0 Major Resolved Creating user with username differing only in case-sensitive case popups unknown error - OpenDS 2017-08-31 10:16:37 UTC
Red Hat Issue Tracker JBEPP-509 0 Major Closed Creating user with username differing only in case-sensitive case popups unknown error 2017-08-31 10:16:37 UTC

Description Viliam Rockai 2010-09-27 12:37:33 UTC
project_key: JBEPP

EPP is configured to use LDAP (OpenDS 2.2)

When I try to create two users with usernames:
1. viliam
2. viLiam

only the 1st one is created. After trying to save the 2nd one, I got an error with the message "Unknown error", while in server.log there is:
Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - The entry uid=viLiam,ou=People,o=portal,o=gatein,dc=example,dc=com cannot be added because an entry with that name already exists]; remaining name 'uid=viLiam'

I think that the error message should be more specific (the error is known).

Comment 1 Jared MORGAN 2011-11-18 01:18:14 UTC
Release Notes Docs Status: Added: Documented as Known Issue
Release Notes Text: Added: When the platform is configured to use LDAP, an "Unknown Error" occurs when a user attempts to create a user name that already exists with different case in the user name. The error message does not appropriately inform the user about the root cause of the issue. 


Comment 2 hfnukal@redhat.com 2012-01-11 11:32:57 UTC
Labels: Added: EPP_5_2_1_Candidate


Comment 4 boleslaw.dawidowicz 2012-02-16 09:18:32 UTC
Labels: Removed: EPP_5_2_1_Candidate 


Comment 5 mposolda 2012-06-20 11:56:49 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
CAUSE: When you are creating a new user/group, the UI layer checks whether a user/group with the same name already exists. If it exists, it shows a message in the UI and won't try to create such a user/group.

OpenDS is not case-sensitive by default, but Picketlink IDM does a case-sensitive comparison of user/group names. So when you search for user "viLiam" and you already have "viliam", Picketlink IDM will return that the user doesn't exist, as it compares with respect to case sensitivity by default. But when it tries to create user "viLiam", it fails because OpenDS is not case-sensitive and user "viliam" is already there.

FIX: It's possible to fix it by configuring Picketlink IDM to compare user/group names in a case-insensitive way. This can be done by switching the option "allowNotCaseSensitiveSearch" of LDAPIdentityStore in the picketlink-idm-config.xml file to true.

RESULT: So it's still case-sensitive by default. But customers have the possibility to use the option and switch it to true to avoid the exception. For now, it's documented here https://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ in Q6/A6.
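
The check-then-create mismatch described in comment 5, as an added example that is not part of the original comment and is not Picketlink IDM or OpenDS code. The class and function names are hypothetical, and the way the existence check compares names is an assumed model of the behaviour the comment describes:

```python
class NameAlreadyBound(Exception):
    """Stands in for LDAP result code 68 (entry already exists)."""


class CaseIgnoreDirectory:
    """Toy directory whose uid matches case-insensitively, as the
    comment says OpenDS does by default (simplified: casefold only)."""

    def __init__(self):
        self._entries = {}  # normalized uid -> uid as first stored

    def add(self, uid):
        key = uid.casefold()
        if key in self._entries:
            raise NameAlreadyBound(
                f"uid={uid} collides with uid={self._entries[key]}")
        self._entries[key] = uid

    def search(self, uid):
        """Server-side search: returns the stored spelling or None."""
        return self._entries.get(uid.casefold())


def user_exists(directory, name, allow_not_case_sensitive):
    """Assumed model of the identity layer's pre-create check."""
    found = directory.search(name)
    if found is None:
        return False
    if allow_not_case_sensitive:
        return True           # trust the directory's own matching rule
    return found == name      # case-sensitive comparison hides the match


def create_user(directory, name, allow_not_case_sensitive):
    """Check-then-create flow; returns the message a UI would show."""
    if user_exists(directory, name, allow_not_case_sensitive):
        return "user already exists"
    try:
        directory.add(name)
    except NameAlreadyBound:
        return "Unknown error"  # store rejected what the check allowed
    return "created"


def demo(allow_not_case_sensitive):
    """Create the two constructed sample names from the bug report."""
    d = CaseIgnoreDirectory()
    return [create_user(d, n, allow_not_case_sensitive)
            for n in ("viliam", "viLiam")]
```

With the comparison left case-sensitive, the second create falls through to the directory and surfaces as the generic error; with the case-insensitive comparison, the check reports the duplicate before any write is attempted.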

Comment 6 mposolda 2012-06-20 11:59:51 UTC
Note for testing: EPP 5.2.2 doesn't allow upper-case in the username of a new user. So if you want to test the issue, you also need to change the regex pattern to avoid restrictions and allow any character. It can be done by adding the option:

gatein.validators.username.regex=.*

into the file server/default/conf/gatein/configuration.properties

Comment 7 mposolda 2012-06-20 11:59:51 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -4,4 +4,4 @@
 
 FIX: It's possible to fix it by configure Picketlink IDM to compare user/group names in case-insensitive way. This can be done by switch option "allowNotCaseSensitiveSearch" of LDAPIdentityStore in picketlink-idm-config.xml file to true. 
 
-RESULT: So it's still case-sensitive by default. But customers have possibility to use the option and switch it to true to avoid exception. For now, it's documented here https://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ in Q6/A6.+RESULT: So IDM is still case-sensitive by default. But customers have possibility to use the option and switch it to true to avoid exception. For now, it's documented here https://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ in Q6/A6.

Comment 8 Jared MORGAN 2012-08-20 23:32:00 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,7 +1 @@
-CAUSE: When you are creating new user/group, UI layer is trying to look if user/group with same name already exists. If it exists, it shows  message in UI and it won't try to create such user/group.
+Picketlink IDM was performing case-sensitive comparison of user and group names with information stored in OpenDS. Because OpenDS does not record user and group names in a case-sensitive manner by default, cased user names such as "viLiam" were not distinguishable from the user name "viliam". This issue affected search retrieval, as well as user and group creation. The issue can be fixed by configuring Picketlink IDM to compare user and group names in a case-insensitive way. In picketlink-idm-config.xml, change the LDAPIdentityStore option "allowNotCaseSensitiveSearch" to true. Setting this option will prevent any Picketlink IDM exceptions relating to case insensitivity.-
-OpenDS is not case-sensitive by default, but Picketlink IDM is doing case-sensitive comparison of user/group names. So when you try to search user "viLiam" and you already have "viliam", Picketlink IDM will return that user doesn't exist as it compares with respect to case-sensitivity by default. But when it tries to create user "viLiam", then it is failing because OpenDS is not case-sensitive and user "viliam" is already here.
-
-FIX: It's possible to fix it by configure Picketlink IDM to compare user/group names in case-insensitive way. This can be done by switch option "allowNotCaseSensitiveSearch" of LDAPIdentityStore in picketlink-idm-config.xml file to true. 
-
-RESULT: So IDM is still case-sensitive by default. But customers have possibility to use the option and switch it to true to avoid exception. For now, it's documented here https://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ in Q6/A6.
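Review bot: The replacement paragraph on the + line drops what the removed RESULT line stated, namely that IDM is still case-sensitive by default and that the setting is documented in Q6/A6 of https://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ. Without the default, a reader cannot tell that "allowNotCaseSensitiveSearch" must be switched to true by the customer, so suggest keeping a sentence that says the comparison remains case-sensitive unless the option is set, along with the FAQ pointer. The closing claim that the option "will prevent any Picketlink IDM exceptions relating to case insensitivity" is also broader than the removed "to avoid exception" and would be safer narrowed to the exception this bug describes. The removed CAUSE line's point that the UI layer first looks up whether the user/group exists is gone as well, and it is what explains why the create was attempted at all.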

Comment 9 Viliam Rockai 2012-08-28 12:11:42 UTC
Verified again at 5.2.2 CR01

