Bug 794428 (JBEPP-1469) - Deleting a group causes IdentityException with openldap
Summary: Deleting a group causes IdentityException with openldap
Keywords:
Status: VERIFIED
Alias: JBEPP-1469
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: Portal
Version: 5.2.0.GA
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.2.1.ER02
Assignee: Boleslaw Dawidowicz
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-04 09:29 UTC by Toshiya Kobayashi
Modified: 2019-01-01 03:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
If a nested IDM OpenLDAP child group was deleted from its parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.
Clone Of:
Environment:
Last Closed: 2012-02-29 21:24:06 UTC
Type: Bug


Attachments
add_group_01.png (119.19 KB, image/png), 2012-01-04 09:30 UTC, Toshiya Kobayashi
add_group_02.png (115.33 KB, image/png), 2012-01-04 09:30 UTC, Toshiya Kobayashi


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBEPP-1469 | 0 | Major | Closed | Deleting a group causes IdentityException with openldap | 2015-07-01 01:45:44 UTC

Description Toshiya Kobayashi 2012-01-04 09:29:23 UTC
Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000008zK0l&sfdc.override=1
project_key: JBEPP

Deleting a group causes IdentityException with openldap.

- Set up openldap for idm (http://community.jboss.org/wiki/GateInWithLDAPAsADefaultUserAndGroupStore)
- Log in as root
- Go to 'Group Management'
- Add a new group "AAAA" under "Platform"
- Add a new group "BBBB" under "AAAA"
- Delete "BBBB"

{noformat}
18:04:16,922 INFO  [GroupDAOImpl] Identity operation error: 
org.picketlink.idm.common.exception.IdentityException: Identity object search failed.
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:886)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:1240)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:1125)
	at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.findIdentityObject(FallbackIdentityStoreRepository.java:967)
	at org.picketlink.idm.impl.api.session.managers.RelationshipManagerImpl.findAssociatedGroups(RelationshipManagerImpl.java:946)
	at org.picketlink.idm.impl.api.session.managers.RelationshipManagerImpl.findAssociatedGroups(RelationshipManagerImpl.java:1006)
	at org.exoplatform.services.organization.idm.GroupDAOImpl.findGroups(GroupDAOImpl.java:489)
	at org.exoplatform.organization.webui.component.UIGroupExplorer.changeGroup(UIGroupExplorer.java:123)
	at org.exoplatform.organization.webui.component.UIGroupManagement$DeleteGroupActionListener.execute(UIGroupManagement.java:160)
	at org.exoplatform.webui.event.Event.broadcast(Event.java:89)
	at org.exoplatform.webui.core.lifecycle.Lifecycle.processAction(Lifecycle.java:56)
	at org.exoplatform.webui.core.UIComponent.processAction(UIComponent.java:133)
...
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=BBBB,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
	at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:133)
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:128)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:854)
	... 142 more
18:04:17,007 ERROR [portal:UIPortalApplication] Error during the processAction phase
org.picketlink.idm.common.exception.IdentityException: Identity object search failed.
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:886)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.resolveRelationships(LDAPIdentityStoreImpl.java:1649)
	at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.getRelationshipsCount(LDAPIdentityStoreImpl.java:1570)
	at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.getRelationshipsCount(FallbackIdentityStoreRepository.java:1254)
	at org.picketlink.idm.impl.api.session.managers.RoleManagerImpl.getRolesCount(RoleManagerImpl.java:883)
	at org.exoplatform.services.organization.idm.IDMMembershipListAccess.getSize(IDMMembershipListAccess.java:173)
	at org.exoplatform.organization.webui.component.UIUserInGroup.setValues(UIUserInGroup.java:138)
	at org.exoplatform.organization.webui.component.UIGroupInfo.setGroup(UIGroupInfo.java:46)
	at org.exoplatform.organization.webui.component.UIGroupExplorer.changeGroup(UIGroupExplorer.java:141)
	at org.exoplatform.organization.webui.component.UIGroupManagement$DeleteGroupActionListener.execute(UIGroupManagement.java:160)
	at org.exoplatform.webui.event.Event.broadcast(Event.java:89)
	at org.exoplatform.webui.core.lifecycle.Lifecycle.processAction(Lifecycle.java:56)
	at org.exoplatform.webui.core.UIComponent.processAction(UIComponent.java:133)
...
{noformat}

The group explorer keeps throwing this exception until you remove the parent group ('AAAA').

IDM seems to remove only a group but not a relationship??
I observe that the relationship remains in AAAA even though BBBB itself was removed.

{noformat}
dn: cn=AAAA,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: AAAA
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=BBBB,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
{noformat}
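
Added example (not part of the original report or of the PicketLink IDM code): a check for the condition shown in the LDIF above, where a groupOfNames entry keeps a `member` value whose target entry no longer exists. It assumes the LDIF export covers every subtree the member values point into; the function names and the sample data, built from the entry in the report, are illustrative.

```python
import base64

# Constructed sample: the AAAA entry from the report plus an assumed placeholder entry.
SAMPLE_LDIF = """\
dn: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: placeholder

dn: cn=AAAA,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: AAAA
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=BBBB,ou=Platform,o=portal,o=gatein,
 dc=my-domain,dc=com
"""

def normalize_dn(dn):
    """Simplified comparison key (assumes no escaped commas in RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield {attr: [values]} per entry; handles folded lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def dangling_members(text):
    """Return sorted (group_dn, member_dn) pairs whose member DN has no entry."""
    entries = list(parse_ldif(text))
    known = {normalize_dn(e["dn"][0]) for e in entries}
    return sorted(
        (e["dn"][0], m)
        for e in entries
        for m in e.get("member", [])
        if normalize_dn(m) not in known
    )

if __name__ == "__main__":
    print(dangling_members(SAMPLE_LDIF))
```

A stale `member` value is also an authorization concern, because an entry later created under the same DN regains the old membership. OpenLDAP's refint overlay (slapo-refint) can enforce this clean-up on the server side.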

Comment 1 Toshiya Kobayashi 2012-01-04 09:30:24 UTC
Attachment: Added: add_group_01.png
Attachment: Added: add_group_02.png


Comment 2 Toshiya Kobayashi 2012-01-04 09:34:55 UTC
Link: Added: This issue incorporates GTNPORTAL-2320


Comment 3 hfnukal@redhat.com 2012-01-12 08:19:19 UTC
Labels: Added: EPP_5_2_1_Candidate


Comment 4 Thomas Heute 2012-01-13 15:25:47 UTC
Labels: Removed: EPP_5_2_1_Candidate 


Comment 5 Boleslaw Dawidowicz 2012-02-29 20:24:40 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
CAUSE: In some cases a group was deleted without first removing its association to the parent group. This caused an IdentityException and a persistent error in the UI.

FIX: Code was adjusted to better check whether any group associations were removed before performing the delete operation.

Comment 7 Jared MORGAN 2012-03-23 03:48:17 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1 @@
-CAUSE: In some cases group was delated without removing association to the parent group before. This was causing IdentityException and persisting error in the UI.
+If a nested IDM OpenLDAP child group was deleted from it's parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.-
-FIX: Code was adjusted to do better check if any group associations were removed before performing delate operation
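Review bot: in the added line, "it's parent" should be the possessive "its parent". The replacement text also drops the removed CAUSE line's statement that the error persisted in the UI; consider keeping that detail, since the description reports the group explorer throwing the exception until the parent group is removed.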

Comment 8 Jared MORGAN 2012-04-11 03:32:50 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-If a nested IDM OpenLDAP child group was deleted from it's parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.+If a nested IDM OpenLDAP child group was deleted from its parent, an IdentityException occurred because OpenLDAP IDM removed the child group but not the parent-child relationship. The fix improves the logic behind child group deletion to ensure group associations are removed prior to deleting a group.

Comment 9 Ali Hamdi 2012-11-13 17:10:51 UTC
Can anyone tell me where I could find the fix for this issue?

