    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    One difference I can see is that some ports are listening on the old (working) server but not on the new one, for instance 4444 (admin port), 50389 (LDAP port) and the JMX port (1689), but I don't understand why.
    holgrs
    @holgrs
    If OpenAM doesn't find its configuration, it cannot know about the ports you mentioned.
    Make sure you have .openamcfg in the home directory of the app server user.
    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    I do have that directory in /home/tomcat, which is the home of the user (tomcat) that owns the tomcat process. That directory, and the file in it, have the same permissions and ownership as the working server.
    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    Anything else I should look for? More logging I should look for or turn on?
    holgrs
    @holgrs
    Please check the name of the file in .openamcfg. It must match the deployment path. The content itself must match the OpenAM configuration directory.
    capmatch
    @capmatch

    We now have a Forgerock server as an IDP provider. We would like to have an IDP proxy between the IDP and SP (where we may have more customization). I tried to search on the web and in most of the cases

    https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario
    https://backstage.forgerock.com/knowledge/kb/article/a14745791

    they are expecting that you use the same technology (e.g. OpenAM). But in my case I would like to use OpenAM as the proxy and Forgerock as the IDP. Is it possible, or is it independent of the technology?

    holgrs
    @holgrs
    In general IDP proxy should work with any SAML IDP and SP as long as you do not rely on the SAML spec like scoping in AuthnRequests (ProxyCount, IDPList ...) as most SAML implementations do not implement this part of the core spec. With OpenAM and Forgerock AM it should work but there are still many open bugs and pitfalls for this scenario. We deployed several IDP proxy setups with different IDP implementations but they mostly neither use scoping nor SLO profiles and still may need some tweaking. Sorry for not providing a more definitive answer for you.
    capmatch
    @capmatch
    @holgrs -> So can I say that it is not an easy/straightforward way for my requirement? And also I need to understand the risk that maybe in the future there will be new bugs in the integration of OpenAM and Forgerock, since they may be considered different products.
    holgrs
    @holgrs
    @capmatch I would say it depends on your requirements. If you have simple use cases then it may work ootb. In fact, the IDP Proxy architecture has many advantages. The bugs are mainly related to active-active multi-instance OpenAM installations, not to the integration between OpenAM and FR AM.
    capmatch
    @capmatch
    @holgrs -> I tried to put the requirement into a diagram.
    https://www.draw.io?lightbox=1&highlight=0000ff&edit=_blank&layers=1&nav=1&title=IDP.drawio#R7Vpbb5swFP41kbaHVmAuCY%2B5tF2ltc2USeueKhbcxCrB1DgN2a%2BfiQ0Bm6hplmCq9qXFx%2Fax%2FZ2Pc3HoWMNFekX8eH6DAxh2gBGkHWvUAQAYdo%2F9yyRrLvEMmwtmBAVcZG4FE%2FQXCqEhpEsUwKQykGIcUhRXhVMcRXBKKzKfELyqDnvEYXXV2J9BRTCZ%2BqEq%2FYUCOufSnmNs5d8gms3zlU1D9Cz8fLAQJHM%2FwKuSyLroWEOCMeVPi3QIwwy8HBc%2B73JHb7ExAiO6z4Qn%2F0f6J766%2FTvwTDrw6EP3gZy5XMuLHy7FgcVm6TpHgOBlFMBMidGxBqs5onAS%2B9Osd8VszmRzughZy2SPQh0kFKY792kWp2e0gXgBKVmzIWKCK%2FAqCMObqy36do7%2BvIx8PtAXFp8VmregsAeByxswshWM%2BnHMBH3tUJlmFauiXQKr56lYWaeCylGgonNEAn4omu38ejRmf79cYjKDBE%2BfvmoH0XUkEG1HAdEENYxzT4Vit%2BaldEO26uARszOV0XKflzjvOEs23pPR0jB7cbrtZE%2Bz7P%2FdkrA%2BGL0ggqNFBo9Qy3bJNfNxikkYuLSKe0IJfoJDHGLCJBGOYLYJFIaSyA%2FRLGLNKVsNMvkgMxVi7rUvOhYoCLJlag1dpcIRbA1ss%2BpcVFODOlODU5na2%2BFbVBto9y2uZt%2BS70fBatg6rIBuP2yaClaT%2Fs13JgHnhgIXjIJ%2Blipl72noJwmabt5w5rFVcQk4Bg5Z35cbvzPEz528OUqFBXhrnbdSRO9Lz3wWcERzOytr5JP4pmGgZGuSjdjB8JJM4etBip1vBulrcV%2B1ecmmdXlILiMw9Cl6qW63ztBihTFGG99enwVZjkQVfkoxqZz1SXpkalqGpIjDoCja0K449X8wEShMvBtf3F6P2snC1pHQ00pCW4oB3QNZCAyvqshymmWh9e78Ybd1VDSNjk4uOtXUzbIlCu3NRSB5RLNhj6jWk9oTGCna2IaavzRcdJtqKdnWqtsGurM99RbnLoZR%2F4bJxgSna%2B2QWVIgsV1wrpZeXg3D5Lf8eKB9VtlNVdm2obvMNns7vEn76my7q9ub7LqTaF%2Bd7ej2vPn67yivbK7OzsPS64mlU291LZW2K1%2FrHlppuw3nlUC98%2FmstN9Ew55WGsopUu9ItbYtp1Cn5qF649N2n9hcrb0%2FGfVe%2FEjFtuscqdh25RTv1GRUL36Ok%2BUPl4R8xNy%2B%2BHV0XSWcttQe1F2nHMPCP%2Fkr%2BtENbNX87tewhdXrjff3VYHt6P6qAKgXHgQmMY4SyPQR%2BLyECW1nfG4sPIO9w7OrMzw7niXligeGZ1u%2BqZEVHRyeM0oVn7bx4dsPBK2Lfw%3D%3D
    @holgrs -> Do you think it is a "normal" use case? Or do you have any other configuration reference for me?
    capmatch
    @capmatch
    @holgrs some additional questions
    1. In most of the IDP proxy examples, I find that the SP also needs to install OpenAM. But in my current case, my app (ElasticStack with SAML) doesn't need to install any OpenAM as SP. May I know the reason?
    2. In the documentation, I find that SP, IDP and IDP proxy need to share the same COT (circle of trust). Since we would like the implementation not to have any impact on the third-party IDP (ForgeRock), is it a must for us to get the COT from them? Currently we don't need to have any COT configuration on our side.
    holgrs
    @holgrs
    @capmatch The IDP Proxy in OpenAM/FR I was talking of is mainly a SAML concept. Your diagram is a more general Hub setup with SAML and OIDC. It should work, but you might look into the details if you look into protocol translation and/or single logout.
    For a scenario SP - IDP Proxy - IDP, you don't need OpenAM as SP; any SAML service provider will work. If you don't use specific protocol details (like the mentioned scoping) you can even use other SAML capable proxies.
    holgrs
    @holgrs
    CoTs are a configuration option to group different SAML SPs, IDPs together. Only members of a CoT trust and can do SSO with each other. In the IDP proxy you would create a CoT for the SPs, the IDP Proxy and the IDP. The external IDP (FR) does not need to know about this. No impact at all.
    capmatch
    @capmatch

    @holgrs Hello, thx for your advice. Based on that I tried to set up the SP, IDPproxy and IDP with this confluence page
    https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario

    It is working fine. But I have two questions.

    1. I found that the SSO is working fine with SP, IDPproxy and IDP. But I cannot get any SAMLResponse from the network (using the browser developer tool and capturing the network).
    2. I would like to add an attribute in the SAMLResponse. In the SP, IDPproxy case it is working fine (just add it in "Attribute Map"). How about SP, IDPproxy and IDP? Do I need to configure it in IDPproxy as well? Since I don't store any data in SP, IDPproxy, I just set the "Transient User" as anonymous.
    holgrs
    @holgrs
    @capmatch You should see the SAML response in the browser, although the content depends on the SAML profile that you use (remember that for the artifact profile the SAML assertion is sent server-to-server and not via the browser). For 2. Not sure I got your scenario, but yes, you can have attributes in both connections. You can relay the attributes that come in from the IDP via the IDPProxy to the SP.
    capmatch
    @capmatch

    @holgrs
    Thx for the advice. Eventually I made it. The SP may retrieve the SAML Response and it contains the attribute. But I found that the group related information cannot be retrieved (even in IDP and IDPproxy). I have added the group with the user in the IDP's embedded OpenDS. I tried to use the control panel to create a group and link it to the user. But I cannot make it work even using "isMemberOf", "memberOf", "uniqueMember" and "member" in the Attribute mapping.

    I tried to put the LDAP info here

    Member related

    dn: cn=cap,ou=people,dc=openam,dc=openidentityplatform,dc=org
    objectClass: sunFMSAML2NameIdentifier
    objectClass: top
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    mail: capcap@capcap.com
    sn: cap
    cn: cap
    sun-fm-saml2-nameid-infokey: http://idp.example.org:8083/openamIDP|http://sp.example.net:8082/openamSP|DJZELvZaxEniXZqKnPopOC6hW3jC
    givenName: cap
    userPassword: df
    uid: 123456
    sun-fm-saml2-nameid-info: http://idp.example.org:8083/openamIDP|http://sp.example.net:8082/openamSP|DJZELvZaxEniXZqKnPopOC6hW3jC|http://idp.example.org:8083/openamIDP|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|http://sp.example.net:8082/openamSP|IDPRole|false
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    modifyTimestamp: 20220215132436Z
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    entryUUID: 608d9304-0180-4262-b0bb-e642be60193a
    createTimestamp: 20220214142605Z
    pwdChangedTime: 20220214142605.193Z

    Group info

    dn: cn=testing,ou=groups,dc=openam,dc=openidentityplatform,dc=org
    objectClass: top
    objectClass: groupOfNames
    cn: testing
    member: cn=cap,ou=people,dc=openam,dc=openidentityplatform,dc=org
    member: cn=fish,ou=people,dc=openam,dc=openidentityplatform,dc=org
    description: testing group
    createTimestamp: 20220215131429Z
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    modifyTimestamp: 20220217152443Z
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    entryUUID: 3d2c29ae-a7e9-4141-be58-f19eb3d7c38e
    
    dn: cn=testinggroup,ou=groups,dc=openam,dc=openidentityplatform,dc=org
    objectClass: groupOfUniqueNames
    objectClass: top
    uniqueMember: cn=cap,ou=people,dc=openam,dc=openidentityplatform,dc=org
    uniqueMember: cn=fish,ou=people,dc=openam,dc=openidentityplatform,dc=org
    cn: testinggroup
    createTimestamp: 20220215133957Z
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    modifyTimestamp: 20220217152557Z
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    entryUUID: 19ee18c8-e9f8-40c9-b6e8-525ac77f1b17

    OpenAM embedded OpenDS
    I also tried to run the ldapsearch in the command prompt. But very interestingly it returns nothing.

    Do you think that it is an OpenAM question or an OpenDJ question?

    ldapsearch.bat --port 50389 --baseDN dc=openam,dc=openidentityplatform,dc=org "(cn=*c*)" uid
    capmatch
    @capmatch
    In addition, I have checked the dsconfig and isMemberOf is here:
    Virtual Attribute               : Type                            : enabled : attribute-type
    --------------------------------:---------------------------------:---------:--------------------------------
    Collective Attribute Subentries : collective-attribute-subentries : true    : collectiveAttributeSubentries
    entryDN                         : entry-dn                        : true    : entryDN
    entryUUID                       : entry-uuid                      : true    : entryUUID
    etag                            : entity-tag                      : true    : etag
    governingStructureRule          : governing-structure-rule        : true    : governingStructureRule
    hasSubordinates                 : has-subordinates                : true    : hasSubordinates
    isMemberOf                      : is-member-of                    : true    : isMemberOf
    numSubordinates                 : num-subordinates                : true    : numSubordinates
    Password Expiration Time        : password-expiration-time        : true    : ds-pwp-password-expiration-time
    Password Policy Subentry        : password-policy-subentry        : true    : pwdPolicySubentry
    structuralObjectClass           : structural-object-class         : true    : structuralObjectClass
    subschemaSubentry               : subschema-subentry              : true    : subschemaSubentry
    Virtual Static member           : member                          : true    : member
    Virtual Static uniqueMember     : member                          : true    : uniqueMember
    holgrs
    @holgrs
    @capmatch Try to use a root dn bind in the search request above and check if the search returns anything.
    capmatch
    @capmatch

    In general IDP proxy should work with any SAML IDP and SP as long as you do not rely on the SAML spec like scoping in AuthnRequests (ProxyCount, IDPList ...) as most SAML implementations do not implement this part of the core spec. With OpenAM and Forgerock AM it should work but there are still many open bugs and pitfalls for this scenario. We deployed several IDP proxy setups with different IDP implementations but they mostly neither use scoping nor SLO profiles and still may need some tweaking. Sorry for not providing a more definitive answer for you.

    I am just using this example and it seems that this will use the scoping with proxy count in the SP authn request. So when I replace the SP from OpenAM with Elasticsearch, I find my setup is not correct since ELK doesn't have any attribute to set for the scoping and proxy count. I have also raised a question in the forum. It seems that it is not supported yet.

    https://discuss.elastic.co/t/saml-authentication-request-scoping-using-idp-proxy/297932

    So is it possible that you share some of the "tweaking" that you tried before? It should be some configuration on the IDP proxy side, right? Also I would like to keep the IDP proxy as transient and not need any login process in IDPproxy.

    holgrs
    @holgrs
    @capmatch You may try setting the remote SP to "always Proxy" at the IDP Proxy.
    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    Hello, I had no luck getting OpenAM 12 that was working on an older version of RH to work on a new version of RH. For now, we ended up using another machine to handle TLS with httpd and forward traffic over AJP to the working copy of Tomcat + OpenAM on an older machine (older version of RH/Java/Tomcat). This is all for development, so this is okay for now.
    However, I was able to export the config as XML. Suppose I set up a newer version of OpenAM. Is there a best practice for importing that config into the latest version of OpenAM?
    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    Also, I'm trying to install locally on a Mac. I set up version 9 on a mac, gave it a DNS entry for a hostname, and can navigate to hostname:8080/openam and do a default config and it finishes. Then login works.
    I try to set up admin tools:
    Do you accept the license? yes
    Path to config files of OpenAM server [/Users/sleblanc/openam]:
    Debug Directory [/Users/sleblanc/Downloads/SSOAdminTools-14.6.4/debug]:
    Log Directory [/Users/sleblanc/Downloads/SSOAdminTools-14.6.4/log]:
    amSecurity:02/25/2022 11:02:50:421 AM MST: Thread[main,5,main]: TransactionId[unknown]
    ERROR: created internalAppSSOToken:aVpVelNVSkMybXFNUFhacndLZ0d4UT09MTY0NTgxMjE2NTQxNg==, authInitialized: false, SystemProperties.isServerMode(): false, SystemProperties.get(AMADMIN_MODE): true
    The scripts are properly setup under directory: /Users/sleblanc/Downloads/SSOAdminTools-14.6.4/openam
    Debug directory is /Users/sleblanc/Downloads/SSOAdminTools-14.6.4/debug.
    Log directory is /Users/sleblanc/Downloads/SSOAdminTools-14.6.4/log.
    The version of this tools.zip is: OpenAM 14.6.4
    The version of your server instance is: OpenAM 14.6.4 Build 55b85d9041 (2021-July-28 09:18)
    The scripts are then installed, but trying to do an import fails with a similar error

    ./ssoadm import-svc-cfg -u amAdmin -f ~/pwd -e secret -X ~/export-openam-config

    amSecurity:02/25/2022 11:06:56:622 AM MST: Thread[main,5,main]: TransactionId[unknown]
    ERROR: created internalAppSSOToken:UW9oRnlMbWpBR1FMbTViZXdLZ0d4UT09MTY0NTgxMjQxMTYwOQ==, authInitialized: false, SystemProperties.isServerMode(): false, SystemProperties.get(AMADMIN_MODE): true
    Directory Service contains existing data. Do you want to delete it? [y|N] y
    Please wait while we import the service configuration...
    Unexpected LDAP exception occurred.

    seanleblancaticdtech
    @seanleblancaticdtech:matrix.org
    [m]
    After turning on -v and -d flags for the ssoadm step, I see this:
    amSMS:02/25/2022 02:16:47:553 PM MST: Thread[main,5,main]: TransactionId[unknown]
    ERROR: ServiceSchemaImpl.serverEndAttrValidation
    java.lang.ClassNotFoundException: org.forgerock.openam.authentication.modules.scripted.ScriptValidator
            at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:264)
            at com.sun.identity.sm.ServiceSchemaImpl.serverEndAttrValidation(ServiceSchemaImpl.java:688)
            at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:650)
            at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:597)
            at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:345)
            at com.sun.identity.sm.ServiceSchemaImpl.validateDefaults(ServiceSchemaImpl.java:360)
            at com.sun.identity.sm.ServiceManager.validateServiceSchema(ServiceManager.java:1188)
            at com.sun.identity.sm.ServiceManager.registerServices(ServiceManager.java:446)
            at com.sun.identity.cli.schema.ImportServiceConfiguration.importData(ImportServiceConfiguration.java:275)
            at com.sun.identity.cli.schema.ImportServiceConfiguration.handleRequest(ImportServiceConfiguration.java:145)
            at com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
            at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
            at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
            at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:581)
            at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:178)
            at com.sun.identity.cli.CommandManager.main(CommandManager.java:155)
    
    amSMSClient:02/25/2022 02:16:47:556 PM MST: Thread[main,5,main]: TransactionId[unknown]
    ERROR: SMSJAXRPCObjectvalidateServiceAttributes
    java.lang.NullPointerException
            at com.sun.identity.sm.jaxrpc.SMSJAXRPCObject.validateServiceAttributes(SMSJAXRPCObject.java:491)
            at com.sun.identity.sm.RemoteServiceAttributeValidator.validate(RemoteServiceAttributeValidator.java:59)
            at com.sun.identity.sm.ServiceSchemaImpl.clientEndAttrValidation(ServiceSchemaImpl.java:672)
            at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:653)
            at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:597)
            at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:345)
            at com.sun.identity.sm.ServiceSchemaImpl.validateDefaults(ServiceSchemaImpl.java:360)
            at com.sun.identity.sm.ServiceManager.validateServiceSchema(ServiceManager.java:1188)
            at com.sun.identity.sm.ServiceManager.registerServices(ServiceManager.java:446)
            at com.sun.identity.cli.schema.ImportServiceConfiguration.importData(ImportServiceConfiguration.java:275)
            at com.sun.identity.cli.schema.ImportServiceConfiguration.handleRequest(ImportServiceConfiguration.java:145)
            at com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
            at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
            at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
            at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:581)
            at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:178)
            at com.sun.identity.cli.CommandManager.main(CommandManager.java:155)
    capmatch
    @capmatch
    @holgrs -> Eventually I figured out the "missing isMemberOf" issue. I need to add it back to the embedded Data Store in the OpenAM UI. Inside OpenDJ -> LDAP User Attributes -> New Value (isMemberOf). Then we may retrieve this as an attribute and pass it back to the IDP proxy and SP.

    @holgrs -> I have 2 more questions I would like to have some advice on.
    When trying the IDP proxy approach, we need to make some configuration changes on the SP and IDP proxy, which make the SAML request different. For example, the following xml will be added in the AuthnRequest

        <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="1">
            <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
                <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProviderID="http://idp.example.org:8083/openamIDP"/>
                <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProviderID="idpproxy.example.com"/>
            </samlp:IDPList>
            <samlp:RequesterID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">kibana.example.com</samlp:RequesterID>
        </samlp:Scoping>

    Let's say that for some reason we don't want the IDP to know that we are using the IDP proxy approach. (As I told you before, the IDP is hosted by a third party.) But the xml will for sure "show the truth". So is there any way to get rid of that?

    holgrs
    @holgrs
    @capmatch Not sure I got the point. You don't want the Scoping element present in the AuthnRequest? Then just leave it out and proxy all requests.
    capmatch
    @capmatch

    @holgrs -> thx. I have fixed that. Just raised another question on the OpenAM GitHub discussion.
    https://github.com/OpenIdentityPlatform/OpenAM/discussions/472

    I would like to use other NameID formats instead of only "transient" for the IDP proxy. I have tried other formats, but then it stops forwarding the SAML response on the IDP proxy side. Still working on that.

    holgrs
    @holgrs
    @capmatch Transient uses non-profile values as nameid. If you do not have user profiles in the IDP proxy, you can use session attributes instead. Map incoming SAML attributes to session attributes and use them for whatever format you want.
    capmatch
    @capmatch

    Hi all, just some question about the SSO configurator. Since I would like to automate the configuration store setup, I am now trying openam-configurator-tool-14.6.4.jar, but running

    java -jar openam-configurator-tool-14.6.4.jar --file config.txt
    null
    Configuration Failed.  The server returned error code :404

    The config.txt is the one I got from install.log during the manual configuration store installation, and we use that. Have I set something wrong in config.txt so that it doesn't work?

    ACCEPT_LICENSES=true
    actionLink = createConfig
    DEPLOYMENT_URI=/openam
    ADMIN_CONFIRM_PWD = testing123
    ADMIN_PWD = testing123
    AM_ENC_KEY = 
    AMLDAPUSERPASSWD = abcabc123
    AMLDAPUSERPASSWD_CONFIRM = abcabc123
    BASE_DIR = C:/Users/capho/openamSP
    COOKIE_DOMAIN = sp.example.net
    DATA_STORE = embedded
    DIRECTORY_ADMIN_PORT = 4444
    DIRECTORY_JMX_PORT = 1689
    DIRECTORY_PORT = 50389
    DIRECTORY_SERVER = localhost
    DIRECTORY_SSL = SIMPLE
    DS_DIRMGRDN = cn=Directory Manager
    DS_DIRMGRPASSWD = testing123
    ie7fix = 25
    locale = en_US
    PLATFORM_LOCALE = en_US
    ROOT_SUFFIX = dc=openam,dc=openidentityplatform,dc=org
    SERVER_HOST = sp.example.net
    SERVER_PORT = 8082
    SERVER_URI = http://sp.example.net:8082/openamSP/config/wizard/wizard.htm
    SERVER_URL = http://sp.example.net:8082
    SITE_CONFIGURATION_MAP = {wizardLoadBalancerSiteName=LBEagle, wizardLoadBalancerURL=http://lb.example.com/lb}
    wizardLoadBalancerSiteName = LBEagle
    wizardLoadBalancerURL = http://lb.example.com/lb
    Yassire Elhani
    @yassire
    Hi guys, I get this when I try the Cookie Domain Configuration
    openam_1 | ERROR: ServiceConfigManagerImpl(:iPlanetAMPlatformService) notifyGlobalConfigChange Error sending notification to ServiceListener: com.sun.identity.common.configuration.ConfigurationObserver
    openam_1 | java.lang.NullPointerException
    openam_1 | at java.util.Hashtable.putAll(Hashtable.java:523)
    openam_1 | at com.iplanet.am.util.SystemProperties.initializeProperties(SystemProperties.java:504)
    Any idea?
    I use docker to run the image.
    derelict-pf
    @derelict-pf

    I have installed OpenDJ twice now on Ubuntu 20.04 Server LTS using the 4.4.11-1 deb package and both times the inetOrgPerson object class is missing.

    It is in config/schema/00-core.ldif but not in the schema when I examine it using the control-panel.

    Nor can I create a simple test user because it complains the object class is missing.

    Some classes are there such as organizationalPerson but not inetOrgPerson.

    No idea what I'm doing wrong.

    Thank you for any pointers provided.

    Maxim Thomas
    @maximthomas
    @yassire Hi, I can't reproduce the issue with the latest docker image. Need more details. Could you create an issue in the GitHub repo https://github.com/OpenIdentityPlatform/OpenAM/issues ?
    Maxim Thomas
    @maximthomas
    @derelict-pf please make sure that the OpenDJ instance.loc file points to the correct data directory. As an alternative you can use the docker image https://hub.docker.com/r/openidentityplatform/opendj/
    Maxim Thomas
    @maximthomas
    Hello everyone!
    We have just released a new version of OpenDJ 4.4.13, with FIPS support, JSON support, security updates and bug fixes
    https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.13
    Feel free to download!
    Maxim Thomas
    @maximthomas
    Hi @/all
    We have just released a new version of OpenAM 14.6.5, with security updates and bug fixes, SAML, CTS, and user data store improvements and many more!
    https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/14.6.5
    Many thanks to all contributors!
    Feel free to download!
    ehoner9
    @ehoner9
    Hi @All, are there any CDDL Apache 2.4 Linux Policy Agents lower than the ones listed here: https://github.com/OpenIdentityPlatform/OpenAM-Web-Agents/releases?
    i.e. 3.3.x
    harklib
    @harklib
    Hi.
    OpenDJ: Any idea why the schema objectClass posixAccount is not showing up in an ldapsearch and I'm getting a schema violation error saying it's unknown? See here for more detail: https://stackoverflow.com/questions/72747328/opendj-the-ldap-password-modify-operation-failed-65-object-class-violation