I'm trying to use WSO2IS with an Active Directory LDS.

Using the store to display and read users is no problem. However when editing a user, there's a hiccup.

The users are situated in OUs in the AD and in the synced AD LDS. (We use the AD LDS to add user attributes without changing the original AD.)

When I edit a user it will be moved by the IS to the UserSearchBase. IS is still able to show the user - for now.
When the AD LDS is synced with the AD, the user will be moved back to its original OU.
The IS will not be able to find the user, because it is still looking for the user in the "new" location in the UserSearchBase root.

Only if I restart the IS, the user will be found again.

I tried to recreate the behaviour by hand:

  1. Create user in an OU situated in the UserSearchBase
  2. Edit the user with IS
  3. Move the user back to its original location in the OU in the AD
  4. IS throws error

Is there a way to tell the IS to leave the user DN/location as is?
Is there a way to disable caching? (Without impact on performance?)

Regards, Mat

Mat

1 Answer

This looks like a known issue with Cache Expiry Bug 6471. Please see if the description matches your exception trace.

There is a fix going on for the above. That will be available in a future release.

You can also build from the public repository once the fix is done, if this is the case.

Workaround

You can edit and save the user store, if this user store is configured with the UI. You do not need to change any value. This will cause a new instance to be created, thus re-creating the cache.

Ruwan Abeykoon
  • Thank you! That looks exactly like my issue. When I first worked on the problem this Bug in your Jira did not yet exist, and I did not have a look there since then. Is there a timeframe for the fix? Unfortunately the workaround is no viable workaround, since it is the primary userstore and we do not always know when (or if) the DNs are updated externally. – Mat Oct 09 '17 at 08:06
  • The fix will be available in the next release. It has been fixed recently with the latest [Kernel 4.4.x](https://github.com/wso2/carbon-kernel/tree/4.4.x) with [Pull Request](https://github.com/wso2/carbon-kernel/pull/1576). You can check out the tag [v4.4.11](https://github.com/wso2/carbon-kernel/tree/v4.4.11) and apply the change in the [Pull Request](https://github.com/wso2/carbon-kernel/pull/1576) on top of it. Then build, and replace the *org.wso2.carbon.user.core-4.4.11.jar* – Ruwan Abeykoon Oct 09 '17 at 09:16
  • Hi @Ruwan, I cannot seem to get it working: `ERROR {org.wso2.carbon.tomcat.internal.CarbonTomcat} - error while parsing xml stream java.lang.ClassNotFoundException: org.wso2.carbon.identity.auth.valve.AuthenticationValve` So... Did I do everything correctly? `git clone https://github.com/wso2/carbon-kernel.git; cd carbon-kernel; git checkout tags/v4.4.11; git fetch origin pull/1576/head:cachefix; git merge cachefix; mvn clean install` Or is there something wrong? Thx – Mat Oct 25 '17 at 13:10
  • I think "git merge cachefix;" has merged the entire code base into the 4.4.11 kernel, and will be incompatible. You only need to cherry-pick the change in the PR. [cherry-pick-a-pr-pull-request-from-github](https://lalatendu.org/2015/12/02/cherry-pick-a-pr-pull-request-from-github/) might help. – Ruwan Abeykoon Oct 26 '17 at 15:07
  • By the way, I am working on a different improvement. It will be available in a few days, if you can wait. – Ruwan Abeykoon Oct 26 '17 at 15:08
  • Thank you Ruwan! The cherry picking won't work either - unfortunately. `error: core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java: patch does not apply...`. After applying all the changes (as far as possible) to the classes by hand, I was able to build and use the jar. But I get `ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block`. Is there a timeframe for the new release with the working cache fix? – Mat Oct 27 '17 at 11:28
  • The official fix will be available in 5.4.0. This would be the end of 2017. – Ruwan Abeykoon Oct 27 '17 at 14:07
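
The difference between merging a fetched pull-request head onto a release tag and cherry-picking only its commits, as discussed in the comments above, reproduced in a throwaway local repository. This is an added example, not part of the original thread or of carbon-kernel; the tag `v-release`, the branches `mainline` and `pr-fix` and the file names are constructed stand-ins for `v4.4.11`, `4.4.x` and the fetched PR head.

```shell
#!/bin/sh
# Constructed sandbox: a throwaway local repo, no network, no real carbon-kernel code.
# v-release, mainline and pr-fix are hypothetical stand-ins for v4.4.11, 4.4.x and the PR head.

make_sandbox() {                       # prints the path of a fresh demo repository
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.name "Example"
        git config user.email "example@example.invalid"
        git config commit.gpgsign false
        commit_file() { echo "$2" > "$1" && git add "$1" && git commit -q -m "$2"; }
        commit_file core.txt "release"                      # state at the release tag
        git tag v-release
        git checkout -q -b mainline
        commit_file later-feature.txt "post-release work"   # development after the tag
        git checkout -q -b pr-fix
        commit_file cachefix.txt "cache fix"                # the one change we want
    ) >/dev/null 2>&1 || return 1
    echo "$repo"
}

apply_fix() {                          # $1 = repo, $2 = merge | pick; prints resulting files
    (
        cd "$1" || exit 1
        git checkout -q -b "build-$2" v-release || exit 1
        case "$2" in
            # Merging the PR head brings in every commit between the tag and the PR.
            merge) git merge -q --no-edit pr-fix >/dev/null || exit 1 ;;
            # Cherry-picking the range takes only commits on pr-fix that mainline lacks.
            pick)  git cherry-pick mainline..pr-fix >/dev/null || exit 1 ;;
            *)     exit 2 ;;
        esac
        git ls-files | xargs
    ) 2>/dev/null
}

demo=$(make_sandbox) || exit 1
echo "merge pr-fix:        $(apply_fix "$demo" merge)"
echo "cherry-pick pr-fix:  $(apply_fix "$demo" pick)"
rm -rf "$demo"
```

The merge result contains `later-feature.txt`, which was never part of the release; the cherry-pick result does not. A cherry-pick can still stop with a conflict when the picked commits touch code that differs at the tag.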