IRC log for #openam, 2017-02-15

All times shown according to UTC.

Time Nick Message
01:02 aldaris joined #openam
02:13 jelmd joined #openam
02:49 ilbot3 joined #openam
02:49 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 13.5.0 is out! OpenAM 12.0.4 is out! Channel logs at: http://irclog.perlgeek.de/openam/today
03:07 abyss joined #openam
07:19 aldaris joined #openam
07:40 aldaris joined #openam
07:41 aldaris joined #openam
07:45 KermitTheFragger joined #openam
08:22 aldaris joined #openam
10:27 aldaris joined #openam
12:05 jjpp hi.
12:07 jjpp i am having weird effects with openam idm cache. for a while after container restart everything is okay. but after some intense testing where the users are created and removed etc some changes will be missing from the cache.
12:07 jjpp it kind of feels that there is some kind of race in processing psearch results or something.
12:08 jjpp where is the code that deals with (id repo) psearches and what should i look for in debuglogs?
12:10 jjpp (also, it kind of seems that there are changes that should have happened together. and i can see change that happened later in the code but not those before)
12:10 jjpp (come to think of it, it might be that what are missing are the fields that were added)
12:45 aldaris joined #openam
13:20 jelmd joined #openam
13:25 jjpp hm.
13:26 jjpp it seems that my psearch is killed because of some unparseable dn returned from ldap.
13:27 jjpp the connection is not recovered. and stuff will act strange.
13:27 jjpp https://bugster.forgerock.org/jira/browse/OPENAM-8570 might be related but I am not sure
13:32 asyd ahh openam and cache..
13:33 asyd i almost remember some nightmares
13:38 jjpp https://bugster.forgerock.org/jira/browse/OPENAM-10631
13:46 asyd good luck
13:46 aldaris the DN parsing is a new bug
13:46 aldaris IdRepoListener#getChangedIds really shouldn't string concatenate DNs…
13:52 jjpp for my short term purpose i just built a version where handle is wrapped into try { } catch(Exception ex) { DEBUG.error("panic", ex); }
13:52 jjpp the handle method in that psearch handler, that is.
14:23 jjpp hm, reproducing the parse error with clear and simple steps is hard. unless the steps are "echo something | ldapmodify". then again, i kind of remember that "openam is a consumer of identity data" and in that sense -- it should survive whatever i decide to put into repo. at least as long as the whatever is under some uninteresting-for-openam branch of directory tree..
14:23 aldaris should be easy
14:23 aldaris change a user that has funny characters in its uid (assuming uid is the configured search attribute)
14:23 aldaris then wait for the failure to happen
14:25 jjpp hmjah. should (re)start my testinstall.
14:25 MegaMatt \0x41\0x41\0x41\0x41\0x41\0x41\0x41
18:11 aldaris joined #openam
19:56 aldaris joined #openam
20:23 aldaris joined #openam
21:06 aldaris joined #openam
22:59 jelmd OPENAM-10648: what should I look for (log produces within seconds 4000 entries), not really helpful, if one doesn’t know, what is needed …
23:00 aldaris hey there
23:00 jelmd hey
23:00 aldaris I'm Peter from the issue comment
23:00 jelmd ah ok, hi
23:00 aldaris catalina.out could prove helpful
23:01 aldaris or turn on message level debug logging
23:01 aldaris but I have a sad feeling that the exception is not logged
23:02 jelmd last line in catalina.out is: 15-Feb-2017 21:13:01.606 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 20739 ms
23:02 aldaris is localhost.log better?
23:02 jelmd so nothing there
23:03 jelmd host-manager.*, manager.* and localhost.* all have 0 bytes
23:04 jelmd however, debug.out has several DirectoryExceptions, but I’m not sure, whether they are expected or not
23:04 aldaris one shouldn't see those too often
23:05 jelmd e.g. org.opends.server.types.DirectoryException: The search base entry 'ou=default,ou=GlobalConfig,ou=1.0,ou=RestApisService,ou=services,dc=openam,dc=forgerock,dc=org' does not exist
23:05 aldaris that could be because of the overly verbose embedded dj log
23:05 jelmd or  org.opends.server.types.DirectoryException: The search base entry 'o=authenticate,ou=services,dc=openam,dc=forgerock,dc=org' does not exist
23:05 jelmd com.iplanet.sso.SSOException: Invalid session ID.
23:05 jelmd Caused by: com.iplanet.dpro.session.SessionException: Invalid session ID.
23:05 jelmd ERROR processIndexType/SSOToken validation - com.iplanet.sso.SSOException: Invalid session ID.
23:06 aldaris yeah, those aren't helping
23:06 aldaris are you a techie person?
23:06 aldaris can you compile stuff? :)
23:07 jelmd yes, I’ve compiled openam by myself.
23:07 jelmd http://pastebin.com/jSnDFNwX
23:07 jelmd all the exceptions grepped in the debug.out
23:08 aldaris none of them are really helping
23:10 jelmd yeah. Due to the JS stuff it is hard to find out, what the client actually should do (and how the server should respond)
23:10 aldaris the server shouldn't throw that http 500
23:10 aldaris the problem is I can't tell if the problem happens within the rest endpoint itself or somewhere before
23:11 aldaris AuthenticationServiceV1 is the class that should deal with that call btw
23:12 jelmd hmmm
23:12 jjpp rest authentication has a bit of a problem reporting various failures, imho. my usual take is to recreate issue and try to scroll up from the end of debuglog.
23:13 jjpp i look for exceptions (large obvious stacktraces). and skip few of the last ones that are related to not being able to get (invalid) sso token
23:13 jjpp because these are usually some aftermath that cannot properly happen because of some earlier problem
23:14 jjpp then again, i have a few years of experience in ignoring all the stuff in debuglog that is not important at that point (but quite useful on some other occasions:)
23:16 aldaris jelmd I would love to get to the bottom of this issue, so feel free to ask things
23:16 jjpp also, if you can find the thread name of the thread that served the request, you could grep out just this particular thread
23:16 aldaris unfortunately you will need to get your hands dirty for this, and I apologize for that...
23:17 jjpp grep -A 1 might be useful to get the lines after those that have thread name.
23:18 jelmd ok - just looking through the debug.out for other smelling stuff
23:18 MegaMatt Just give aldaris a shell on the box >:)
23:18 jelmd The search base entry 'ou=default,ou=GlobalConfig,ou=1.0,ou=RestApisService,ou=services,dc=openam,dc=forgerock,dc=org' does not exist
23:18 jelmd org.opends.server.types.DirectoryException: The search base entry 'ou=default,ou=GlobalConfig,ou=1.0,ou=RestApisService,ou=services,dc=openam,dc=forgerock,dc=org' does not exist
23:18 jelmd at org.opends.server.backends.pluggable.EntryContainer.fetchBaseEntry(EntryContainer.java:2639)
23:19 jelmd expected?
23:19 aldaris it really hurts adoption if people can't run the thing :(
23:19 aldaris ignore it for now
23:19 aldaris and I would strongly suggest to disable mergeall and ignore the EmbeddedDJ file completely
23:20 jelmd well, I can give you the full logs (just don’t wanna attach it to JIRA)
23:21 jjpp jelmd: btw, are both of your browsers configured to use de locale?
23:22 jelmd and basically I’ve no problem with the shell ;-) - just need to know, which ports/ip to open :)
23:22 jjpp and.. what will happen if you do curl -v -X POST http://my.do.main:8080/openam/json/authenticate ?
23:22 aldaris as a test, can you run a simple curl against it?
23:22 jelmd I can check, usually en_US, en, de_DE and de
23:22 jjpp hm, Content-type is needed too
23:23 jjpp curl -v -X POST -H 'Content-type: application/json' http://my.do.main:8080/openam/json/authenticate
23:23 aldaris curl -X POST -H "Content-Type: application/json" -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Cache-Control: no-cache" -d '{}' "http://idp.example.com:8080/openam/json/authenticate"
23:25 jelmd nothing
23:25 aldaris curl -v
23:25 jelmd exit code 0
23:30 jelmd same thing: http://pastebin.com/QNXxYTxi
23:31 aldaris still very strange...
23:31 jjpp what is the real hostname of your openam server?
23:31 jelmd for now it is cal.iks.cs.ovgu.de
23:32 jjpp seems legit. nothing that could cause parse errors.
23:32 jelmd yepp
23:34 jelmd the rest req are embedded in real ldap request or does it use a different port?
23:34 jjpp it feels that there is something fishy in the environment of openam. locale, weird jvm, ?
23:34 jelmd vanilla Oracle JDK.
23:40 jjpp i would check the locale of container and possibly try to run it with C or en_US.UTF-8, just to be sure.
23:42 jjpp and if that does not help, then as a next step -- try to find the request from the debug log and follow the thread since the beginning, reading and understanding the code.
23:44 jelmd LANG = en_US.UTF-8
23:45 jjpp hm.
23:45 jelmd sun.jnu.encoding = UTF-8 ; user.country = US;
23:45 jjpp can you do grep -A 2 -i error do the debug log as well?
23:45 jjpp s/do/to
23:45 jjpp eh
23:45 jelmd np
23:46 aldaris so
23:46 aldaris it turns out that the json/authenticate call failed because you had an invalid cookie domain value
23:46 aldaris latest tomcat versions frown upon cookie domains that start with .
23:47 jjpp hm. okay. i was already thinking of outofmemoryerrors and such..
23:47 aldaris OPENAM-1983 was only fixed in 13.5.0 sadly
23:47 jelmd hmmm - so autosetup has a bug?
23:47 aldaris that improved cookie domain handling a lot
23:48 jelmd uhhm
23:48 aldaris can't recall the timing of things
23:49 aldaris but IIRC the new tomcat version that enforced cookie domains only got released after 13, but I may have just made this up :)
23:50 jelmd so question is, how to fix it for an instance?
23:50 aldaris https://bugster.forgerock.org/jira/browse/OPENAM-8668
23:50 jjpp aldaris: does https://bugster.forgerock.org/jira/browse/OPENAM-8657 mean that there is no working way to get idle time in 13.0?
23:51 aldaris jelmd: run ssoadm set-attr-defs to change the cookie domain
23:51 aldaris jjpp: no, it just means it is sometimes unreliable
23:51 jelmd ok. checking the manuals …
23:53 aldaris ssoadm set-attr-defs -u amadmin -f .pass -s iPlanetAMPlatformService -t global -a "iplanet-am-platform-cookie-domains=foobar.com"
23:53 jjpp aldaris: hm, ok. my automated tests fail on that. i see a workaround, for the tests, though