
Knowledge Document: Error 489 when looking at a user's assigned permissions in UserApplication


489 error when accessing a user's assigned permissions and a NullPointerException in catalina.out

Comment List
  • Summary version - you might have objects missing attributes, like an nrfResourceAssociation with only an nrfRole or nrfResource value but not both. Or a couple of other errors of that type. And I guess ID Apps do not handle these errors well. The other big one I have run into as well is an nrfResource or nrfRole that is missing one of the naming attributes. The CN is there, since the object exists, but the nrfLocalizedName or nrfLocalizedDescr is missing.

    They recommend just the most adorable script (like a Build-a-Bear adorable) that someone in support, who is very clever at shell scripting, must have written to gather data. One of the steps is a bunch of LDAP queries, which I have to admit are done in a very clever way. They define an array of LDAP queries, and then for-each over the array.

    The queries are:

    		"Root DSE"									"-b \"\" -s base"
    		"RBPM Trusted Root Certificate Validity"	"-b \"$TRUSTROOT_CONTAINER\" -s sub nDSPKINotAfter"
    		"NCP Server Index Search"					"-b \"$DSA_NAME\" -s base indexDefinition|grep -i surname | grep '0\\\$0\\\$*\\\$1\\\$'"
    		"User App Administrator - Assigned Roles"	"-b \"$UA_ADMIN\" -s base nrfAssignedRoles securityEquals"
    		"Navigation objects"						"-b \"$NAV_ITEMS\" -s one cn"
    		"AppConfig Version"							"-b \"$DRIVER_SET\" -s sub \"(objectclass=srvprvAppConfig)\" version"
    		"IDM Engine Version"				"-b \"cn=EngineVersion,cn=IDM,cn=Monitor\" -s base |grep -i \"engineversion:\" "
    		"Resourceassociations missing nrfRole or nrfResource"	"-b \"cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfResourceAssociation)(|(!(nrfResource=*))(!(nrfRole=*))))\" DN nrfResource nrfRole|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\" "
    		"Roles missing nrfLocalizedNames or nrfLocalizedDescrs" "-b \"cn=RoleDefs,cn=RoleConfig,cn=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfRole)(|(!(nrfLocalizedNames=*))(!(nrfLocalizedDescrs=*))))\" DN nrfLocalizedDescrs nrfLocalizedNames|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\""
    		"Resources missing nrfLocalizedNames or nrfLocalizedDescrs" "-b \"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfResource)(|(!(nrfLocalizedNames=*))(!(nrfLocalizedDescrs=*))))\" DN nrfLocalizedDescrs nrfLocalizedNames|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\""
    		"Level10 roles with wrong nrfRoleLevel" "-b \"CN=Level10,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfRole)(|(!(nrfRoleLevel=10))))\" DN nrfRoleLevel|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\""
    		"Level20 roles with wrong nrfRoleLevel" "-b \"CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfRole)(|(!(nrfRoleLevel=20))))\" DN nrfRoleLevel|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\""
    		"Level30 roles with wrong nrfRoleLevel" "-b \"CN=Level30,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfRole)(|(!(nrfRoleLevel=30))))\" DN nrfRoleLevel|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\""
    
    		"Driverset Java options"					"-b \"$DRIVER_SET\" -s base DirXML-JavaEnvironmentParameters"
    		"Driverset Global Configuration Values"		"-b \"$DRIVER_SET\" -s sub \"(objectclass=DirXML-GlobalConfigDef)\" DirXML-ConfigValues"
    		"Drivers"									"-b \"$DRIVER_SET\" -s sub \"(objectclass=DirXML-Driver)\" $DRIVER_QUERY_ATTRIBUTES"
    		"User Application Driver"					"-b \"$DRIVER_SET\" -s sub \"(&(objectclass=DirXML-Driver)(DirXML-JavaModule=\"$USERAPP_CLASS\"))\" $DRIVER_ATTRIBUTES"
    		"Role and Resource Service Driver"			"-b \"$DRIVER_SET\" -s sub \"(&(objectclass=DirXML-Driver)(DirXML-JavaModule=\"$RRSD_CLASS\"))\" $DRIVER_ATTRIBUTES"
    		"Mail Notification"							"-b \"$MAIL_NOTIFICATION\" -s base notfSMTPEmailFrom notfSMTPEmailHost"
    		"Configuration XmlData"                     "-b \"$CONFXMLDATA\" -s base XmlData"
    
                    "Configuration RoleConfig nrf* attribute presence"                     "-b \"$ROLECONFIGURATIONATTR\" -s base -A |grep nrf"
                    "Number of Roles present in UserApp Driver"                     "-b \"$USERAPP_DRIVER\" -s sub \"(objectClass=nrfRole)\" DN|grep -i \"dn:\"|wc -l"
                    "Number of Resources present in UserApp Driver"                 "-b \"$USERAPP_DRIVER\" -s sub \"(objectClass=nrfResource)\" DN|grep -i \"dn:\"|wc -l"
                    "Number of PRD present in UserApp Driver"                     "-b \"$USERAPP_DRIVER\" -s sub  \"(&(objectClass=srvprvRequest)(srvprvStatus=Active)(srvprvProcessType=*))\" DN|grep \"cn=\"|grep -v \"with scope subtree\"|wc -l"
                    "Number of objects in Requests container"                     "-b \"$REQUESTS\" -s base subordinatecount |grep -i -e dn -e subordinatecount"
                    "Servers"                                                       "-b \"\" -s sub objectClass=NCPserver dn version"
    		"Certificates"                                                  "-b \"\" -s sub objectClass=NDSPKIKeyMaterial NDSPKINotAfter NDSPKISubjectName cn"
                    "CRLConfiguration"                                              "-b \"cn=security\" -s sub objectClass=ndspkiCRLConfiguration ndspkiDistributionPoints ndspkiCRLFileName"
                    "TreeRoot EBA attribute presence"                               "-b \"\" -s sub -A objectClass=TreeRoot  EBAPartitionConfiguration EBATreeConfiguration"
                    "DirXML Jobs"                                                   "-b \"\" -s sub objectClass=DirXML-Job DirXML-ServerList DirXML-TraceLevel DirXML-TraceFile DirXML-Scope DirXML-EmailServer XmlData"
                    "LDAP SCHEMA"                                                   "-b \"cn=schema\" -s base"

    They give a nice English name to each query, and you can see what they are doing in each case and probably learn something.

    So the missing resourceassociation is this line:

    "Resourceassociations missing nrfRole or nrfResource"	"-b \"cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,$USERAPP_DRIVER\" -s sub \"(&(objectclass=nrfResourceAssociation)(|(!(nrfResource=*))(!(nrfRole=*))))\" DN nrfResource nrfRole|grep -v \"#\"|grep -iv \"search:\"|grep -iv \"result:\" "
    

    So the query has -b, base, set to the AppConfig container, and the LDAP query itself is:

    (&(objectclass=nrfResourceAssociation)(|(!(nrfResource=*))(!(nrfRole=*))))

    Which you can break down to be more readable as:

    (&
        (objectclass=nrfResourceAssociation)
        (|
            (!(nrfResource=*))
            (!(nrfRole=*))
        )
    )

    Which is to say: find all the nrfResourceAssociation objects, AND also check if EITHER nrfRole or nrfResource is missing.

    There are a bunch of good and clever ideas in there.  Worth a read, I recommend it.  I have been working on shell scripts of late for tooling and this one gives me some ideas, so this was fun.
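
The filter logic broken down in the comment above, applied offline to LDIF text (for example `ldapsearch -LLL` output saved to a file), and generalized to any object class and attribute list so it also covers the "missing nrfLocalizedNames or nrfLocalizedDescrs" queries. This is an added example, not part of the support script or of the comment; the function names `find_missing` and `sample_ldif` and all sample DNs are constructed for illustration.

```shell
# find_missing OBJECTCLASS ATTR [ATTR...] < file.ldif
# Prints "dn<TAB>missing attrs" for each OBJECTCLASS entry lacking any ATTR:
# the same test as (&(objectclass=OC)(|(!(a1=*))(!(a2=*)))).
find_missing() {
    oc=$1; shift
    awk -v oc="$oc" -v req="$*" '
    function flush(   i, miss) {
        if (dn != "" && isoc) {
            for (i = 1; i <= n; i++)
                if (!(tolower(want[i]) in seen))
                    miss = (miss == "" ? "" : miss ",") want[i]
            if (miss != "") print dn "\t" miss
        }
        dn = ""; isoc = 0; last = ""; split("", seen)
    }
    BEGIN { n = split(req, want, " "); oc = tolower(oc) }
    /^#/ { next }                                           # LDIF comment
    /^$/ { flush(); next }                                  # blank line ends an entry
    /^ / { if (last == "dn") dn = dn substr($0, 2); next }  # folded line
    {
        p = index($0, ":"); if (p == 0) next
        name = tolower(substr($0, 1, p - 1)); sub(/;.*/, "", name)
        val = substr($0, p + 1); sub(/^:?[ ]*/, "", val); last = name
        if (name == "dn") dn = val
        else if (name == "objectclass") { if (tolower(val) == oc) isoc = 1 }
        else seen[name] = 1
    }
    END { flush() }'
}

# Constructed sample entries (hypothetical DNs, not real data).
sample_ldif() {
cat <<'EOF'
dn: cn=ok,cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,cn=UA,o=example
objectClass: nrfResourceAssociation
nrfRole: cn=r1,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UA,o=example
nrfResource: cn=res1,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,o=example

dn: cn=no-role,cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,cn=UA,
 o=example
objectClass: nrfResourceAssociation
nrfResource: cn=res1,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,o=example

dn: cn=r1,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UA,o=example
objectClass: nrfRole
EOF
}

sample_ldif | find_missing nrfResourceAssociation nrfResource nrfRole
```

Running `sample_ldif | find_missing nrfRole nrfLocalizedNames nrfLocalizedDescrs` reports the role entry instead, since the attribute names and object class are matched case-insensitively and only entries of the requested class are considered.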
