Tuesday, January 28, 2020

OpenIDM LDAP connector types (LiveSync, Implicit Sync)


1. LiveSync:
   Syncs changes from LDAP into OpenIDM (LDAP --> OpenIDM).

2. Implicit Sync:
   Syncs changes from OpenIDM out to LDAP (OpenIDM --> OpenDJ).

Monday, January 27, 2020

openidm error SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!



Error while configuring OpenAM with OpenDJ

SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!


Solution:

The usual cause is that OpenIDM is unable to reach OpenDJ.

Check that the DS server information is correct in the following:

1. DNS name resolution
2. openidm/db/ds/conf/repo.ds-external.json


forgerock OpenIDM and OpenAM integration error "accountClaiming" "Access Denied"


After integrating OpenIDM with OpenAM, when you try to log in to the OpenIDM admin console you are sent to a URL containing "accountClaiming" and get an "Access Denied" error.

Solution:

During integration you should have specified a value for "Authorized OIDC SSO Clients"; if you missed it you will get this error. This property is located at

Services --> OAuth2 Provider --> Advanced OpenID Connect

Enter the value "openidm" for "Authorized OIDC SSO Clients" and SAVE.

Now try to log in to the console again. You should be able to log in to the IDM console with an OpenAM username. Any user you try to log in with must exist in OpenDJ.

Friday, January 24, 2020

OpenIDM and OpenAM integration error redirect_uri_mismatch

During integration of OpenIDM and OpenAM, once you change the Directory service from local to OpenDJ you will get this error when you try to log in.

Solution:

1. Log in to OpenAM.
2. Click on the Top Level Realm.
3. From the left side select Applications --> OAuth 2.0.
4. On the CORE tab go to Redirection URIs.
5. Enter the same URL you put in during the "Configure ForgeRock Identity Provider" section, "Configure Access Management" step, "Redirection URIs" property.

Correcting this value will fix the error.


Friday, January 17, 2020

SEVERE: Bundle: org.forgerock.openidm.repo-jdbc [8] FrameworkEvent ERROR


SEVERE: Bundle: org.forgerock.openidm.repo-jdbc [8] FrameworkEvent ERROR
org.apache.felix.log.LogException: org.osgi.framework.BundleException: Activator start error in bundle org.forgerock.openidm.repo-jdbc [8]

        at org.apache.felix.framework.Felix.activateBundle(Felix.java:2290)
        at org.apache.felix.framework.Felix.startBundle(Felix.java:2146)
        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373)
        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.felix.log.LogException: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Communications link failure

Solution:

The error was fixed by appending &useSSL=false to the jdbcUrl in the datasource.jdbc-default.json file:

"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=false"


ClassNotFoundException: com.mysql.jdbc.Driver not found by org.forgerock.openidm.datasource



Using LOGGING_CONFIG: -Djava.util.logging.config.file=/../../forgerock/openidm/conf/logging.properties
[15] Jan 17, 2020 9:53:37.157 PM org.forgerock.openidm.config.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.repo-jdbc [8] FrameworkEvent ERROR
org.apache.felix.log.LogException: org.osgi.framework.BundleException: Activator start error in bundle org.forgerock.openidm.repo-jdbc [8].
        at org.apache.felix.framework.Felix.activateBundle(Felix.java:2290)
        at org.apache.felix.framework.Felix.startBundle(Felix.java:2146)
        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373)
        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.felix.log.LogException: java.lang.RuntimeException: Failed to load class of driverClassName com.mysql.jdbc.Driver
        at com.zaxxer.hikari.HikariConfig.setDriverClassName(HikariConfig.java:323)
        at org.forgerock.openidm.datasource.jdbc.impl.HikariCPDataSourceFactory.newInstance(HikariCPDataSourceFactory.java:33)
        at org.forgerock.openidm.datasource.jdbc.impl.JDBCDataSourceService.initDataSourceService(JDBCDataSourceService.java:133)
        at org.forgerock.openidm.datasource.jdbc.impl.JDBCDataSourceService.newInstance(JDBCDataSourceService.java:124)
        at org.forgerock.openidm.datasource.jdbc.JDBCDataSourceServiceFactory.newInstance(JDBCDataSourceServiceFactory.java:128)
        at org.forgerock.openidm.repo.jdbc.impl.Activator.start(Activator.java:68)
        at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:697)
        at org.apache.felix.framework.Felix.activateBundle(Felix.java:2240)
        ... 4 more
Caused by: java.lang.ClassNotFoundException: com.mysql.jdbc.Driver not found by org.forgerock.openidm.datasource [6]
        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639)
        at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80)
        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at com.zaxxer.hikari.HikariConfig.setDriverClassName(HikariConfig.java:318)
        ... 11 more


Cause:

The MySQL JDBC driver .jar (the one that provides com.mysql.jdbc.Driver) was not copied under openidm/bundle.

Copying it there will fix this error.
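A small conf-directory check, added here as an example that is not the page's or ForgeRock's own code, covering the three OpenIDM start-up errors above: it pulls the DS host and port out of repo.ds-external.json and tests DNS and TCP reachability (the connector test failure), sets useSSL on a jdbcUrl without duplicating parameters (the Communications link failure), and looks for the MySQL driver jar among the files in openidm/bundle (the ClassNotFoundException). The repo.ds-external.json layout (ldapConnectionFactories.bind.primaryLdapServers) and the jar name pattern mysql-connector*.jar are assumptions.

```python
import json
import socket
import sys

# Constructed sample of the part of repo.ds-external.json read here (layout assumed).
SAMPLE_REPO_DS = {"ldapConnectionFactories": {"bind": {
    "connectionSecurity": "ssl",
    "primaryLdapServers": [{"hostname": "ds.example.com", "port": 1636}],
    "secondaryLdapServers": []}}}

def ds_servers(repo_conf):
    """Return the (hostname, port) pairs OpenIDM will try for its DS repository."""
    bind = repo_conf["ldapConnectionFactories"]["bind"]
    servers = bind.get("primaryLdapServers", []) + bind.get("secondaryLdapServers", [])
    return [(s["hostname"], int(s["port"])) for s in servers]

def check_ds_reachable(host, port, timeout=3.0):
    """'dns-failure', 'tcp-failure' or 'ok'; no LDAP or TLS handshake is attempted."""
    try:
        socket.gethostbyname(host)
    except socket.gaierror:
        return "dns-failure"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError:
        return "tcp-failure"

def set_use_ssl(jdbc_url, enabled):
    """Return jdbc_url with useSSL=<enabled>, replacing or appending the parameter."""
    base, sep, query = jdbc_url.partition("?")  # OpenIDM's &{...} refs contain no '?'
    pairs = [p for p in query.split("&") if p] if sep else []
    wanted = "useSSL=" + ("true" if enabled else "false")
    for i, p in enumerate(pairs):
        if p.split("=", 1)[0].lower() == "usessl":
            pairs[i] = wanted
            break
    else:
        pairs.append(wanted)
    return base + "?" + "&".join(pairs)

def mysql_driver_present(jar_names):
    """True if a jar matching the assumed Connector/J name mysql-connector*.jar is listed."""
    return any(n.startswith("mysql-connector") and n.endswith(".jar") for n in jar_names)

if __name__ == "__main__":
    conf = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPO_DS
    for host, port in ds_servers(conf):
        print(host, port, check_ds_reachable(host, port))
```

useSSL=false turns off TLS between OpenIDM and MySQL, so treat the fix above as a diagnostic step and re-enable TLS once the driver/server TLS setup behind the communications link failure is sorted out.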

Thursday, December 5, 2019

opendj rename using ./dsconfig error Unable to connect to the server at "dsa.avantastech.com" 4444

Issue:

I followed the ForgeRock OpenDJ rename instructions and was getting an unable-to-connect error, even though the LDAP server was up and running.


./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 5444 --hostname dsa.avantastech.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsb.avantastech.com --trustAll

Unable to connect to the server at "dsa.avantastech.com" on port 5444



Instructions I followed:

How do I change the hostname for DS/OpenDJ (All versions)?

The purpose of this article is to provide information on changing the hostname for a DS/OpenDJ server. This article covers both replicated and non-replicated servers.

Changing the hostname

This process uses the following example server hostnames:
  • Original hostname: dsA.example.com
  • New hostname: dsB.example.com
  • Hostname of another replicated server: dsZ.example.com
To change the server hostname:
  1. Direct client applications to other servers.
  2. Prevent the server from accepting updates from client applications using the following command:
    $ ./dsconfig set-global-configuration-prop --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:internal-only --trustAll --no-prompt
    
  3. If the server is replicated, disable replication using the dsreplication command applicable to your version:
    • DS 5 and later:
      $ ./dsreplication unconfigure --unconfigureAll --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --adminPassword password --trustAll --no-prompt
    • Pre-DS 5:
      $ ./dsreplication disable --disableAll --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --adminPassword password --trustAll --no-prompt
      
  4. Change the hostname details in the /etc/hosts file and/or on the DNS.
  5. Change the server-fqdn in the DIGEST-MD5 entry using the following command:
    $ ./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsB.example.com --trustAll
    
  6. Restart DS/OpenDJ:
    $ ./stop-ds
    $ ./start-ds
  7. Regenerate all self-signed certificates. See Administration Guide › Preparing For Secure Communications and Administration Guide › Changing Server Certificates for further information.
  8. Restart DS/OpenDJ:
    $ ./stop-ds
    $ ./start-ds
  9. If the server was replicated, enable replication on the new server using the dsreplication command applicable to your version:
    • DS 5 and later:
      $ ./dsreplication configure --adminUid admin --adminPassword password --baseDn dc=example,dc=com --host1 dsZ.example.com --port1 4444 --bindDn1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 dsB.example.com --port2 4444 --bindDn2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt
    • Pre-DS 5:
      $ ./dsreplication enable --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 dsZ.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 dsB.example.com --port2 4444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt
  10. If the server was replicated, initialize the new server to ensure it has all the changes that have occurred since you disabled replication:
    $ ./dsreplication initialize --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostSource dsZ.example.com --portSource 4444 --hostDestination dsB.example.com --portDestination 4444 --trustAll --no-prompt
  11. Re-enable the server to accept updates from client applications using the following command:
    $ ./dsconfig set-global-configuration-prop --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:enabled --trustAll --no-prompt

On step 5 I was getting the "unable to find server" error. I was using my local server's hosts file to change the DNS name, and the logs were showing that the server could not be found.

Solution:

I changed the command to

./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 4444 --hostname dsB.example.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsB.example.com --trustAll

and ran it. I got a confirmation prompt about the correct name; I selected option "f" to confirm and it worked.