Solutions

Warnings about identity mappers on startup after upgrading to DS 6.x

Last updated Nov 6, 2019

The purpose of this article is to provide assistance if you see warnings about an identity mapper that "references attribute type uid which does not have an equality index defined in backend cfgStore" on startup. These warnings only occur after installing or upgrading to DS 6.x.


Symptoms

The following warnings are shown in the Errors log after starting DS:

[25/Sep/2019:17:11:39 +0200] category=EXTENSIONS severity=WARNING msgID=566 msg=The regular expression identity mapper defined in configuration entry cn=Regular Expression,cn=Identity Mappers,cn=config references attribute type uid which does not have an equality index defined in backend cfgStore
[25/Sep/2019:17:11:39 +0200] category=EXTENSIONS severity=WARNING msgID=565 msg=The exact match identity mapper defined in configuration entry cn=Exact Match,cn=Identity Mappers,cn=config references attribute type uid which does not have an equality index defined in backend cfgStore

Recent Changes

Upgraded to, or installed DS 6 or later.

Causes

DS has two identity mappers (Exact Match and Regular Expression) which are described in the documentation: Developer's Guide › Authenticating To the Directory Server. They use the match-attribute specified for searching; by default this attribute is uid, but you can choose a different attribute if required.

As of DS 6, a warning is now included in the logs if this match-attribute is not indexed on the appropriate backend.

Solution

This issue can be resolved by creating an index for the attribute specified in the warning. For example, with the log snippets above, you would need to create an equality index for the uid attribute on the cfgStore backend. See Administration Guide › Create a New Index for further information.

Disabling identity mappers

If you do not use identity mappers at all (that is, there are no entries using the specified attribute (for example, uid) in the AM configuration store or CTS backend) you can disable them. However, if cfgStore is the AM configuration store, you will have uid=amadmin at the very least so would need to leave the identity mappers enabled.

You can disable an identity mapper using the dsconfig delete-identity-mapper command, for example:

$ ./dsconfig delete-identity-mapper --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --mapper-name mapperName --trustAll --no-prompt

See Also

How do I verify indexes in DS/OpenDJ (All versions) are correct?

How do I troubleshoot issues with my indexes in DS/OpenDJ (All versions)?

Configuration Reference › Identity Mapper

Configuration Reference › Exact Match Identity Mapper Properties: match-attribute

Configuration Reference › Regular Expression Identity Mapper Properties: match-attribute

Administration Guide › Configuring and Rebuilding Indexes

Administration Guide › Index Types and Their Functions

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and TrademarksCopyright © 2019 ForgeRock, all rights reserved.
Loading...