DJLDAPv3Repo plugin class in OpenAM 11.0.0 causes User has no profile in this organization error when user authenticates

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you receive a User has no profile in this organization message when a user authenticates in OpenAM 11.0.0. This occurs when the attribute used in the LDAP entry's RDN is not the attribute the user authenticated with (for example, an Active Directory entry whose RDN is the CN while users authenticate with sAMAccountName); it only affects the LDAP and Active Directory® authentication modules and is caused by the DJLDAPv3Repo plugin class that was introduced in OpenAM 11.0.0.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following message is shown after the user's credentials have been successfully validated by the LDAP or Active Directory authentication module:

User has no profile in this organization

An error similar to the following is shown when you click on any user in the Subjects tab in the OpenAM console or make a REST call to the /json/users endpoint (or legacy /identity/attributes endpoint):

Identity John Doe of type user not found

Recent Changes

Upgraded to OpenAM 11.0.0.

Implemented an LDAP or Active Directory authentication module.

Changed the Authentication Naming Attribute (sun-idrepo-ldapv3-config-auth-naming-attr) and / or the LDAP Users Search Attribute (sun-idrepo-ldapv3-config-users-search-attribute) so that the configured attribute is no longer the one used in the LDAP entry's RDN.

Causes

OpenAM 11.0.0 uses the DJLDAPv3Repo plugin class rather than the LDAPv3Repo plugin class for the Generic LDAPv3 data store. This updated plugin changes how the Authentication Naming Attribute and LDAP Users Search Attribute are used: when it searches for a user it always returns the value of the entry's RDN rather than the value of the search attribute. As a result, the authentication module finds the entry and the user authenticates successfully, but the subsequent profile lookup is made with the RDN value (for example, the CN) as the user name, so the user's profile is not found.

Note

The User has no profile in this organization message can also be caused by ordinary misconfiguration of the data store or authentication module, in which case the upgrade described below will not resolve it.

Solution

This issue can be resolved by upgrading to OpenAM 11.0.1 or later; you can download this from BackStage. This reverts the way in which the Authentication Naming and LDAP Users Search attributes are used to match pre-11.0.0 versions of OpenAM. The Authentication Naming Attribute is now only used to find the user when performing authentication and the LDAP Users Search Attribute is used in other cases when searching for users.
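The following Python script is an added example and is not ForgeRock code. It models the behaviour described in the Causes and Solution sections: it parses a small LDIF export of user entries, replays the two lookups OpenAM performs at login (find the entry by the Authentication Naming Attribute, then load the profile by the LDAP Users Search Attribute) under the 11.0.0 rule (the RDN value is handed back) and the 11.0.1+ rule (the matched naming-attribute value is handed back, which is the assumed model of the fix), and lists the entries whose RDN value will not be found by the search attribute. The sample entries, the DNs and the account names are constructed for the example.

```python
# Added example (not ForgeRock code): replays OpenAM's two post-login lookups under
# the 11.0.0 (DJLDAPv3Repo) and 11.0.1+ rules described in the article.
import base64
import re

# Constructed sample (not from the article): AD-style entries whose RDN is the CN,
# as exported by `ldapsearch -LLL`. Only bsmith has CN == sAMAccountName.
SAMPLE_LDIF = r"""
dn: CN=John Doe,OU=Users,DC=example,DC=com
cn: John Doe
sAMAccountName: jdoe

dn: CN=bsmith,OU=Users,DC=example,DC=com
cn: bsmith
sAMAccountName: bsmith

dn: CN=Doe\, Jane,OU=Users,DC=example,DC=com
cn: Doe, Jane
sAMAccountName: jane.doe
"""

def parse_ldif(text):
    """Minimal LDIF parser -> list of (dn, {attr_lower: [values]}).
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:                              # LDAP attribute names are case-insensitive
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def leftmost_rdn(dn):
    """(attribute, value) of the leftmost RDN, honouring backslash escapes such as 'Doe\\, Jane'.
    Multi-valued RDNs (a=1+b=2) are not handled; the model does not need them."""
    chars, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                             # keep the escaped character literally
        chars.append(dn[i])
        i += 1
    attr, _, value = "".join(chars).partition("=")
    return attr.strip().lower(), value.strip()

def find_by_attr(entries, attr, value):
    """First entry whose attribute holds `value` (case-insensitive), else None."""
    for dn, attrs in entries:
        if any(v.lower() == value.lower() for v in attrs.get(attr.lower(), [])):
            return dn, attrs
    return None

def simulate_login(entries, naming_attr, search_attr, username, version):
    """1. The LDAP/AD auth module finds the entry by the Authentication Naming Attribute.
    2. The identity repository loads the profile by the LDAP Users Search Attribute, using
       the name the data store handed back: in 11.0.0 the RDN value, in 11.0.1+ the
       matched naming-attribute value (assumed model of the fix)."""
    hit = find_by_attr(entries, naming_attr, username)
    if hit is None:
        return {"authenticated": False, "identity_name": None, "profile_found": False}
    dn, attrs = hit
    if version == "11.0.0":
        identity_name = leftmost_rdn(dn)[1]
    else:
        identity_name = next(v for v in attrs[naming_attr.lower()] if v.lower() == username.lower())
    return {"authenticated": True, "identity_name": identity_name,
            "profile_found": find_by_attr(entries, search_attr, identity_name) is not None}

def entries_at_risk(entries, search_attr):
    """DNs whose RDN value is not one of the entry's search-attribute values: these users
    authenticate on 11.0.0 but then get 'User has no profile in this organization'."""
    risky = []
    for dn, attrs in entries:
        rdn_value = leftmost_rdn(dn)[1].lower()
        if rdn_value not in (v.lower() for v in attrs.get(search_attr.lower(), [])):
            risky.append(dn)
    return risky

if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for ver in ("11.0.0", "11.0.1"):
        print(ver, simulate_login(users, "sAMAccountName", "sAMAccountName", "jdoe", ver))
    print("at risk on 11.0.0:", entries_at_risk(users, "sAMAccountName"))
```

Running it shows jdoe authenticating under both rules but only obtaining a profile under 11.0.1+, because on 11.0.0 the name carried forward is the CN "John Doe", which the sAMAccountName search cannot match. Feeding entries_at_risk a real export of your user container (ldapsearch with the attributes you have configured) tells you which accounts will hit the error before you upgrade, and an empty list is what you expect once the RDN attribute and the LDAP Users Search Attribute agree.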

See Also

OpenAM Administration Guide › Defining Authentication Services › Hints for the Active Directory Authentication Module

OpenAM Administration Guide › Defining Authentication Services › Hints for the LDAP Authentication Module

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3428 (DJLDAPv3Repo breaks Active Directory when using sAMAccountName as naming attribute with the DN being the CN)

OPENAM-3385 (DJLDAPv3Repo Error Unexpected Results Returned when searching Active Directory users from the root)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.