DJLDAPv3Repo plugin class in OpenAM 11.0.0 causes User has no profile in this organization error when user authenticates
The purpose of this article is to provide assistance if you receive a User has no profile in this organization message when a user authenticates in OpenAM 11.0.0. This occurs when the LDAP entry RDN does not match the authenticated attribute and only affects the LDAP or Active Directory® authentication modules; it is caused by the DJLDAPv3Repo plugin class that was introduced in OpenAM 11.0.0.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following message is shown when the user successfully authenticates to OpenAM:
User has no profile in this organization
An error similar to the following is shown when you click on any user in the Subjects tab in the OpenAM console or make a REST call to the /json/users end point (or legacy /identity/attributes end point):
Identity John Doe of type user not found
Recent Changes
Upgraded to OpenAM 11.0.0.
Implemented an LDAP or Active Directory authentication module.
Changed the Authentication Naming Attribute (sun-idrepo-ldapv3-config-auth-naming-attr) and/or the LDAP Users Search Attribute (sun-idrepo-ldapv3-config-users-search-attribute) to an attribute that is no longer the one used in the LDAP entry RDN.
Causes
OpenAM 11.0.0 uses the DJLDAPv3Repo plugin class rather than the LDAPv3Repo plugin class for the Generic LDAPv3 data store. This updated plugin changes how the Authentication Naming and LDAP Users Search attributes are used: when searching, the RDN value of the matching entry is always returned rather than the value of the Search attribute. This means a user can successfully authenticate, but the value handed back for the subsequent profile lookup is the RDN value instead of the expected attribute value, so the authentication module cannot find the user profile.
Note
The User has no profile in this organization message can also occur as a result of misconfiguration.
Solution
This issue can be resolved by upgrading to OpenAM 11.0.1 or later; you can download this from BackStage. This reverts the way in which the Authentication Naming and LDAP Users Search attributes are used to match pre-11.0.0 versions of OpenAM. The Authentication Naming Attribute is now only used to find the user when performing authentication and the LDAP Users Search Attribute is used in other cases when searching for users.
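The following is an added illustration, not ForgeRock code, that models the two-step flow described above (authenticate by the Authentication Naming Attribute, then look up the profile by the LDAP Users Search Attribute) against constructed directory entries, comparing the 11.0.0 behaviour with the 11.0.1+ behaviour. The entries, the lookup functions and the simplified flow are assumptions for the demonstration; it also includes a small pre-check that lists entries whose RDN attribute differs from the configured attributes.

```python
# Constructed sample entries, not from a real directory: John's RDN attribute is
# uid, Jane's is cn. Attribute names are lower-cased for comparison.
SAMPLE_ENTRIES = [
    ("uid=jdoe,ou=people,dc=example,dc=com",
     {"uid": ["jdoe"], "mail": ["john.doe@example.com"], "cn": ["John Doe"]}),
    ("cn=Jane Roe,ou=people,dc=example,dc=com",
     {"uid": ["jroe"], "mail": ["jane.roe@example.com"], "cn": ["Jane Roe"]}),
]

def rdn_of(dn):
    """Return (attribute, value) of the leftmost RDN; single-valued RDNs only."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()

def find_by_attr(entries, attr, value):
    """First entry whose attribute holds the value (exact match, like an equality filter)."""
    for dn, attrs in entries:
        if value in attrs.get(attr.lower(), []):
            return dn, attrs
    return None

def login_profile(entries, login, auth_naming_attr, users_search_attr, fixed):
    """Simplified model (an assumption, not the product's code) of the flow:
    authenticate by the Authentication Naming Attribute, then look up the profile
    by the LDAP Users Search Attribute. fixed=False models DJLDAPv3Repo in 11.0.0
    (the RDN value is handed to the profile lookup); fixed=True models 11.0.1+
    (the Search attribute value is handed over). Returns the profile DN, or None
    for the 'User has no profile in this organization' case."""
    hit = find_by_attr(entries, auth_naming_attr, login)
    if hit is None:
        return None  # authentication itself fails; not the case this article covers
    dn, attrs = hit
    name = attrs[users_search_attr.lower()][0] if fixed else rdn_of(dn)[1]
    profile = find_by_attr(entries, users_search_attr, name)
    return profile[0] if profile else None

def mismatched_entries(entries, *configured_attrs):
    """DNs whose RDN attribute is none of the configured attributes, i.e. the
    entries that would hit this problem on 11.0.0. Usable as a pre-upgrade check."""
    wanted = {a.lower() for a in configured_attrs}
    return [dn for dn, _ in entries if rdn_of(dn)[0] not in wanted]

if __name__ == "__main__":
    for fixed in (False, True):
        print("11.0.1+" if fixed else "11.0.0 ",
              login_profile(SAMPLE_ENTRIES, "john.doe@example.com", "mail", "mail", fixed))
    print(mismatched_entries(SAMPLE_ENTRIES, "uid"))
```

With both attributes set to mail, John authenticates on 11.0.0 but his profile lookup receives "jdoe" (the RDN value) and fails; on 11.0.1+ the lookup receives his mail value and succeeds.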
Related Training
N/A