
isMemberOf attribute does not return current group membership details for a user in AM/OpenAM (All versions)

Last updated Jun 14, 2019

The purpose of this article is to provide information on getting up-to-date group membership details for a user in AM/OpenAM using the REST API and the DS/OpenDJ isMemberOf attribute.



Symptoms

The value of the isMemberOf attribute does not show the latest group membership data when queried via REST. For example, if you update a user's group membership and then perform a simple GET on that user (assuming your data store has been configured to use the isMemberOf attribute for group membership), you will see old membership data returned for the user:

Example

  1. Check the user's group membership:

     $ curl -X GET http://host1.example.com:8080/openam/json/realms/root/users/demo

     ...
     "isMemberOf": [
         "cn=adminGroup,ou=groups,dc=example,dc=com"
     ...

  2. Add the user to a new group:

     $ curl -X PUT -H "Content-type: application/json" -H "Accept-API-Version: resource=3.0" -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -d '{
         "uniquemember":["uid=demo,ou=people,dc=example,dc=com"]
     }' http://host1.example.com:8080/openam/json/realms/root/groups/newGroup

  3. Check the user's membership again:

     $ curl -X GET http://host1.example.com:8080/openam/json/realms/root/users/demo

     ...
     "isMemberOf": [
         "cn=adminGroup,ou=groups,dc=example,dc=com"
     ...

     The expected result is:

     "isMemberOf": [
         "cn=newGroup,ou=groups,dc=example,dc=com"
     ...


You can see the correct group membership details on the Identities page (previously the Subjects tab) in the AM/OpenAM console.

Recent Changes

N/A

Causes

The 'isMemberOf' attribute is a virtual operational attribute in DS/OpenDJ. Virtual attributes are not updated by the persistent search mechanism, so AM/OpenAM never receives the change notification that a regular attribute would trigger, and it keeps serving the cached isMemberOf values as if they were still current.

The Identities page within the console queries the membership of LDAP static groups and does not rely on caching at all, which is why this view is accurate.

Solution

A new option has been added to the users endpoint in AM 6 that allows you to query groups for an individual user. For example:

$ curl -X GET -H 'Accept: application/json' 'http://host1.example.com:8080/openam/json/realms/root/users/demo/groups?_queryFilter=true'

Example response:

{
  "result": [
    {
      "_id": "newGroup",
      "_rev": "635651178",
      "groupname": "newGroup"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": 0
}

isMemberOf attribute

You can use one of the following options to ensure current information is returned when using the isMemberOf attribute:

  • Perform a pseudo update on a user entry when group memberships are changed to trigger the persistent search notification. For example, when you change the group membership you could also do one of the following at the same time to trigger the persistent search notification:
    • Update an existing regular attribute (for example, mail) with the same value it already has.
    • Update a user attribute that's not used for other purposes.
  • Use time-based IdRepo cache aging (Time-to-Live) to give you confidence in data accuracy based on the cache age configured. See FAQ: Caching in AM/OpenAM (Q. How can I control caching for configuration and user data using ssoadm? > Time-to-Live) for further information on setting these properties.
  • Disable the IdRepo cache completely. See Setup and Maintenance Guide › To Turn Off Global User Data Caching for further information. You should test this in a pre-production environment first to assess what impact this has on your setup.

Caution

Disabling the IdRepo cache can have a severe negative impact on performance, since AM/OpenAM must query the data store each time it needs data when caching is disabled. Additionally, there is a known issue in OpenAM 13.0: OPENAM-8269 ("AuthId JWT Signature not valid" error in multi-instance deployments on 13). See Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error for further information.
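The following added example (not ForgeRock code) ties the two points above together: it compares the cached isMemberOf values from a user entry with the authoritative result of the AM 6 users/{id}/groups query to detect stale membership, and builds the body for the pseudo-update workaround (rewriting a regular attribute such as mail with its existing value). The sample user entry and groups response are constructed to mirror the symptom in this article; the regular expression for extracting the group cn is an assumption about the DN layout shown above.

```python
"""Detect stale isMemberOf cache data by comparing it against the
/users/{id}/groups endpoint, and build the pseudo-update body that
triggers a persistent-search notification. Added example, not
ForgeRock code; sample responses below are constructed."""
import json
import re

# Assumes group DNs lead with cn=<name>, as in the article's examples.
RDN_CN = re.compile(r"^cn=([^,]+),", re.IGNORECASE)


def group_names_from_dns(dns):
    """Reduce DNs like cn=newGroup,ou=groups,dc=example,dc=com to the
    cn value, which is what AM reports as the group _id."""
    names = set()
    for dn in dns:
        match = RDN_CN.match(dn.strip())
        if match:
            names.add(match.group(1))
    return names


def groups_from_query(groups_response):
    """Authoritative group names from ?_queryFilter=true on the
    users/{id}/groups endpoint (AM 6 and later)."""
    return {g["_id"] for g in groups_response.get("result", [])}


def membership_drift(user_entry, groups_response):
    """Return (stale, missing): stale = groups the cached isMemberOf still
    lists but the authoritative query does not; missing = the reverse.
    Both sets empty means the IdRepo cache is current for this user."""
    cached = group_names_from_dns(user_entry.get("isMemberOf", []))
    actual = groups_from_query(groups_response)
    return cached - actual, actual - cached


def pseudo_update_payload(user_entry, attr="mail"):
    """Body for the workaround above: write a regular attribute back with
    its existing value so DS emits a persistent-search notification and
    AM refreshes the cached entry, including the virtual isMemberOf."""
    if attr not in user_entry:
        raise KeyError(f"user has no {attr!r} attribute to rewrite")
    return {attr: user_entry[attr]}


# Constructed sample data: cache still shows adminGroup, DS says newGroup.
CACHED_USER = {
    "username": "demo",
    "mail": ["demo@example.com"],
    "isMemberOf": ["cn=adminGroup,ou=groups,dc=example,dc=com"],
}
GROUPS_QUERY = {"result": [{"_id": "newGroup", "groupname": "newGroup"}],
                "resultCount": 1}

if __name__ == "__main__":
    stale, missing = membership_drift(CACHED_USER, GROUPS_QUERY)
    print("stale:", sorted(stale), "missing:", sorted(missing))
    print(json.dumps(pseudo_update_payload(CACHED_USER)))
```

In a live check, feed membership_drift the JSON from the two GET requests shown in this article; a non-empty result confirms the cache, not the directory, is what the REST call is reporting.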

See Also

FAQ: Caching in AM/OpenAM

isMemberOf values not returned with an anonymous ldapsearch in OpenDJ 2.6.3, 2.6.4 and 3.0

Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9030 (Improve group management implementation)

OPENAM-8521 (CacheBlockBase will deadlock when com.sun.identity.idm.cache.entry.expire.enabled=true)

OPENAM-8269 ("AuthId JWT Signature not valid" error in multi-instance deployments on 13)



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.