Permission to perform the read operation denied with not embedded DataStore user

Permission to perform the read operation denied with not embedded DataStore user

Ana Pereyra
Hi everybody. We have been working with custom realms and are stuck with a problem: when we use the default realm and create a user in the embedded DataStore, we authenticate successfully and receive the expected token. We can retrieve information about the user. Besides, we have created a new realm and created users there. We authenticate successfully and receive the token, but when trying to retrieve the user's information we get the following error:

{
 "code": 403,
 "reason": "Forbidden",
 "message": "Permission to perform the read operation denied to cn=plozana,ou=Personas,ou=Usuarios,o=Telecom"
}

To sum up, when the user authenticates against the root realm, we are able to get the user information, but when we use another realm that is not the default one, we get an error. How do we configure the realm permissions so each user can read his own attributes? Thank you very much.

Ana Pereyra
 Identicum S.A.
Anchorena 1357 PB, Argentina
Tel: +54 (11) 4824.9971

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Permission to perform the read operation denied with not embedded DataStore user

Bernhard Thalmayr
Which OpenAM version and which REST call is being used?

-Bernhard




--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
Re: Permission to perform the read operation denied with not embedded DataStore user

Ana Pereyra
Thanks for replying. The OpenAM version is 12. Here is the REST call we are making:

0- Realm: test

1- Authenticate
Endpoint: http://openam.example.com:8080/openam/json/authenticate?realm=/test
Header:
 - X-OpenAM-Username : plozana
 - X-OpenAM-Password: xxxxxx

Returns:
{
  "tokenId": "AQIC5wM2LY4SfcyUxBWdvuSm3w0ky7MUH26VVDi8lbKmJGg.*AAJTSQACMDEAAlNLABM1NTU0MjY2ODY2OTI3OTU0MzEx*",
  "successUrl": "/openam/console"
}

2- Get user info
Endpoint: http://openam2.telecom.com:8080/openam/json/users/plozana
Header: iplanetDirectoryPro : {tokenId}
Returns:
{
  "code": 403,
  "reason": "Forbidden",
  "message": "Permission to perform the read operation denied to id=plozana,ou=user,o=test,ou=services,dc=openam,dc=forgerock,dc=org"
}

Re: Permission to perform the read operation denied with not embedded DataStore user

Bernhard Thalmayr
It seems you authenticated to the sub-realm 'test', but you want to read
the user identity from the default realm.

https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide#rest-api-read-identity

-Bernhard

Re: Permission to perform the read operation denied with not embedded DataStore user

Ana Pereyra

If I try doing it this way, I get the following error:

http://openam2.example.com:8080/openam/json/users/plozana?realm=/test

Response:
{
  "code": 404,
  "reason": "Not Found",
  "message": "Resource cannot be found."
}

Am I doing it the wrong way? Thank you very much.

Re: Permission to perform the read operation denied with not embedded DataStore user

Mike Woodburne

Hi Ana

 

Try it like this, including the subrealm in the URI:

http://openam2.example.com:8080/openam/json/test/users/plozana

 

 

Re: Permission to perform the read operation denied with not embedded DataStore user

Ana Pereyra

Thank you very much for answering so fast. I tried it like that but got the same error:

Endpoint: http://openam2.example.com:8080/openam/json/test/users/plozana

{
  "code": 404,
  "reason": "Not Found",
  "message": "Resource cannot be found."
}

Maybe a little more background helps:

1. Realm = /test

2. Organization / Administrator authentication : ldapService (datastore)

3. Datastore: Generic LDAPv3 (Novell eDirectory)

Do you need more information about the configuration? Thank you all.

Re: Permission to perform the read operation denied with not embedded DataStore user

Bernhard Thalmayr
On 13/06/16 at 21:22, Ana Pereyra wrote:
> Thank you very much for answering so fast. I tried it like that but got
> the same error:

It's by far not the same error: you now have permission to read the
identity, but OpenAM cannot find it in the configured user data stores.

You may enable 'message' level debug logging and check the IdRepo debug log
to see why OpenAM cannot find the user identity (most likely a
configuration issue with the user data store).

-Bernhard

>
> Endpoint: http://openam2.example.com:8080/openam/json/test/users/plozana
>
> {
>   "code": 404,
>   "reason": "Not Found",
>   "message": "Resource cannot be found."
> }
>
> Maybe a little more background helps:
>
> 1. Realm = /test
>
> 2. Organization / Administrator authentication : ldapService (datastore)
>
> 3. Datastore: Generic LDAPv3 (Novell eDirectory)
>
> Do you need more information about the configuration? Thank you all.
>
> On Jun 13, 2016 3:50 PM, "Mike Woodburne" <[hidden email]> wrote:
>
>> Hi Ana
>>
>> Try it like this, including the subrealm in the URI:
>> http://openam2.example.com:8080/openam/json/test/users/plozana
>>
>>
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Ana Pereyra
>> Sent: Monday, June 13, 2016 2:29 PM
>> To: Bernhard Thalmayr <[hidden email]>
>> Cc: Users <[hidden email]>
>> Subject: Re: [OpenAM] Permission to perform the read operation denied with not embedded DataStore user
>>
>> If I try doing it this way, I get the following error:
>> http://openam2.example.com:8080/openam/json/users/plozana?realm=/test
>>
>> Response:
>> {
>>   "code": 404,
>>   "reason": "Not Found",
>>   "message": "Resource cannot be found."
>> }
>>
>> Am I doing it the wrong way? Thank you very much.
>>
>> On Jun 13, 2016 2:59 PM, "Bernhard Thalmayr" <[hidden email]> wrote:
>>
>>>
>>> It seems you authenticated to the sub-realm 'test', but you want to read
>>> the user identity from the default realm.
>>>
>>> https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide#rest-api-read-identity
>>>
>>> -Bernhard
>>>
>>> On 13/06/16 at 17:20, Ana Pereyra wrote:
>>> > Thanks for replying. The OpenAM version is 12. Here is the REST call we
>>> > are making:
>>> >
>>> > 0- Realm: test
>>> >
>>> > 1- Authenticate
>>> > Endpoint: http://openam.example.com:8080/openam/json/authenticate?realm=/test
>>> > Header:
>>> >  - X-OpenAM-Username : plozana
>>> >  - X-OpenAM-Password: xxxxxx
>>> >
>>> > Returns:
>>> > {
>>> >   "tokenId": "AQIC5wM2LY4SfcyUxBWdvuSm3w0ky7MUH26VVDi8lbKmJGg.*AAJTSQACMDEAAlNLABM1NTU0MjY2ODY2OTI3OTU0MzEx*",
>>> >   "successUrl": "/openam/console"
>>> > }
>>> >
>>> > 2- Get user info
>>> > Endpoint: http://openam2.telecom.com:8080/openam/json/users/plozana
>>> > Header: iplanetDirectoryPro : {tokenId}
>>> > Returns:
>>> > {
>>> >   "code": 403,
>>> >   "reason": "Forbidden",
>>> >   "message": "Permission to perform the read operation denied to
>>> > id=plozana,ou=user,o=test,ou=services,dc=openam,dc=forgerock,dc=org"
>>> > }
>>> >


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

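A small client that performs the two calls from this thread with the realm carried consistently through both of them, added here as an example; it is not code from the thread or from ForgeRock. The host names, realm and username are the ones quoted above, the password is a placeholder, and the status mapping in classify() restates Bernhard's reading of the 403 and 404 responses.

```python
import json
import urllib.error
import urllib.request

SESSION_HEADER = "iplanetDirectoryPro"  # session header name used in the thread

def normalise_realm(realm):
    """'/test', 'test' and '/' all reduce to the bare realm name ('' for root)."""
    return realm.strip("/")

def authenticate_url(base, realm):
    # OpenAM 12 takes the realm as a query parameter on the authenticate endpoint.
    return f"{base}/json/authenticate?realm=/{normalise_realm(realm)}"

def identity_url(base, realm, username):
    # The realm is a path segment before /users, as Mike suggested. Omitting it
    # reads the identity from the top-level realm, which is the 403 in the thread.
    seg = normalise_realm(realm)
    prefix = f"{base}/json/{seg}" if seg else f"{base}/json"
    return f"{prefix}/users/{username}"

def classify(status, body):
    """Translate the responses seen in the thread into what an operator should check."""
    if status == 200:
        return "ok"
    if status == 403:
        return "forbidden: token is for a user of another realm, or self-read is not allowed"
    if status == 404:
        return "not found: identity is not in this realm's user data store (check IdRepo debug)"
    return f"unexpected {status}: {body.get('message', '')}"

def call(url, headers, method="GET"):
    # OpenAM's /json endpoints answer errors with a JSON body, so decode both paths.
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def read_own_identity(base, realm, username, password):
    # Step 1: authenticate in the realm; step 2: read the identity from the same realm.
    status, body = call(authenticate_url(base, realm), {
        "X-OpenAM-Username": username, "X-OpenAM-Password": password,
        "Content-Type": "application/json"}, "POST")
    if status != 200:
        return classify(status, body)
    status, body = call(identity_url(base, realm, username), {SESSION_HEADER: body["tokenId"]})
    return classify(status, body)

if __name__ == "__main__":  # password is a placeholder, not a value from the thread
    print(read_own_identity("http://openam2.example.com:8080/openam", "/test", "plozana", "xxxxxx"))
```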