Article Number
000029599
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Admin API
RSA Version/Condition: 8.x
Issue
When using AddAMPrincipalCommand to add/register LDAP users, the subsequent LookupAMPrincipalCommand fails with a wrong type class error: it expects an IMSGUID but gets a DNGUID.
LookupAMPrincipalCommand failed: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.UnexpectedDataStoreException:
failed to lookup domain object of class:class com.rsa.authmgr.internal.admin.principalmgt.dal.AMPrincipal by
GUID:CN=userid,CN=Users,DC=org,DC=com
Caused by: org.springframework.orm.hibernate3.HibernateSystemException:
Provided id of the wrong type. Expected: class com.rsa.ims.common.IMSGUID, got class com.rsa.ims.common.DNGUID;
nested exception is org.hibernate.TypeMismatchException: Provided id of the wrong type.
Expected: class com.rsa.ims.common.IMSGUID, got class com.rsa.ims.common.DNGUID
Caused by: org.hibernate.TypeMismatchException: Provided id of the wrong type.
Expected: class com.rsa.ims.common.IMSGUID, got class com.rsa.ims.common.DNGUID
Cause
The LDAP users were added with AddAMPrincipalCommand, but that is for internal database users.
LDAP users need to be registered first with the RegisterPrincipalsCommand before they can be looked up with the LookupAMPrincipalCommand().
Resolution
Register the user first, then use AddAMPrincipalCommand, as shown in the sample code under Workaround below.
The line principal.setWindowsPassword("Password123!"); has been removed from that sample code because it is not needed.
Workaround
The solution is to register the user AND use AddAMPrincipalCommand. Here is some test code demonstrating a successful call to LookupAMPrincipalCommand:
...
PrincipalDTO user = lookupUser("Andele"); //unregistered LDAP user, GUID is still the LDAP DN
System.out.println("unregistered GUID is " + user.getGuid());
//register LDAP user in the internal database
RegisterPrincipalsCommand register = new RegisterPrincipalsCommand();
register.setPrincipalGuids(new String [] {user.getGuid()});
register.execute();
//now should see ims GUID
user = lookupUser("Andele");
System.out.println("GUID after registering is " + user.getGuid());
//now create AMPrincipal object keyed by the IMS GUID
AMPrincipalDTO principal = new AMPrincipalDTO();
principal.setGuid(user.getGuid());
principal.setBadPasscodes(3);
principal.setDefaultShell("/bin/sh");
principal.setDefaultUserIdShellAllowed(true);
//principal.setStaticPassword("12345678");
//principal.setStaticPasswordSet(true);
AddAMPrincipalCommand cmd = new AddAMPrincipalCommand(principal);
cmd.execute();
//must register and execute AddAMPrincipalCommand before the lookup succeeds
LookupAMPrincipalCommand amp = new LookupAMPrincipalCommand();
amp.setGuid(user.getGuid());
amp.execute();
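The same flow as a reusable guard, as an added example that is not part of the article: it registers the LDAP user only when the looked-up GUID still has the DN shape seen in the error above, so the call is safe to repeat. The import packages are assumed from the Authentication Manager SDK samples, lookupUser is the article's helper (its body is not shown in the article), PrincipalDTO.getUserID() is assumed to return the user ID, and the "DN-shaped GUID means unregistered" check is a heuristic, not a documented SDK contract.

```java
import com.rsa.admin.RegisterPrincipalsCommand;
import com.rsa.admin.data.PrincipalDTO;
import com.rsa.authmgr.admin.principalmgt.AMPrincipalDTO;
import com.rsa.authmgr.admin.principalmgt.AddAMPrincipalCommand;
import com.rsa.authmgr.admin.principalmgt.LookupAMPrincipalCommand;

public abstract class RegisterThenAdd {

    // The article's helper (hypothetical here): looks up a PrincipalDTO by user ID.
    abstract PrincipalDTO lookupUser(String userId) throws Exception;

    // Assumption: an unregistered LDAP user's GUID is rendered as its LDAP DN
    // (e.g. "CN=userid,CN=Users,DC=org,DC=com", as in the error above), while a
    // registered user carries an internal IMS GUID. This shape check is a heuristic.
    static boolean looksLikeDnGuid(String guid) {
        return guid != null && guid.matches("(?is)^\\s*cn=.*");
    }

    // Register the LDAP identity only if it is still DN-keyed, then re-read it
    // so the caller gets the IMS GUID that AddAMPrincipalCommand needs.
    PrincipalDTO ensureRegistered(PrincipalDTO user) throws Exception {
        if (!looksLikeDnGuid(user.getGuid())) {
            return user; // already has an IMS GUID; no second registration needed
        }
        RegisterPrincipalsCommand register = new RegisterPrincipalsCommand();
        register.setPrincipalGuids(new String[] { user.getGuid() });
        register.execute();
        return lookupUser(user.getUserID()); // getUserID() assumed to return the user ID
    }

    void addAmPrincipal(String userId) throws Exception {
        PrincipalDTO registered = ensureRegistered(lookupUser(userId));

        AMPrincipalDTO principal = new AMPrincipalDTO();
        principal.setGuid(registered.getGuid()); // IMS GUID, never the DN
        principal.setBadPasscodes(3);
        principal.setDefaultShell("/bin/sh");
        principal.setDefaultUserIdShellAllowed(true);
        new AddAMPrincipalCommand(principal).execute();

        // Confirm the lookup that previously failed with TypeMismatchException succeeds.
        LookupAMPrincipalCommand lookup = new LookupAMPrincipalCommand();
        lookup.setGuid(registered.getGuid());
        lookup.execute();
    }
}
```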