Reputation: 407
Using OpenAM 12.0.0.0, I found an issue with retrieving the group information of the currently logged-in user using the API
"/json/users/username/?_fields=ismemberof"
Scenario:
I tried this REST API after adding the user attribute "ismemberof" from the OpenAM console.
After that I retrieved the group information for the currently logged-in user using the REST API "/json/users/username/?_fields=ismemberof"
which returned this:
curl --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczExeheltxgjSN7wrCR5XhfEGF5kj6t6C4.*AAJTSQACMDEAAlNLABQtMzQ0NzM3MDc3MzE1MjMwNjEwOQ..*" "http://openam.server:8080/openam/json/users/indrani?_fields=ismemberof"
output:
{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}
After some time I removed my user from grp1 and saved from the OpenAM console, i.e. the current user now has only one group, grp2.
Again using the curl command to get the list of groups for the current user:
curl --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczExeheltxgjSN7wrCR5XhfEGF5kj6t6C4.*AAJTSQACMDEAAlNLABQtMzQ0NzM3MDc3MzE1MjMwNjEwOQ..*" "http://openam.server:8080/openam/json/users/indrani?_fields=ismemberof"
output:
{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}
The issue is that it gives the same response with two groups, even though the current user only has one group, i.e. it gives the old response.
This issue is solved if I restart the OpenAM server; then I get the expected result:
{"ismemberof":["cn=grp2,ou=groups,o=openam"]}
It should not take a restart of the OpenAM server to get the original response.
When I connect to my LDAP data store using active directory studio, I can see the values updated against the user for ismemberof, which is a virtual attribute, but when I hit curl the response is the old cached one only.
Upvotes: 1
Views: 2654
Reputation: 2744
Depending on the settings and data store used, OpenAM caches attributes of user identities. The cache is kept in sync with the real LDAP server by using either persistent search or notification change control (AD).
If your LDAP server does not support persistent search control, or you did not allow notification change control, the cache cannot be dirtied, hence OpenAM will return the outdated value for the identity attribute 'isMemberOf'.
Upvotes: 0
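A check for the condition the answer describes, as an added example that is not part of the original posts: it reads the directory's root DSE (saved as LDIF, for instance from an ldapsearch of the empty base DN) for the persistent search and AD change notification control OIDs, and lists groups the REST response still reports after the directory has dropped them. The function names and sample inputs are constructed for illustration, and an advertised control does not by itself show that the OpenAM data store is configured or permitted to use it.

```python
import json

# Well-known LDAP control OIDs for the two mechanisms the answer names.
PERSISTENT_SEARCH = "2.16.840.1.113730.3.4.3"  # persistent search control
AD_NOTIFICATION = "1.2.840.113556.1.4.528"     # Active Directory change notification

def supported_controls(rootdse_ldif):
    """Return the set of supportedControl OIDs found in root DSE LDIF text."""
    unfolded = []
    for line in rootdse_ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF continuation line: join to previous
        else:
            unfolded.append(line)
    oids = set()
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids

def change_mechanisms(rootdse_ldif):
    """Report which cache-invalidation controls the directory advertises."""
    oids = supported_controls(rootdse_ldif)
    return {"persistent_search": PERSISTENT_SEARCH in oids,
            "ad_notification": AD_NOTIFICATION in oids}

def stale_groups(rest_body, directory_groups):
    """Groups the REST response still lists but the directory no longer does."""
    cached = {g.lower() for g in json.loads(rest_body).get("ismemberof", [])}
    return sorted(cached - {g.lower() for g in directory_groups})

# Constructed sample: a root DSE that advertises neither change mechanism.
SAMPLE_ROOTDSE = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.
 3.4.2
supportedLDAPVersion: 3
"""
# REST body as shown in the question; directory state after removal from grp1.
SAMPLE_REST = '{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}'
SAMPLE_DIRECTORY = ["cn=grp2,ou=groups,o=openam"]

if __name__ == "__main__":
    print(change_mechanisms(SAMPLE_ROOTDSE))
    print(stale_groups(SAMPLE_REST, SAMPLE_DIRECTORY))
```

A non-empty result from stale_groups means the cached identity still carries a membership that was revoked in the directory, so any policy keyed on that group keeps granting access until the cache entry is refreshed.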