Known issues
This chapter contains a list of known issues and their possible solutions.
Unable to change the account’s login in LDAP_CAS
When an account’s login is changed in CzechIdM, the corresponding account in the LDAP_CAS system cannot be renamed. This behavior can be remedied by the following configuration change.
- In CzechIdM, open the detail of the LDAP_CAS system.
- In Schema, click the item __ACCOUNT__.
- Open the detail of the attribute uid.
- Uncheck the option Able to edit and save.
The CzechIdM service cannot be started
When using the container image bcv-czechidm:10.8.2-r1 or older, the following error can occur after 30/9/2021:
Oct 5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] Rebuilding CzechIdM...
Oct 5 12:28:06 localhost czechidm[28113]: sha256sum: node-v15.3.0-linux-x64.tar.gz: No such file or directory
Oct 5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] NodeJS 15.3.0 archive verification failed. Killing the rebuild...
Oct 5 12:28:06 localhost czechidm[28113]: tar (child): node-v15.3.0-linux-x64.tar.gz: Cannot open: No such file or directory
Oct 5 12:28:06 localhost czechidm[28113]: tar (child): Error is not recoverable: exiting now
Oct 5 12:28:06 localhost czechidm[28113]: tar: Child returned status 2
Oct 5 12:28:06 localhost czechidm[28113]: tar: Error is not recoverable: exiting now
This is caused by a certificate validation issue with the Let’s Encrypt certificate authority, whose original root certificate expired on 30/9/2021. To remedy the issue, use image version bcv-czechidm:10.8.2-r2 or higher. Container images for CzechIdM 11.x or higher are not affected by this issue.
- Edit the file /data/registry/node-active-config/docker-compose-czechidm.yml.
- Rewrite the value of the image setting to repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r2 and save the file.
- Restart the CzechIdM service: systemctl restart iam-czechidm.
Log4j library vulnerability CVE-2021-44228
Some older container images of CzechIdM and CAS can be affected by this vulnerability. To mitigate it, you need to change the parameters used to run the containerized applications.
Add a new environment property JAVA_OPTS_ADD to the compose file like this:
...
    environment:
      ...
      - JAVA_OPTS_ADD="-Dlog4j2.formatMsgNoLookups=true"
...
Make the change in the files /data/registry/node-active-config/docker-compose-cas.yml and /data/registry/node-active-config/docker-compose-czechidm.yml, then restart the iam-cas and iam-czechidm services.
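The compose-file change described above, as an added shell example that is not part of the IAM appliance documentation: it appends the JAVA_OPTS_ADD entry under the environment: list only when the key is not already present, so the script can be re-run without duplicating the line, and then reads the value back to confirm it landed. The helper functions compose_get_env and compose_add_env and the sample compose content are constructed for this example; they assume the list-style "- KEY=VALUE" layout shown in the snippet above.

```shell
#!/bin/sh
# Added example, not part of the IAM appliance documentation.
# Adds the Log4j mitigation flag to a compose file's "environment:" list
# without duplicating it, and verifies the result. Assumes the list-style
# "- KEY=VALUE" layout the documentation's snippet shows.

# Print the value of list-style environment entry KEY ("- KEY=VALUE") in FILE.
compose_get_env() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$2=//p" "$1" | head -n 1
}

# Append "- KEY=VALUE" (ENTRY) under the first "environment:" key of FILE
# unless KEY is already present. The new line is indented two spaces deeper
# than the "environment:" line. Returns non-zero if the entry did not land.
compose_add_env() {
    env_file=$1
    env_entry=$2
    env_key=${env_entry%%=*}
    if [ -n "$(compose_get_env "$env_file" "$env_key")" ]; then
        return 0          # already configured: nothing to do
    fi
    env_tmp=$(mktemp)
    awk -v entry="$env_entry" '
        { print }
        !done && /^[ \t]*environment:[ \t]*$/ {
            match($0, /^[ \t]*/)
            printf "%s  - %s\n", substr($0, 1, RLENGTH), entry
            done = 1
        }' "$env_file" > "$env_tmp" && mv "$env_tmp" "$env_file"
    [ "$(compose_get_env "$env_file" "$env_key")" = "${env_entry#*=}" ]
}

# Demo on a constructed compose fragment; on the appliance the real files are
# /data/registry/node-active-config/docker-compose-cas.yml and
# /data/registry/node-active-config/docker-compose-czechidm.yml.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/docker-compose-cas.yml
cat > "$demo_file" <<'EOF'
services:
  cas:
    image: repo.iamappliance.com:8443/bcv-cas:6.2.8.4-r1
    environment:
      - TZ=Europe/Prague
EOF
compose_add_env "$demo_file" 'JAVA_OPTS_ADD="-Dlog4j2.formatMsgNoLookups=true"'
compose_add_env "$demo_file" 'JAVA_OPTS_ADD="-Dlog4j2.formatMsgNoLookups=true"'   # second run is a no-op
cat "$demo_file"
# Then restart the service so the new JVM option takes effect:
#   systemctl restart iam-cas
rm -rf "$demo_dir"
```

The flag only switches off the message-lookup feature in the running JVM; it is a stop-gap, and moving to an image that ships a fixed Log4j version remains the durable fix.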
Spring Framework vulnerability CVE-2022-22965 (Spring4Shell)
The images of the CzechIdM and CAS applications are affected by this vulnerability. To mitigate it, it is necessary to update the affected containers to the following versions.
- CzechIdM 10.x (LTS): repo.iamappliance.com:8443/bcv-czechidm:10.8.5-r0 or any newer image of the 10.x line.
- CzechIdM 11.x: repo.iamappliance.com:8443/bcv-czechidm:11.2.5-r0
  - Use this image only if you cannot upgrade your environment to the 12.x line image.
- CzechIdM 12.x: repo.iamappliance.com:8443/bcv-czechidm:12.1.3-r0 or later.
- CAS: repo.iamappliance.com:8443/bcv-cas:6.2.8.4-r1 or later.
Update the images by editing the image version (look for the line starting with image:) in the files /data/registry/node-active-config/docker-compose-czechidm.yml and docker-compose-cas.yml (located in the same directory). Then restart the iam-czechidm and iam-cas services.
Unable to install some EPEL packages
Only packages from EPEL/Modular can be installed. The IAM appliance does not see any packages from the EPEL/Everything repository. This manifests, for example, when installing Let’s Encrypt (LE) certificate support:
[root@localhost ~]# dnf in iam-letsencrypt-support
Last metadata expiration check: 0:02:48 ago on Tue 19 Jul 2022 10:40:24 AM CEST.
Error:
 Problem: conflicting requests
  - nothing provides certbot >= 1.22 needed by iam-letsencrypt-support-0.1-0.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
This is caused by a bug in the IAM appliance repository definitions for CentOS 8 and for early Rocky 8 releases of the iam-appliance-repos package.
- First, update your iam-appliance-repos package at least to version 0.5. This update completely resolves the issue. To perform the update, run: dnf update iam-appliance-repos
- If you are on CentOS 8, this update is not available to you. Perform the following steps to fix the issue.
  - Edit the /etc/yum.repos.d/iam-centos8-epel.repo file.
  - Find the repository URL line: baseurl=https://$iam_username:$iam_password@repo.iamappliance.com/repository/centos_8_epel_modular/
  - Change it to: baseurl=https://$iam_username:$iam_password@repo.iamappliance.com/repository/centos_8_epel/
  - Save the file.