Known issues
This chapter contains a list of known issues and their possible solutions.
Non-public issues
Some known issues may not be made public. In such cases, they can be found in separate git branches in the source repository. If such branches were approved but not yet made public, they have a merge request assigned to them.
Unable to change the account’s login in LDAP_CAS
During a change of the account's login in CzechIdM, it is impossible to rename the account in the LDAP_CAS system. This behavior can be remedied by the following configuration change:
- In CzechIdM, open the detail of the LDAP_CAS system.
- In Schema, click the __ACCOUNT__ item.
- Open the detail of the uid attribute.
- Uncheck the option Able to edit and save.
After this change, provisioning no longer attempts to update the uid attribute, so the existing LDAP_CAS account keeps its original login.
The CzechIdM service cannot be started
When using the container image bcv-czechidm:10.8.2-r1 or older, the following error can occur after 30/9/2021:
Oct 5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] Rebuilding CzechIdM...
Oct 5 12:28:06 localhost czechidm[28113]: sha256sum: node-v15.3.0-linux-x64.tar.gz: No such file or directory
Oct 5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] NodeJS 15.3.0 archive verification failed. Killing the rebuild...
Oct 5 12:28:06 localhost czechidm[28113]: tar (child): node-v15.3.0-linux-x64.tar.gz: Cannot open: No such file or directory
Oct 5 12:28:06 localhost czechidm[28113]: tar (child): Error is not recoverable: exiting now
Oct 5 12:28:06 localhost czechidm[28113]: tar: Child returned status 2
Oct 5 12:28:06 localhost czechidm[28113]: tar: Error is not recoverable: exiting now
This is caused by a certificate validation issue: the original root certificate of the Let's Encrypt certificate authority expired on 30/9/2021, so the build script's download of the Node.js archive fails TLS validation, and the "No such file or directory" messages from sha256sum and tar are the consequence of the archive never having been downloaded. To remedy the issue, use image version bcv-czechidm:10.8.2-r2 or higher. Container images for CzechIdM 11.x or higher are not affected by this issue.
- Edit the file /data/registry/node-active-config/docker-compose-czechidm.yml.
- Rewrite the value of the image setting to repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r2 and save the file.
- Restart the CzechIdM service: systemctl restart iam-czechidm.
The vulnerability of the Log4j library CVE-2021-44228
Some older container images of CzechIdM and CAS can be affected by this vulnerability. To mitigate it, change the parameters used to run the containerized applications.
Add a new environment property JAVA_OPTS_ADD to the compose file like this:
    ...
    environment:
      ...
      - JAVA_OPTS_ADD=-Dlog4j2.formatMsgNoLookups=true
    ...
Make the change in the files /data/registry/node-active-config/docker-compose-cas.yml and /data/registry/node-active-config/docker-compose-czechidm.yml, then restart the iam-cas and iam-czechidm services.
Treat this property as a stop-gap: it only takes effect on Log4j 2.10 and later and was later shown to be an incomplete mitigation (CVE-2021-45046), so update to an image that ships a patched Log4j as soon as one is available for your line.
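The edit above is easy to apply twice or to put under the wrong key by hand. The following script is an added example (it is not part of the IAM appliance or of CzechIdM) that adds the JAVA_OPTS_ADD entry exactly once under the first environment: list of a compose file and verifies the result. It only handles the list form of environment: shown in the text; the compose content built in demo() and its TZ entry are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IAM appliance: add the Log4j stop-gap
# JAVA_OPTS_ADD=-Dlog4j2.formatMsgNoLookups=true to the "environment:" list of a
# compose service exactly once, and verify it is there. Only the list form of
# "environment:" (one "- KEY=VALUE" per line) used in the text is handled. The
# compose content in demo() is constructed for this example.

MITIGATION='JAVA_OPTS_ADD=-Dlog4j2.formatMsgNoLookups=true'

# Exit 0 when the file already carries the mitigation as a list entry
# (with or without YAML quotes around the value).
has_mitigation() {
    grep -Eq "^[[:space:]]*-[[:space:]]*['\"]?JAVA_OPTS_ADD=-Dlog4j2\.formatMsgNoLookups=true['\"]?[[:space:]]*$" "$1"
}

# Insert the mitigation as the first entry under the first "environment:" key,
# indented two spaces deeper than the key. Writes through the existing file so
# its mode and ownership are preserved. No-op when already present.
add_mitigation() {
    has_mitigation "$1" && return 0
    grep -q '^[[:space:]]*environment:[[:space:]]*$' "$1" || {
        echo "$1: no environment: list found; add one by hand" >&2
        return 1
    }
    awk -v m="$MITIGATION" '
        !done && /^[[:space:]]*environment:[[:space:]]*$/ {
            print
            match($0, /^[[:space:]]*/)
            printf "%s  - %s\n", substr($0, 1, RLENGTH), m
            done = 1
            next
        }
        { print }' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Demo on a constructed compose file: apply the change twice, print the file
# and the number of mitigation lines, which must stay at 1 after the no-op call.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'services:' \
        '  czechidm:' \
        '    image: repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r2' \
        '    environment:' \
        '      - TZ=Europe/Prague' > "$tmp"
    add_mitigation "$tmp"
    add_mitigation "$tmp"
    cat "$tmp"
    echo "mitigation lines: $(grep -c 'JAVA_OPTS_ADD' "$tmp")"
    rm -f "$tmp"
}

demo
```

To use it on the appliance, call add_mitigation on docker-compose-cas.yml and docker-compose-czechidm.yml and then restart the two services as described above; has_mitigation alone is a convenient post-restart check that the files still carry the entry after an upgrade of the configuration.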
Spring Framework vulnerability CVE-2022-22965 (Spring4Shell)
The images of the CzechIdM and CAS applications are affected by this vulnerability. To mitigate it, update the affected containers to the following versions or newer:
- CzechIdM 10.x (LTS): repo.iamappliance.com:8443/bcv-czechidm:10.8.5-r0 or any newer image of the 10.x line.
- CzechIdM 11.x: repo.iamappliance.com:8443/bcv-czechidm:11.2.5-r0. Use this image only if you cannot upgrade your environment to a 12.x line image.
- CzechIdM 12.x: repo.iamappliance.com:8443/bcv-czechidm:12.1.3-r0 or later.
- CAS: repo.iamappliance.com:8443/bcv-cas:6.2.8.4-r1 or later.
Update the images by editing the image version (the line starting with image:…) in the files /data/registry/node-active-config/docker-compose-czechidm.yml and docker-compose-cas.yml (located in the same directory).
Then, restart the iam-czechidm and iam-cas services.
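Both this section and the Let's Encrypt section above come down to "is the image: line pinned to a tag at or above a given minimum". The script below is an added example (not part of the IAM appliance) that extracts the tag from a compose file and compares it numerically, field by field, against the minimum fixed CzechIdM tag for its major line as listed above; the compose content built in demo() is constructed for the example, and tag lines not covered by the table are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the IAM appliance: read the image tag pinned in a
# compose file and decide whether it meets the minimum fixed tag for its major
# line (10.8.5-r0, 11.2.5-r0, 12.1.3-r0 for CzechIdM as listed above). The
# compose content in demo() is constructed for this example.

# Print the tag of the first "image:" line, e.g. "10.8.2-r2" for
# image: repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r2 (quotes tolerated).
compose_image_tag() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | head -n 1 | tr -d "'\"" | sed 's/.*://'
}

# Exit 0 when tag $1 is at least tag $2. Tags are compared numerically, field
# by field, after turning every non-digit run into a separator, so
# 10.8.5-r0 reads as 10 8 5 0; a missing trailing field counts as 0.
tag_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9]+/, " ", a); gsub(/[^0-9]+/, " ", b)
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Minimum fixed CzechIdM tag for the major line of tag $1; exit 1 for a line
# not covered by the table above.
czechidm_min_tag() {
    case "${1%%.*}" in
        10) echo 10.8.5-r0 ;;
        11) echo 11.2.5-r0 ;;
        12) echo 12.1.3-r0 ;;
        *)  return 1 ;;
    esac
}

# Report "ok" or "update" for a constructed compose file pinning CzechIdM tag $1.
demo() {
    tmp=$(mktemp)
    printf 'services:\n  czechidm:\n    image: "repo.iamappliance.com:8443/bcv-czechidm:%s"\n' "$1" > "$tmp"
    tag=$(compose_image_tag "$tmp")
    rm -f "$tmp"
    min=$(czechidm_min_tag "$tag") || { echo "unknown line: $tag"; return 0; }
    if tag_ge "$tag" "$min"; then
        echo "ok: $tag (minimum $min)"
    else
        echo "update: $tag < $min"
    fi
}

demo "${1:-10.8.2-r2}"
```

On a real node, point compose_image_tag at /data/registry/node-active-config/docker-compose-czechidm.yml instead of the constructed file; for the CAS file compare the extracted tag against 6.2.8.4-r1 with tag_ge directly, since the CAS line has a single minimum.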
Unable to install some EPEL packages
Only packages from EPEL/Modular can be installed; the IAM appliance does not see any packages from the EPEL/Everything repository. This manifests, for example, when installing Let's Encrypt (LE) certificate support:
[root@localhost ~]# dnf in iam-letsencrypt-support
Last metadata expiration check: 0:02:48 ago on Tue 19 Jul 2022 10:40:24 AM CEST.
Error:
 Problem: conflicting requests
  - nothing provides certbot >= 1.22 needed by iam-letsencrypt-support-0.1-0.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
This is caused by a bug in the IAM appliance repository definitions for CentOS 8 and for early Rocky 8 releases of the iam-appliance-repos package.
- First, update iam-appliance-repos at least to version 0.5. This update completely resolves the issue. To perform the update, run: dnf update iam-appliance-repos
- If you are on CentOS 8, this update is not available for you. Perform the following steps instead:
  - Edit the /etc/yum.repos.d/iam-centos8-epel.repo file.
  - Find the repository URL line:
    baseurl=https://$iam_username:$iam_password@repo.iamappliance.com/repository/centos_8_epel_modular/
  - Change it to:
    baseurl=https://$iam_username:$iam_password@repo.iamappliance.com/repository/centos_8_epel/
  - Save the file.
Slow or locking-up SQL queries in IdM database
In some environments, SQL queries can become substantially slower at the PostgreSQL level, or appear to lock up. In some cases, disabling PostgreSQL's JIT compilation mitigated the issue. Because jit is a session-level setting, you can test the effect first with SET jit = off; in a psql session before changing the container configuration.
- Edit /data/registry/node-active-config/docker-compose-czechidm-db.yml and add the following line to the PostgreSQL startup parameters:
  - '-cjit=off'
- Restart the database service (this also restarts IdM) by invoking: systemctl restart iam-czechidm-db.