What to do when you accidentally delete the suffix "ou=am-config"?

The instructions in step 3 of the Delete and redeploy AM documentation explicitly state:

"You should either install a new, clean instance of DS, or delete the entries under the configured AM suffix (by default ou=am-config) of an existing instance."

A mistake customers sometimes make is to delete the suffix itself rather than only the entries under it. This can happen by deleting the entry by hand, or by running a subtree delete against the suffix DN, which removes the base entry together with everything beneath it. For example:

./ldapdelete --deleteSubtree --hostname localhost --port 1636 --useSsl --trustAll --bindDN "uid=admin" --bindPassword password "ou=am-config"

The solution is to recreate the suffix entry.

Step 1.

Create a file named backup.ldif with the content below, changing the suffix DN dc=openam,dc=forgerock,dc=org to your own suffix. The entry must carry its RDN attribute, so for a suffix of ou=am-config replace the dc: openam line with ou: am-config (untypedObject allows either), and the userdn in each aci must name the account AM binds with to the configuration store.
dn: dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: untypedObject
dc: openam
aci: (targetattr="*")(version 3.0; acl "Read and write application data"; allow (all)(userdn = "ldap:///uid=am-config,ou=admins,dc=openam,dc=forgerock,dc=org");)
aci: (targetattr="+")(version 3.0; acl "Read operational attributes"; allow (read, search, compare)(userdn = "ldap:///uid=am-config,ou=admins,dc=openam,dc=forgerock,dc=org");)
aci: (targetcontrol="PersistentSearch")(version 3.0; acl "Persistent searches"; allow (read)(userdn = "ldap:///uid=am-config,ou=admins,dc=openam,dc=forgerock,dc=org");)

Step 2.

Start DS if it is not already running and import the file into the configuration store backend again. The backend ID (cfgStore here), the ports and the bind credentials are those of the tested deployment; substitute your own.

./opendj7/bin/start-ds

./opendj7/bin/import-ldif \
 --hostname localhost \
 --port 4444 \
 --bindDn uid=admin \
 --bindPassword Netscape123 \
 --backendId cfgStore \
 --includeBranch dc=openam,dc=forgerock,dc=org \
 --ldifFile /work/backup.ldif \
 --usePkcs12TrustStore ./opendj7/config/keystore \
 --trustStorePassword:file ./opendj7/config/keystore.pin

Tested with AM 7.3.0
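The procedure above, as an added example that is not part of the original post or of the ForgeRock tooling: a POSIX shell script that derives the base-entry LDIF from any suffix DN (so the RDN attribute and objectClass match the DN instead of being hard-coded to dc=openam), checks with a base-scope ldapsearch whether the suffix entry is really missing before touching anything, takes an export of the backend, and then runs the same import-ldif invocation as the post. The DS_* values, the cfgStore backend ID, the /tmp file paths and the uid=am-config,ou=admins,<suffix> service account are hypothetical placeholders taken from or modelled on the post; objectClass domain/organizationalUnit/organization is used in place of the post's untypedObject, which DS also accepts.

```shell
#!/bin/sh
# Added example, not from the original post or from ForgeRock: recreate the
# AM configuration-store base entry for any suffix and import it with the
# DS 7 tools. All connection values below are hypothetical placeholders.
DS_HOME=${DS_HOME:-./opendj7}
DS_HOST=${DS_HOST:-localhost}
DS_LDAPS_PORT=${DS_LDAPS_PORT:-1636}
DS_ADMIN_PORT=${DS_ADMIN_PORT:-4444}
DS_ADMIN_DN=${DS_ADMIN_DN:-uid=admin}
DS_ADMIN_PW=${DS_ADMIN_PW:-password}     # placeholder; prefer --bindPassword:file in practice
CFG_BACKEND=${CFG_BACKEND:-cfgStore}

# Emit the LDIF for the base entry of suffix $1 whose ACIs grant the AM
# service account $2 (the same three ACIs as in the post). The RDN attribute
# (dc, ou or o) must be present on the entry and its objectClass must allow
# it, so both are derived from the first RDN instead of being hard-coded.
am_config_base_ldif() {
  suffix=$1
  bind_dn=$2
  rdn=${suffix%%,*}                                        # leading RDN, e.g. ou=am-config
  rdn_attr=$(printf '%s' "${rdn%%=*}" | tr 'A-Z' 'a-z')    # ou
  rdn_value=${rdn#*=}                                      # am-config
  case "$rdn_attr" in
    ou) oc=organizationalUnit ;;
    dc) oc=domain ;;
    o)  oc=organization ;;
    *)  echo "unsupported suffix RDN attribute: $rdn_attr" >&2; return 1 ;;
  esac
  cat <<EOF
dn: $suffix
objectClass: top
objectClass: $oc
$rdn_attr: $rdn_value
aci: (targetattr="*")(version 3.0; acl "Read and write application data"; allow (all)(userdn = "ldap:///$bind_dn");)
aci: (targetattr="+")(version 3.0; acl "Read operational attributes"; allow (read, search, compare)(userdn = "ldap:///$bind_dn");)
aci: (targetcontrol="PersistentSearch")(version 3.0; acl "Persistent searches"; allow (read)(userdn = "ldap:///$bind_dn");)
EOF
}

# Base-scope search for the suffix entry itself. DS ldapsearch exits with the
# LDAP result code: 0 means the base entry exists (only the entries under it
# were removed, so the documented redeploy applies), 32 (noSuchObject) means
# the base entry is gone and must be recreated first.
am_config_base_exists() {
  "$DS_HOME/bin/ldapsearch" --hostname "$DS_HOST" --port "$DS_LDAPS_PORT" \
    --useSsl --trustAll --bindDN "$DS_ADMIN_DN" --bindPassword "$DS_ADMIN_PW" \
    --baseDN "$1" --searchScope base "(objectClass=*)" 1.1 >/dev/null 2>&1
}

# Write the LDIF and import it into the configuration-store backend with the
# same import-ldif flags as the post. The backend is exported first because
# import-ldif without --append replaces the backend contents.
am_config_base_restore() {
  suffix=$1
  bind_dn=$2
  ldif=${3:-/tmp/am-config-base.ldif}
  am_config_base_ldif "$suffix" "$bind_dn" > "$ldif" || return 1
  "$DS_HOME/bin/export-ldif" --hostname "$DS_HOST" --port "$DS_ADMIN_PORT" \
    --bindDN "$DS_ADMIN_DN" --bindPassword "$DS_ADMIN_PW" \
    --backendId "$CFG_BACKEND" --ldifFile "/tmp/$CFG_BACKEND-before-restore.ldif" \
    --usePkcs12TrustStore "$DS_HOME/config/keystore" \
    --trustStorePassword:file "$DS_HOME/config/keystore.pin" || return 1
  "$DS_HOME/bin/import-ldif" --hostname "$DS_HOST" --port "$DS_ADMIN_PORT" \
    --bindDN "$DS_ADMIN_DN" --bindPassword "$DS_ADMIN_PW" \
    --backendId "$CFG_BACKEND" --includeBranch "$suffix" --ldifFile "$ldif" \
    --usePkcs12TrustStore "$DS_HOME/config/keystore" \
    --trustStorePassword:file "$DS_HOME/config/keystore.pin"
}

# Typical use, only when a suffix is passed on the command line:
#   sh restore-am-config.sh ou=am-config
if [ -n "${1:-}" ]; then
  if am_config_base_exists "$1"; then
    echo "base entry $1 still exists; redeploy AM as documented, nothing to restore"
  else
    am_config_base_restore "$1" "uid=am-config,ou=admins,$1"
  fi
fi
```

Run it against a test instance first; the exit code of the final import-ldif is the script's result, and the pre-restore export in /tmp is what you fall back on if the import produced something other than the single base entry you expected.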
