Wednesday Apr 01, 2009
OpenSSO Special Users Are No Killing Joke
Yesterday, I installed the ssoadm command line interface and exported the configuration data from the OpenSSO embedded configuration data store. I wanted to do this so I could go through the data and find the OpenSSO special users that were created during a fresh installation of the product. Here are the users I found and some information about each.
- The OpenSSO administrative user (as we all know) is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. To change the password after installation, use the OpenSSO console. The amadmin profile is a Subject under the top-level realm. You cannot change the default amadmin identifier.
- amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit. You can change the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. To change the amldapuser password after configuration, use ldapmodify (which is NOT supported). In the latter case, also modify the LDAP Authentication Service and Policy Configuration Service, because amldapuser is the default user for these services. Make the changes in each realm in which these services are registered.
- Proxy user (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) is a proxy user that works behind the scenes for the legacy AMSDK. This user is created during installation and cannot be modified or found in the OpenSSO console.
- UrlAccessAgent (as we all know) is the user that a web agent uses to log in to OpenSSO, but who is amService-UrlAccessAgent (cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net)? Well, both users are the same. When entered as UrlAccessAgent on the server side, the Authentication Service prepends the string amService- to it. The Authentication Service then authenticates it as a special user with an entry in the data store. The password for UrlAccessAgent is defined during the OpenSSO configuration.
- CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top-level administrator for Sun Directory Server, with read and write access to all entries in the embedded configuration data store. This user would be used to bind to the embedded configuration data store if the OpenSSO schema is not installed.
- CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top-level administrator for Microsoft Active Directory. This is similar to cn=Directory Manager for Sun Directory Server.
- demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console, and its default password can be changed.
- The test user is used to execute some OpenSSO samples. These samples create the test user, and test will be displayed as a subject of the top-level realm in the OpenSSO console after executing them. The default password for test is test.
- dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).
- anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.
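To turn the list above into a check you can run against a fresh install, here is an added example (not code from this post or from OpenSSO) that reads an LDIF dump of the embedded configuration store, separates the hidden ou=DSAME Users accounts from the ou=People subjects, flags the accounts whose shipped default password the post documents (changeit for amldapuser and demo, test for test), and resolves a server-side UrlAccessAgent login to its amService- entry the way the post describes. The LDIF is constructed from the DNs given in the post; the DNs for demo and anonymous and the folded puser description are assumptions made for the sample.

```python
"""Inventory OpenSSO special users from an LDIF dump and flag documented
default passwords. Added example, not code from the post or from OpenSSO;
SAMPLE_LDIF is constructed (demo/anonymous DNs and the description are assumed)."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Constructed sample: DNs from the post plus assumed DNs for demo/anonymous.
# The puser description is folded over two lines to exercise LDIF unfolding.
SAMPLE_LDIF = """\
dn: uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net
uid: amAdmin

dn: cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
cn: amldapuser

dn: cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net
cn: puser
description: proxy user for the leg
 acy AMSDK

dn: cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net
cn: amService-UrlAccessAgent

dn: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
cn: dsameuser

dn: uid=demo,ou=People,dc=opensso,dc=java,dc=net
uid: demo

dn: uid=anonymous,ou=People,dc=opensso,dc=java,dc=net
uid: anonymous
"""

# Defaults documented in the post (account name -> password it ships with).
DEFAULT_PASSWORDS = {"amldapuser": "changeit", "demo": "changeit", "test": "test"}
SERVICE_PREFIX = "amService-"  # prepended by the Authentication Service


@dataclass
class Entry:
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)


def parse_ldif(text: str) -> list[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    decodes base64 ('::') values and splits records on blank lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[Entry] = []
    current: Entry | None = None
    for line in lines:
        if not line.strip():                   # blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = Entry(dn=value)
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.attrs.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def rdn_value(dn: str) -> str:
    """Value of the leftmost RDN, e.g. 'amldapuser' for cn=amldapuser,..."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def classify(entry: Entry) -> str:
    """'internal' for ou=DSAME Users entries (hidden from the console),
    'subject' for ou=People entries (visible as realm subjects)."""
    container = entry.dn.split(",", 1)[1].lower()
    if container.startswith("ou=dsame users,"):
        return "internal"
    if container.startswith("ou=people,"):
        return "subject"
    return "other"


def accounts_with_default_password(entries: list[Entry]) -> dict[str, str]:
    """{account: shipped default} for present entries with a documented default.
    This checks presence only; the dump holds no cleartext password to verify."""
    found: dict[str, str] = {}
    for e in entries:
        name = rdn_value(e.dn)
        if name.lower() in DEFAULT_PASSWORDS:
            found[name] = DEFAULT_PASSWORDS[name.lower()]
    return found


def auth_service_principal(login_name: str) -> str:
    """Mirror the amService- prefixing the post describes for UrlAccessAgent."""
    return login_name if login_name.startswith(SERVICE_PREFIX) else SERVICE_PREFIX + login_name


def lookup_service_account(entries: list[Entry], login_name: str) -> Entry | None:
    """Find the DSAME Users entry a server-side special-user login resolves to."""
    wanted = auth_service_principal(login_name).lower()
    for e in entries:
        if classify(e) == "internal" and rdn_value(e.dn).lower() == wanted:
            return e
    return None


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for e in ents:
        print(f"{classify(e):9} {e.dn}")
    print("accounts with a documented default password:", accounts_with_default_password(ents))
    print("UrlAccessAgent resolves to:", lookup_service_account(ents, "UrlAccessAgent").dn)
```

Point parse_ldif at a real export of dc=opensso,dc=java,dc=net (taken with a bind that can read ou=DSAME Users) instead of SAMPLE_LDIF. Any account it flags is one whose password should have been changed, and for amldapuser the post's caveat applies: changing it after configuration via ldapmodify is unsupported, and the new value must also be set in the LDAP Authentication Service and Policy Configuration Service in every realm where they are registered.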
Posted at 10:18AM Apr 01, 2009 by Michael Teger in Sun | Comments[0]