OpenSSO Special Users Are No Killing Joke

Yesterday, I installed the ssoadm command line interface and exported the configuration data from the OpenSSO embedded configuration data store. I wanted to do this so I could go through the data and find the OpenSSO special users that were created during a fresh installation of the product. Here are the users I found and some information about each.
  • The OpenSSO administrative user (as we all know) is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. To change the password after installation, use the OpenSSO console. The amadmin profile is a Subject under the top-level realm. You cannot change the default amadmin identifier.
  • amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit. You can change the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. To change the amldapuser password after configuration, use ldapmodify (which is NOT supported). In the latter case, also modify the LDAP Authentication Service and Policy Configuration Service because amldapuser is the default user for these services. Make the changes in each realm in which these services are registered.
  • Proxy user (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) is a proxy user that works behind the scenes for the legacy AMSDK. This user is created during installation and cannot be modified or found in the OpenSSO console.
  • UrlAccessAgent (as we all know) is the user that a web agent uses to login to OpenSSO but who is amService-UrlAccessAgent (cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net)? Well, both users are the same. When entered as UrlAccessAgent on the server side, the Authentication Service prepends to it the string amService-. The Authentication Service then authenticates it is a special user with an entry in the data store. The password for UrlAccessAgent is defined during the OpenSSO configuration.
  • CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Sun Directory Server with read and write access to all entries in the embedded configuration data store. This user would be used to bind to the embedded configuration data store if the OpenSSO schema is not installed.
  • CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Microsoft Active Directory. This is similar to cn=Directory Manager for Sun Directory Server.
  • demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console and its default password can be changed.
  • The test user is used to execute some OpenSSO samples. These samples would create the test user and test will be displayed as a subject of the top-level realm in the OpenSSO console after executing them. The default password for test is test.
  • dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc-java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).
  • anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.
Now, here's something for April Fools Day: Killing Joke and their song Change. Change was not on the original 1980 UK release of their debut album (eponymously titled Killing Joke) but it was on the original 1980 US release. I remember specifically buying the US release of this LP at a time when all I was buying were imports. Good times.

Comments:

Post a Comment:
Comments are closed for this entry.
About

docteger

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today