OpenSSO Special Users Are No Killing Joke
By docteger on Apr 01, 2009
Yesterday, I installed the ssoadm command line interface and exported the configuration data from the OpenSSO embedded configuration data store. I wanted to do this so I could go through the data and find the OpenSSO special users that were created during a fresh installation of the product. Here are the users I found and some information about each.
- The OpenSSO administrative user (as we all know) is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. To change the password after installation, use the OpenSSO console. The amadmin profile is a Subject under the top-level realm. You cannot change the default
- amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit, so change it. You can set the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. To change the amldapuser password after configuration, use ldapmodify (which is NOT supported). In the latter case, also update the LDAP Authentication Service and the Policy Configuration Service, because amldapuser is the default bind user for both; make the change in each realm in which these services are registered, or authentication and policy evaluation will start failing with bind errors.
- The proxy user puser (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) works behind the scenes for the legacy AMSDK. It is created during installation and can be neither modified nor even found in the OpenSSO console.
- UrlAccessAgent (as we all know) is the user that a web agent uses to log in to OpenSSO. But who, then, is cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net? Well, both are the same user. When UrlAccessAgent is entered on the server side, the Authentication Service prepends the string amService- to it and then authenticates it as a special user with an entry in the data store. The password for UrlAccessAgent is defined during the OpenSSO configuration.
- CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top-level administrator for Sun Directory Server, with read and write access to all entries in the embedded configuration data store. This user would be used to bind to the embedded configuration data store if the OpenSSO schema is not installed.
- CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top-level administrator for Microsoft Active Directory, the counterpart of cn=Directory Manager for Sun Directory Server.
- demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console, and its default password can (and should) be changed there.
- test user is used to execute some OpenSSO samples. These samples would create the test user; it will be displayed as a subject of the top-level realm in the OpenSSO console after executing them. The default password for
- dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).
- anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.
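Since the whole point of the exercise was to go through an export and see which of these accounts exist and which still carry a stock password, here is a small audit script for that (my own added example, not code from the original post or from the OpenSSO distribution). It parses an LDIF export such as ssoadm produces, lists the entries under ou=DSAME Users, and checks every userPassword against the changeit default by recomputing the hash. The LDIF embedded in it is constructed, the salt is fixed so the sample is reproducible, and the assumption that the embedded store writes salted SHA-1 as {SSHA}base64(digest + salt) is mine; any other scheme is reported as unverifiable rather than guessed.

```python
"""Audit an OpenSSO embedded-store LDIF export for special users and default passwords."""
import base64
import hashlib

# Default password named in the post for amldapuser/demo; amadmin and
# UrlAccessAgent get their passwords at configure time, so there is no default.
DEFAULT_PASSWORDS = ("changeit",)
SPECIAL_CONTAINER = "ou=DSAME Users,dc=opensso,dc=java,dc=net"


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    decodes '::' base64 values. Returns a list of (dn, {attr: [values]})."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line: join to previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def ssha_matches(stored, candidate):
    """Verify a {SSHA} value (sha1(password + salt) followed by the salt, base64).
    Returns True/False, or None when the scheme is not SSHA and cannot be checked offline."""
    if not stored.upper().startswith("{SSHA}"):
        return None
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def make_ssha(password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"):
    """Build a {SSHA} value; only used here to construct the sample export (fixed salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def special_users(entries, container=SPECIAL_CONTAINER):
    """Names (cn) of all entries living in the DSAME Users container."""
    return sorted(attrs["cn"][0] for dn, attrs in entries
                  if dn.lower().endswith(container.lower()) and "cn" in attrs)


def audit(ldif_text):
    """Map every DN that has a userPassword to 'DEFAULT:<pw>', 'custom' or 'unverifiable'."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        for stored in attrs.get("userPassword", []):
            verdict = "custom"
            for pw in DEFAULT_PASSWORDS:
                match = ssha_matches(stored, pw)
                if match is None:
                    verdict = "unverifiable"
                    break
                if match:
                    verdict = "DEFAULT:" + pw
                    break
            report[dn] = verdict
    return report


# Constructed sample export (not a real OpenSSO dump): one account still on the
# default, one rotated (stored base64 and folded over two lines), one without a
# password attribute, and one using a scheme this script does not verify.
_rotated_b64 = base64.b64encode(make_ssha("s3cret-rotated").encode()).decode()
SAMPLE_LDIF = "\n".join([
    "# constructed sample",
    "dn: cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net",
    "objectClass: person",
    "cn: amldapuser",
    "userPassword: " + make_ssha("changeit"),
    "",
    "dn: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net",
    "objectClass: person",
    "cn: dsameuser",
    "userPassword:: " + _rotated_b64[:20],
    " " + _rotated_b64[20:],
    "",
    "dn: cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net",
    "objectClass: person",
    "cn: puser",
    "",
    "dn: uid=demo,ou=People,dc=opensso,dc=java,dc=net",
    "objectClass: inetOrgPerson",
    "uid: demo",
    "userPassword: {CRYPT}abcdefghijklm",
    "",
])

if __name__ == "__main__":
    print("special users:", special_users(parse_ldif(SAMPLE_LDIF)))
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(verdict.ljust(16), dn)
```

Point it at a real export by replacing SAMPLE_LDIF with the file contents; anything reported as DEFAULT is an account that still answers to changeit, and puser correctly shows up in the special-user listing but never in the password report, because it has no password attribute to check.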