Change Amadmin Password

You might want to change the password of the super user amadmin on Access Manager (AM) 7.0 or 7.1 for various reasons. Be careful: it is tricky. If you change it directly in Directory Server (DS) by modifying the userpassword attribute, you will find that you can no longer log in as amadmin.

Amadmin is not an ordinary user, but one of the predefined AM special users. Unlike AM 6.x, AM 7.x stores a special user's password in two places. One is the userpassword attribute of the user entry (uid=amadmin,ou=people,dc=com, supposing dc=com is the root_suffix). The other copy is in the sunkeyvalue attribute of ou=amadmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com, in the form userPassword=_encrypted_and_hashed_password_

Currently the CLI tool ampassword has no option to generate this encrypted and hashed password. I added an option, --hashencrypt or -c, as the fix for bug 6850818 (it will be part of 7.1patch4). With it, you can change this sunkeyvalue directly in DS by using ldapmodify or other DS tools.
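The second copy can be updated without touching anything else stored in sunkeyvalue. The sketch below is an added example, not code from AM or from this post: build_amadmin_ldif is a hypothetical helper, the sample entry and placeholder values are constructed, and it assumes the attribute may hold other values besides the password, so it deletes and re-adds only the userPassword= value instead of replacing the whole attribute.

```shell
#!/bin/sh
# Added example: emit an ldapmodify LDIF that swaps only the userPassword=
# value of sunkeyvalue on the amadmin special-user entry.
# build_amadmin_ldif is a hypothetical helper, not part of AM.

# Usage: build_amadmin_ldif ROOT_SUFFIX NEW_HASH < current-entry.ldif
#   NEW_HASH: the value generated with ampassword --hashencrypt
build_amadmin_ldif() {
    root_suffix=$1
    new_hash=$2
    [ -n "$root_suffix" ] && [ -n "$new_hash" ] || return 2
    dn="ou=amadmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,$root_suffix"

    # Locate the current value (attribute names are case-insensitive).
    # Refuse unless exactly one plain, unfolded value is present; a
    # base64 ("sunkeyvalue:: ") value never matches and is refused too.
    old_value=$(awk '
        hit && /^ / { bad = 1 }   # matched line continues on a folded line
        { hit = 0 }
        tolower($0) ~ /^sunkeyvalue: userpassword=/ {
            sub(/^[^:]*: /, ""); print; n++; hit = 1
        }
        END { if (n != 1 || bad) exit 1 }') || return 1

    # Delete the exact old value, add the new one; other values stay.
    printf '%s\n' "dn: $dn" "changetype: modify" \
        "delete: sunkeyvalue" "sunkeyvalue: $old_value" "-" \
        "add: sunkeyvalue" "sunkeyvalue: userPassword=$new_hash"
}

# Constructed sample of the entry as exported from DS (not real data).
SAMPLE_ENTRY='dn: ou=amadmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=com
objectClass: top
sunkeyvalue: exampleKey=exampleValue
sunkeyvalue: userPassword=OLD_HASH_PLACEHOLDER'

printf '%s\n' "$SAMPLE_ENTRY" | build_amadmin_ldif "dc=com" "NEW_HASH_PLACEHOLDER"
```

Review the generated LDIF before feeding it to ldapmodify, and keep an export of the original entry so the old value can be restored.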

Although there is a solution if you run into this trouble, I would recommend changing the password only through the AM console. It is simple and hassle free. I normally create a new user and grant it the power amadmin has. In case anything unexpected happens, I have a backup.

Comments:

Actually, you cannot change the amadmin password on the current AM7.1 or OpenSSO 8.0 console. There is a solution I added in http://blogs.sun.com/gc/entry/reset_amadmin_password

Posted by gc on September 15, 2009 at 12:17 PM PDT #
