Sun OpenSSO Enterprise 8.0 Administration Guide

Administrative Users and Default Subjects

A number of administrative (and other) users are created as subjects during installation of OpenSSO Enterprise. The following sections contain information about each.

amadmin

The OpenSSO administrative user is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net in the embedded configuration data store). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. The amadmin profile is a Subject under the top-level realm. You cannot change the default amadmin identifier.

To Change the amadmin Password

  1. Under the Access Control tab, click / (Top Level Realm).

  2. Click the Subjects tab.

  3. Click amadmin in the Users table.

  4. Under the General tab, click the Password attribute's Edit link.

  5. Type the old and new passwords as directed and click OK.

  6. Click Save on the Edit User page.

amldapuser

amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net in the embedded configuration data store) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit. You can change the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. Changing the amldapuser password after configuration is not supported.
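Because the amldapuser password is read from serviceDefaultValues.properties only when the configurator runs and cannot be changed afterwards, it is worth scripting the pre-configuration edit so the shipped default cannot slip through. The following helper is an added example written for this page, not an OpenSSO tool; it assumes the file is an ordinary Java .properties file with one key=value per line, and the sample content and the password used in the usage branch are constructed for illustration.

```python
"""Set AMLDAPUSERPASSWD in serviceDefaultValues.properties before the
OpenSSO configurator runs.

Added example for this page; it is not an OpenSSO tool. It assumes the
file is an ordinary Java .properties file with one key=value per line."""
import re
import sys
from pathlib import Path

DEFAULT_PASSWORD = "changeit"   # the shipped amldapuser default named on this page
KEY = "AMLDAPUSERPASSWD"

# Matches the key whether it is active or commented out; [ \t] rather than \s
# so the match cannot spill across a preceding blank line.
_KEY_LINE = re.compile(r"^[ \t]*#?[ \t]*" + KEY + r"[ \t]*=.*$", re.MULTILINE)


def set_amldapuser_password(text: str, new_password: str) -> str:
    """Return the properties text with AMLDAPUSERPASSWD set to new_password.

    Replaces the first existing line for the key (even a commented-out one)
    and appends the key if it is absent. Refuses the shipped default, an
    empty value, and characters that would need .properties escaping.
    """
    if not new_password or new_password == DEFAULT_PASSWORD:
        raise ValueError("refusing to leave amldapuser on the default password")
    if any(c in new_password for c in "\\\r\n"):
        raise ValueError("backslashes and newlines need .properties escaping; pick another value")
    new_line = f"{KEY}={new_password}"
    if _KEY_LINE.search(text):
        # a lambda replacement avoids backreference processing of the value
        return _KEY_LINE.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def update_file(path: Path, new_password: str) -> None:
    """Rewrite path in place, keeping a .bak copy of the original."""
    original = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="latin-1")
    path.write_text(set_amldapuser_password(original, new_password), encoding="latin-1")


# Constructed sample of the relevant lines; the real file has many more keys.
SAMPLE = (
    "# constructed sample of serviceDefaultValues.properties\n"
    "AMLDAPUSERPASSWD=changeit\n"
    "SERVER_HOST=opensso.example.com\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        update_file(Path(sys.argv[1]), sys.argv[2])
    else:
        print(set_amldapuser_password(SAMPLE, "example-only-not-a-real-password"))
```

Run it as `python set_amldapuser.py OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties 'new-password'` before starting the configurator; with no arguments it prints the rewritten constructed sample. The value is stored in clear text in that file, so restrict its permissions and remove the .bak copy once configuration has finished.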

UrlAccessAgent

UrlAccessAgent is the user that a web agent uses to log in to OpenSSO. The password for UrlAccessAgent is defined during OpenSSO configuration.


Note –

amService-UrlAccessAgent (cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net in the embedded configuration data store) is the same user as UrlAccessAgent. When the name is entered as UrlAccessAgent on the server side, the Authentication Service prepends the string amService- to it. The Authentication Service then authenticates it as a special user with an entry in the data store.


Directory Manager

CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for the embedded configuration data store (OpenDS). Directory Manager has read and write access to all entries in the embedded configuration data store and would be used to bind to it if the OpenSSO schema is not installed.

Administrator

CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Microsoft Active Directory. This is similar to Directory Manager.

demo

demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console and its default password can be changed.

test

The test user is used by some of the OpenSSO samples. Those samples create the test user, after which test is displayed as a subject of the top-level realm in the OpenSSO console. The default password is test.

dsameuser

dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).

After installation, change the password for dsameuser. Do not reuse the password set for amadmin or amldapuser. To change it, use the ampassword utility with the --admin (or -a) option; this option does not change the amadmin password. If OpenSSO is deployed on multiple host servers, change the password in the embedded configuration data store and in the local serverconfig.xml file on the first server as documented for ampassword. For each additional server, encrypt the new password using ampassword with the --encrypt (or -e) option and manually replace the old encrypted password in that server's serverconfig.xml file with the new one. Restart each OpenSSO web container after the modification.
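The manual swap on each additional server is the step most likely to go wrong (wrong element edited, value pasted twice, puser entry touched by mistake). The following helper is an added example written for this page, not an OpenSSO tool: it takes the value that `ampassword --encrypt` produced and replaces only the DirPassword of the User element whose DirDN is dsameuser. It assumes serverconfig.xml holds User elements with DirDN and DirPassword children as in the constructed sample below (the encrypted strings there are placeholders, not real ampassword output), and it does no encryption itself.

```python
"""Swap the encrypted dsameuser password in serverconfig.xml on an
additional OpenSSO server, after `ampassword --encrypt` has produced the
new value.

Added example for this page, not an OpenSSO tool. It assumes serverconfig.xml
holds <User> elements with a <DirDN> and a <DirPassword> child, as in the
constructed sample below; it does not encrypt anything itself."""
import re
import sys
from pathlib import Path

DSAMEUSER_DN = "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"

_USER_BLOCK = re.compile(r"<User\b[^>]*>.*?</User>", re.DOTALL)
_DIR_DN = re.compile(r"<DirDN>\s*(.*?)\s*</DirDN>", re.DOTALL)
_DIR_PASSWORD = re.compile(r"(<DirPassword>)(.*?)(</DirPassword>)", re.DOTALL)


def _same_dn(a: str, b: str) -> bool:
    """Loose DN comparison: case-insensitive, whitespace around commas ignored."""
    norm = lambda dn: ",".join(p.strip() for p in dn.split(",")).lower()
    return norm(a) == norm(b)


def swap_dir_password(xml_text: str, dir_dn: str, new_encrypted: str) -> str:
    """Return xml_text with the DirPassword for dir_dn replaced by new_encrypted.

    Works on the raw text so comments and formatting survive. Exactly one
    <User> must carry dir_dn, and the new value must differ from the old one
    (an unchanged value usually means the wrong string was pasted).
    """
    if not new_encrypted or any(c in new_encrypted for c in "<>&\r\n"):
        raise ValueError("new encrypted value is empty or not XML-safe")
    hits = [m for m in _USER_BLOCK.finditer(xml_text)
            if any(_same_dn(dn, dir_dn) for dn in _DIR_DN.findall(m.group(0)))]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one <User> for {dir_dn}, found {len(hits)}")
    block = hits[0]
    pw = _DIR_PASSWORD.search(block.group(0))
    if pw is None:
        raise ValueError("matching <User> has no <DirPassword>")
    if pw.group(2).strip() == new_encrypted:
        raise ValueError("new value equals the existing one; nothing would change")
    # lambda replacement: the encrypted value must not be parsed for backreferences
    new_block = _DIR_PASSWORD.sub(
        lambda m: m.group(1) + new_encrypted + m.group(3), block.group(0), count=1)
    return xml_text[:block.start()] + new_block + xml_text[block.end():]


def update_file(path: Path, new_encrypted: str, dir_dn: str = DSAMEUSER_DN) -> None:
    """Rewrite serverconfig.xml in place, keeping a .bak copy of the original."""
    original = path.read_text(encoding="utf-8")
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
    path.write_text(swap_dir_password(original, dir_dn, new_encrypted), encoding="utf-8")


# Constructed sample; the encrypted strings are placeholders, not real ampassword output.
SAMPLE_SERVERCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="localhost" port="50389" type="SIMPLE" />
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net</DirDN>
      <DirPassword>OLD-ENCRYPTED-PUSER</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net</DirDN>
      <DirPassword>OLD-ENCRYPTED-DSAMEUSER</DirPassword>
    </User>
    <BaseDN>dc=opensso,dc=java,dc=net</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        update_file(Path(sys.argv[1]), sys.argv[2])
    else:
        print(swap_dir_password(SAMPLE_SERVERCONFIG, DSAMEUSER_DN, "NEW-ENCRYPTED-VALUE"))
```

Run it on each additional server as `python swap_dsameuser.py /path/to/serverconfig.xml '<output of ampassword -e>'`, then restart that server's web container. The script edits the raw text rather than re-serializing the XML so that comments and the declaration are preserved, and it refuses to proceed unless exactly one User element matches, so the puser entry is never touched.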

puser

puser (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) is a proxy user that works behind the scenes for the legacy AMSDK. It is created during installation and cannot be modified through, or found in, the OpenSSO console.

anonymous

anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.