Friday, June 14, 2013

Changing the password of amAdmin - Part II

I posted this topic a while back. So I thought it was a fairly simple change.



But my friend Peter has another insight which we should take note of. I copied shamelessly from his reply on the OpenAM mailing list.

Changing amadmin password is not straightforward at all, there are many things to be aware of: 
* amadmin password is used to set up replication with embedded DJ, i.e. the admin password for replication 
* it's also used as the password for the internal dsameuser 
* it's also the password for the embedded opendj's directory manager 
* it's also stored in the bootstrap file in encrypted format (well it's the dsameuser password, but dsameuser has the same password as amadmin..) and hell knows what else

So basically even if you change the amadmin password, you can run into other problems, and as far as I remember ampassword changes the password for the dsameuser, not for amadmin...

At the moment I think there is no clear process around handling all these different passwords or even managing them without breaking OpenAM a couple of times during the process. 

If you only want to change the password for amAdmin, then look for:

ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,ROOT_SUFFIX

the user password, the password is generated like this:

http://sources.forgerock.org/browse/openam/trunk/openam/openam-core/src/main/java/com/sun/identity/idm/plugins/internal/SpecialRepo.java?r=4170

and I think the workaround in the ticket description (not the comment!) can work for you to generate the password in the correct format for the directory: 

https://bugster.forgerock.org/jira/browse/OPENAM-1224
