OPENAM-4292

dsameuser authentication on /authservice differs at startup

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1
    • Fix Version/s: None
    • Component/s: authentication

      Description

      The dsameuser is present in two notable locations:

      (1) Globally in the specialrepo, amongst amadmin, anonymous user etc.
      (2) Per server, in the serverconfig.xml block containing the puser, dsameuser and directory manager user/password combinations.

      On startup OpenAM writes its bootstrap file, and it uses the local (2) credentials to write the dsameuser details.

      When you use ssoadm, it reads these credentials from the bootstrap file and uses them to authenticate to /openam/authservice.

      On a basic/fresh install of OpenAM (embedded config/user store), change the dsameuser password in the specialrepo (1), e.g.:


      ./ssoadm set-identity-attrs -t user -e / -i dsameuser -u amadmin -f passwd -a userpassword=newdsameuserpasswd

      Restart OpenAM and attempt to use ssoadm: it will still use the password from the bootstrap file. On the first authentication it lets ssoadm in with this password. On subsequent attempts it matches against the specialrepo user password (just changed) and fails.

      The workaround is obviously to keep the local and global dsameuser passwords the same, but this behaviour is inconsistent: the same credentials are accepted once and then rejected. If OpenAM always used the local dsameuser password to authenticate authservice requests, the bootstrap file would always 'work' with ssoadm.


      [forgerock@openam bin]$ ./ssoadm list-servers -u amadmin -f passwd
      
      http://openam.example.com:8080/openam
      [forgerock@openam bin]$ ./ssoadm list-servers -u amadmin -f passwd
      
      Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
      com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction:  FATAL ERROR: Cannot obtain Application SSO token.
      Check AMConfig.properties for the following properties
      	com.sun.identity.agents.app.username
      	com.iplanet.am.service.password
      Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
      com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction:  FATAL ERROR: Cannot obtain Application SSO token.
      Check AMConfig.properties for the following properties
      	com.sun.identity.agents.app.username
      	com.iplanet.am.service.password
      com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction:  FATAL ERROR: Cannot obtain Application SSO token.
      Check AMConfig.properties for the following properties
      	com.sun.identity.agents.app.username
      	com.iplanet.am.service.password
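The sequence above, as an added illustration that is not OpenAM code: a small Python model of the two dsameuser credential locations, the bootstrap write at startup, the authentication behaviour reported in this ticket (first attempt matched against the local password, later attempts against the specialrepo password) and the always-use-local behaviour the ticket suggests. The Server class, the policy names and the password values are assumptions made for the model; the only thing it takes from OpenAM is the scenario described in the description.

```python
# Added model of the OPENAM-4292 scenario; not OpenAM code. The Server class,
# the policy names and the password values are assumptions made for the model.
from dataclasses import dataclass
from typing import List


@dataclass
class Server:
    specialrepo_password: str     # (1) global dsameuser entry in the specialrepo
    local_password: str           # (2) per-server serverconfig.xml dsameuser entry
    bootstrap_password: str = ""  # written from (2) at startup, read by ssoadm
    auth_attempts: int = 0

    def startup(self) -> None:
        """Restart: the bootstrap file is rewritten from the local (2) credentials."""
        self.bootstrap_password = self.local_password
        self.auth_attempts = 0

    def authservice_observed(self, password: str) -> bool:
        """Behaviour reported in the ticket: the first authentication after
        startup is accepted against the local (2) password, later ones are
        matched against the specialrepo (1) password."""
        self.auth_attempts += 1
        if self.auth_attempts == 1:
            return password == self.local_password
        return password == self.specialrepo_password

    def authservice_proposed(self, password: str) -> bool:
        """Behaviour the ticket proposes: always match the local (2) password."""
        self.auth_attempts += 1
        return password == self.local_password


def run_ssoadm(server: Server, policy: str, attempts: int = 3) -> List[bool]:
    """Simulate ssoadm: take the dsameuser password from the bootstrap file and
    authenticate to /authservice `attempts` times, returning each outcome."""
    if policy == "observed":
        check = server.authservice_observed
    elif policy == "proposed":
        check = server.authservice_proposed
    else:
        raise ValueError(f"unknown policy: {policy}")
    return [check(server.bootstrap_password) for _ in range(attempts)]


def scenario(policy: str, keep_in_sync: bool = False) -> List[bool]:
    """Fresh install with both passwords equal; change the specialrepo (1)
    password (what `ssoadm set-identity-attrs ... -a userpassword=...` does),
    optionally update the local (2) password too, restart, run ssoadm three times."""
    srv = Server(specialrepo_password="olddsameuserpasswd",
                 local_password="olddsameuserpasswd")
    srv.startup()
    srv.specialrepo_password = "newdsameuserpasswd"
    if keep_in_sync:
        srv.local_password = "newdsameuserpasswd"  # the workaround from the ticket
    srv.startup()  # bootstrap file rewritten from (2)
    return run_ssoadm(srv, policy)


if __name__ == "__main__":
    print("observed, passwords differ:", scenario("observed"))       # [True, False, False]
    print("proposed, passwords differ:", scenario("proposed"))       # [True, True, True]
    print("observed, kept in sync:   ", scenario("observed", True))  # [True, True, True]
```

The first run reproduces the ticket's output pattern (one successful list-servers, then failures); the other two show that either keeping (1) and (2) in step or always checking the local password makes every attempt succeed.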
      

    People

    • Assignee: Unassigned
    • Reporter: ian.packer (Ian Packer)
    • Votes: 0
    • Watchers: 3