Thursday, June 27, 2013

Changing Bind DN/Password in Directory Configuration

I blogged twice on how to port the embedded OpenDJ in OpenAM to an external OpenDJ. Meanwhile, I also discovered something weird when changing the Bind DN/Password in Directory Configuration.

Let's say you ignore the porting of the embedded OpenDJ to an external one. Let's assume you only want to change the Bind DN and Password from the default "cn=Directory Manager" for security reasons.

Ludo has a good article on how to create Multiple Directory Administrators. Of course, you can create a more restrictive proxy administrator for OpenAM. 

Now, if you are on OpenAM 10.0.1, then no problem. You simply change the default "cn=Directory Manager" and its corresponding password to one which you have newly created.

A restart of OpenAM will modify the bootstrap file to reflect the new Bind DN. (Of course, I still do not know when OpenAM will auto-magically modify the bootstrap file as-and-when changes are made via the OpenAM console, and when it will require a restart in order for the bootstrap file to be modified.)

And now, we are done! That's OpenAM 10.0.1.

However, if you are on OpenAM 10.0.0, then no luck. Sorry. No matter how you change the Bind DN/Password via the OpenAM console, a restart of OpenAM will flush away the entries and replace them with the original ones. The bootstrap file is also not modified with the new pair of Bind DN/Password.

Why? I spent some time trying to figure it out. In the end, I found out that the problem was with the LDAP update when entries are modified on OpenAM console.

I opened OpenDJ control panel and observed ou=com-sun-identity-servers, ou=default, ou=GlobalConfig, ou=1.0, ou=iPlanetAMPlatformService, ou=Services, ....

When I was modifying the entries in OpenAM 10.0.1, I did manage to see that the DirDN was changed from "cn=Directory Manager" to "cn=Admin2, dc=cdemo, dc=sg" when I clicked SAVE on OpenAM console.



The same was not happening when I did the experiment on OpenAM 10.0.0. Do you have a clue? I dun.
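Since a 10.0.0 restart can silently put the old Bind DN back, one way to confirm which account OpenAM really binds as after a restart is to read the directory server's access log. The script below is an added example, not part of the original post or of OpenAM/OpenDJ; it assumes OpenDJ's text access-log layout for simple binds (`BIND REQ ... dn="..."` followed by `BIND RES ... result=N`), that only OpenAM's connections are fed in, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed OpenDJ text access-log layout for simple binds (not taken from the post).
BIND_REQ = re.compile(r'BIND REQ conn=(\d+) op=(\d+) .*?type=SIMPLE dn="([^"]*)"')
BIND_RES = re.compile(r'BIND RES conn=(\d+) op=(\d+) .*?result=(\d+)')

def normalize_dn(dn):
    """Lower-case and trim spaces around ',' and '=' (escaped commas not handled)."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in rdns).lower()

def successful_binds(lines):
    """Pair each BIND REQ with its BIND RES and count result=0 binds per DN."""
    pending, counts = {}, Counter()
    for line in lines:
        req = BIND_REQ.search(line)
        if req:
            pending[(req.group(1), req.group(2))] = normalize_dn(req.group(3))
            continue
        res = BIND_RES.search(line)
        if res:
            dn = pending.pop((res.group(1), res.group(2)), None)
            if dn is not None and res.group(3) == "0":
                counts[dn] += 1
    return counts

def change_took_effect(lines, old_dn, new_dn):
    """True only if the new DN bound successfully and the old DN never did."""
    counts = successful_binds(lines)
    return counts[normalize_dn(new_dn)] > 0 and counts[normalize_dn(old_dn)] == 0

# Constructed sample lines: first the reverted case, then the working case.
STILL_OLD = [
    '[27/Jun/2013:10:01:02 +0800] BIND REQ conn=3 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Admin2, dc=cdemo, dc=sg"',
    '[27/Jun/2013:10:01:02 +0800] BIND RES conn=3 op=0 msgID=1 result=49 etime=1',
    '[27/Jun/2013:10:01:05 +0800] BIND REQ conn=4 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Directory Manager"',
    '[27/Jun/2013:10:01:05 +0800] BIND RES conn=4 op=0 msgID=1 result=0 etime=2',
]
NOW_NEW = [
    '[27/Jun/2013:10:09:40 +0800] BIND REQ conn=12 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Admin2, dc=cdemo, dc=sg"',
    '[27/Jun/2013:10:09:40 +0800] BIND RES conn=12 op=0 msgID=1 result=0 etime=3',
]

if __name__ == "__main__":
    print(change_took_effect(STILL_OLD, "cn=Directory Manager", "cn=Admin2,dc=cdemo,dc=sg"))
    print(change_took_effect(NOW_NEW, "cn=Directory Manager", "cn=Admin2,dc=cdemo,dc=sg"))
```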

