
OpenAM creates OpenDJ accounts you don't know about

OpenAM 12.0.1 was recently released (for subscribers only), which fixes this issue. See Issue #201505-05.

TL;DR: If you configure OpenDJ using the OpenAM configurator (either the web-based one or the configurator tool), or if you ask OpenAM to load the LDAP schema via the Data Sources page in the web UI after installation, your OpenDJ installation will be provisioned with two users, cn=openssouser and cn=ldapuser, with default hardcoded passwords.

You can find these entries in OpenAM-X.war/WEB-INF/template/ldif/opendj/opendj_userinit.ldif:

dn: cn=openssouser,ou=opensso adminusers,@userStoreRootSuffix@
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: openssouser
sn: openssouser
userPassword: @OPENSSO_USER_PASSWD@

dn: cn=ldapuser,ou=opensso adminusers,@userStoreRootSuffix@
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: ldapuser
sn: ldapuser
userPassword: @LDAP_USER_PASSWD@

While ldapuser has limited access, cn=openssouser has the following ACI:

dn:@userStoreRootSuffix@
changetype:modify
add:aci
aci: (target="ldap:///@userStoreRootSuffix@")(targetattr="*")(version 3.0; acl
"OpenSSO datastore configuration bind  user all rights under the root suffix";
allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,@userStoreRootSuffix@"; )

This means that cn=openssouser can do whatever it wants under the root suffix (except with its own entry; additional ACIs later in that file restrict that).

If this does not make you nervous yet, look at the userPassword values. Yes, you are right. The default password for cn=openssouser is @OPENSSO_USER_PASSWD@. The default password for cn=ldapuser is @LDAP_USER_PASSWD@.

This is vaguely described in OPENAM-1036, but that issue does not pay much attention to the problem of the exposed passwords. The templating mechanism does not substitute these placeholders, so the literal strings @OPENSSO_USER_PASSWD@ and @LDAP_USER_PASSWD@ are stored as the passwords.

These users are left over from the Sun OpenSSO configuration and ideally they should not have migrated to OpenAM, since even the OpenAM documentation hints at using cn=openam,ou=admins,$basedn in Preparing an Identity Repository.

cn=openssouser was meant to be the user for OpenSSO to bind as, instead of cn=Directory Manager, as described in Using OpenDS as user store for OpenSSO. The reasoning behind cn=ldapuser is not clear to me ("This user will have read access to the users entries, this will be used in the policy configuration and LDAP authentication configuration").

Quick Fix

You can see whether anybody was able to bind as these users by browsing the OpenDJ access logs for BIND operations with these DNs.
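An added check, not part of the original post: a small Python script that scans OpenDJ access-log lines for BIND attempts by the two provisioned DNs and reports which of them succeeded. The log line layout and the dc=example,dc=com suffix are assumptions, and the log excerpt is constructed.

```python
import re

# DNs provisioned by opendj_userinit.ldif; @userStoreRootSuffix@ is assumed
# to have been expanded to dc=example,dc=com in this constructed sample.
SUSPECT_DNS = {
    "cn=openssouser,ou=opensso adminusers,dc=example,dc=com",
    "cn=ldapuser,ou=opensso adminusers,dc=example,dc=com",
}

# Assumed shape of OpenDJ file-based access log lines for BIND request/result.
BIND_REQ = re.compile(r'^\[(?P<ts>[^\]]+)\] BIND REQ conn=(?P<conn>\d+) op=(?P<op>\d+) .*? dn="(?P<dn>[^"]*)"')
BIND_RES = re.compile(r'^\[[^\]]+\] BIND RES conn=(?P<conn>\d+) op=(?P<op>\d+) .*? result=(?P<result>\d+)')

def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DN spellings compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_suspect_binds(lines, suspect_dns=SUSPECT_DNS):
    """Return [(timestamp, conn, dn, succeeded)] for every BIND by a suspect DN.

    A BIND REQ is matched to its BIND RES by (conn, op); result=0 means success."""
    wanted = {normalize_dn(d) for d in suspect_dns}
    pending = {}  # (conn, op) -> (ts, dn) for suspect requests awaiting their result
    findings = []
    for line in lines:
        m = BIND_REQ.match(line)
        if m:
            dn = normalize_dn(m.group("dn"))
            if dn in wanted:
                pending[(m.group("conn"), m.group("op"))] = (m.group("ts"), dn)
            continue
        m = BIND_RES.match(line)
        if m and (m.group("conn"), m.group("op")) in pending:
            ts, dn = pending.pop((m.group("conn"), m.group("op")))
            findings.append((ts, int(m.group("conn")), dn, m.group("result") == "0"))
    return findings

# Constructed sample: one successful bind as openssouser, one legitimate bind
# as cn=openam, and one failed (result=49) bind as ldapuser with odd DN casing.
SAMPLE_LOG = """\
[22/Jul/2015:10:11:12 +0200] CONNECT conn=3 from=10.0.0.5:51234 to=10.0.0.2:389 protocol=LDAP
[22/Jul/2015:10:11:12 +0200] BIND REQ conn=3 op=0 msgID=1 version=3 type=SIMPLE dn="cn=openssouser,ou=opensso adminusers,dc=example,dc=com"
[22/Jul/2015:10:11:12 +0200] BIND RES conn=3 op=0 msgID=1 result=0 authDN="cn=openssouser,ou=opensso adminusers,dc=example,dc=com" etime=1
[22/Jul/2015:10:11:13 +0200] BIND REQ conn=4 op=0 msgID=1 version=3 type=SIMPLE dn="cn=openam,ou=admins,dc=example,dc=com"
[22/Jul/2015:10:11:13 +0200] BIND RES conn=4 op=0 msgID=1 result=0 authDN="cn=openam,ou=admins,dc=example,dc=com" etime=1
[22/Jul/2015:10:11:14 +0200] BIND REQ conn=5 op=0 msgID=1 version=3 type=SIMPLE dn="CN=ldapuser, OU=opensso adminusers, DC=example, DC=com"
[22/Jul/2015:10:11:14 +0200] BIND RES conn=5 op=0 msgID=1 result=49 etime=1
"""

if __name__ == "__main__":
    for ts, conn, dn, ok in find_suspect_binds(SAMPLE_LOG.splitlines()):
        print(f"{ts} conn={conn} {dn} {'SUCCESS' if ok else 'failed'}")
```

Point it at the real access log (python3 script.py < logs/access) after replacing SAMPLE_LOG with the file's lines and adjusting SUSPECT_DNS to your root suffix; any SUCCESS line for these DNs deserves a closer look.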

Disable these users if you know you are not using them. On the OpenDJ host, change to the bin directory of the OpenDJ installation and run:

./manage-account -h localhost -p 4444 -D "cn=directory manager" \
                 -w $directory_manager_password -X \
                 set-account-is-disabled --operationValue true \
                 --targetDN "cn=openssouser,ou=opensso adminusers,$basedn"

./manage-account -h localhost -p 4444 -D "cn=directory manager" \
                 -w $directory_manager_password -X \
                 set-account-is-disabled --operationValue true \
                 --targetDN "cn=ldapuser,ou=opensso adminusers,$basedn"

Deleting these users will help, but only until you re-upload the LDAP schema, at which point they will be re-created.

Long Term Fix

Remove or disable these users and then upgrade to OpenAM 12.0.1 so that they don't suddenly reappear. If you can't upgrade, edit OpenAM-X.war/WEB-INF/template/ldif/opendj/opendj_userinit.ldif.