OpenAM is as powerful as it is complicated at times. In this case I spent a lot of time working out how to configure some simple settings, so I decided to take notes about it in this blog entry.
First of all, don't forget to set the environment variables and change to the ssoadm directory (the password file passed with -f should be readable only by its owner, e.g. mode 400, or ssoadm will refuse it):
export JAVA_HOME="/usr/lib/jvm/java-6-openjdk-amd64/jre"
export CLASSPATH="/var/lib/tomcat7/webapps/openam/WEB-INF/lib/policy-plugins.jar:/var/lib/tomcat7/webapps/openam/WEB-INF/lib/openam-core-11.0.0.jar"
cd /opt/openam/ssoadmin/openam/bin
Getting the list of user identities:
./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t User -x "*"
anonymous (id=anonymous,ou=user,dc=openam)
demo (id=demo,ou=user,dc=openam)
serviceusername (id=serviceusername,ou=user,dc=openam)
amAdmin (id=amAdmin,ou=user,dc=openam)
Search of Identities of type User in realm, / succeeded.
Another useful query would be listing the role identities:
./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t Role -x "*"
No plug-ins configured for this operation
But as you can see, it doesn't work, and I don't know how to solve it.
Looking at the GUI instead, you can get to the identities list via: Access Control > / (Top Level Realm) > Privileges
On this page you have a list of role identities; in my case there is only one: “All Authenticated Users”. Inside this identity I can set different privileges:
- REST calls for Policy Evaluation (EntitlementRestAccess)
- Read and write access to all log files (LogAdmin)
- REST calls for searching entitlements (PrivilegeRestReadAccess)
- Read access to all log files (LogRead)
- Read and write access to all federation metadata configurations (FederationAdmin)
- Read and write access only for policy properties (PolicyAdmin)
- Read and write access to all configured Agents (AgentAdmin)
- Read and write access to all realm and policy properties (RealmAdmin)
- REST calls for managing entitlements (PrivilegeRestAccess)
- Write access to all log files (LogWrite)
If we want to remove a privilege:
root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm remove-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role
Privileges were removed from identity, All Authenticated Users of type, role in realm, /.
or adding a privilege:
root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm add-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role
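Because “All Authenticated Users” matches every logged-in user, any write or admin privilege granted to that role is effectively granted to everyone who can authenticate. The following shell functions are an added example (not from the original post) that parse the list-identities output format shown above and the privilege names listed above, to flag unexpected accounts and risky grants; the sample output and the expected-account baseline are constructed for the example.

```sh
#!/bin/sh
# Constructed sample in the format of `ssoadm list-identities ... -t User -x "*"`.
SAMPLE_USERS='anonymous (id=anonymous,ou=user,dc=openam)
demo (id=demo,ou=user,dc=openam)
serviceusername (id=serviceusername,ou=user,dc=openam)
amAdmin (id=amAdmin,ou=user,dc=openam)
Search of Identities of type User in realm, / succeeded.'

# identity_names OUTPUT: print one identity name per line. The trailing
# "Search of Identities ... succeeded." status line has no "(id=" and is dropped.
identity_names() {
    printf '%s\n' "$1" | sed -n 's/^\([^ ]*\) (id=.*$/\1/p'
}

# unexpected_identities OUTPUT EXPECTED: names present in OUTPUT but missing
# from the space-separated EXPECTED baseline (e.g. leftover demo accounts).
unexpected_identities() {
    for name in $(identity_names "$1"); do
        case " $2 " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Privilege names from the post that grant write or admin rights; assigning any
# of these to "All Authenticated Users" hands them to every logged-in user.
WRITE_PRIVILEGES='LogAdmin LogWrite FederationAdmin PolicyAdmin AgentAdmin RealmAdmin PrivilegeRestAccess'

# risky_privileges GRANTED: print those space-separated GRANTED privilege names
# that are in WRITE_PRIVILEGES, in the order given.
risky_privileges() {
    for priv in $1; do
        case " $WRITE_PRIVILEGES " in
            *" $priv "*) echo "$priv" ;;
        esac
    done
}

# With real ssoadm output you would pass e.g.
#   unexpected_identities "$(./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t User -x '*')" "amAdmin serviceusername"
unexpected_identities "$SAMPLE_USERS" "amAdmin serviceusername"   # prints anonymous and demo
risky_privileges "EntitlementRestAccess LogRead RealmAdmin"       # prints RealmAdmin
```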
Turning to policies, exporting them:
./ssoadm list-policies -u amadmin -f /tmp/oam.pwd -e / -o /tmp/policies.xml
and if we want to import the policies:
./ssoadm create-policies -u amAdmin -f /tmp/oam.pwd -e / --xmlfile /tmp/policies.xml
Creating a user:
./ssoadm create-identity -u amadmin -f /tmp/oam.pwd -e / -i serviceusername -t User --attributevalues "userpassword=servicepassword"
Useful references: