Jason.Collins at doj.ca.gov
Wed Nov 30 18:11:56 EST 2011
We are moving from a POC build of openam to a test build. In that, we are building with security in mind. In all of the documentation on forgerock it appears that openam is binding to opendj as Directory Manager in a remote configuration store setup. I was intending to place openam's config store in its own suffix with an administrative account that will only have the privileges openam needs. So my question is, what are the privileges openam needs to interact with its config store?
The complete list of privileges supported in OpenDJ 2.4 is below:
backend-restore: Ability to perform backend restore operations.
bypass-acl: Ability to bypass access control evaluation.
bypass-lockdown: Ability to bypass server lockdown mode.
cancel-request: Ability to cancel arbitrary client requests.
config-read: Ability to read the server configuration.
config-write: Ability to update the server configuration.
data-sync: Ability to participate in a data synchronization environment.
disconnect-client: Ability to terminate arbitrary client connections.
jmx-notify: Ability to subscribe to JMX notifications.
jmx-read: Ability to perform read operations via JMX.
jmx-write: Ability to perform write operations via JMX.
ldif-export: Ability to perform LDIF export operations.
ldif-import: Ability to perform LDIF import operations.
modify-acl: Ability to modify access control rules.
password-reset: Ability to reset user passwords.
privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
server-lockdown: Ability to lockdown a server.
server-restart: Ability to request a server restart.
server-shutdown: Ability to request a server shutdown.
subentry-write: Ability to perform write operations on LDAP subentries.
unindexed-search: Ability to perform an unindexed search.
update-schema: Ability to update the server schema.
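The thread does not answer which privileges OpenAM needs, but the mechanism for the dedicated account the poster describes is fixed: create a bind entry under the config suffix, assign privileges with OpenDJ's ds-privilege-name attribute, and grant rights on that suffix only through an ACI instead of binding as Directory Manager. The script below is an added example, not code from the thread or from the ForgeRock projects. It generates that LDIF and checks the requested privilege names against the OpenDJ 2.4 list quoted above, refusing any that give control of the server itself. The suffix, DNs, password, the high-risk grouping and the single privilege chosen (unindexed-search) are all assumptions; the real set has to be confirmed by running OpenAM against the account.

```python
"""Least-privilege bind account for an OpenAM configuration suffix in OpenDJ.

Added example, not from the thread or the ForgeRock projects. The suffix,
DNs, password and the chosen privilege set are constructed assumptions;
the thread does not state which privileges OpenAM actually needs, so the
set used below must be confirmed by testing OpenAM against the account.
"""

import secrets

# Privilege names exactly as listed for OpenDJ 2.4 in the thread.
OPENDJ_24_PRIVILEGES = frozenset({
    "backend-restore", "bypass-acl", "bypass-lockdown", "cancel-request",
    "config-read", "config-write", "data-sync", "disconnect-client",
    "jmx-notify", "jmx-read", "jmx-write", "ldif-export", "ldif-import",
    "modify-acl", "password-reset", "privilege-change", "proxied-auth",
    "server-lockdown", "server-restart", "server-shutdown", "subentry-write",
    "unindexed-search", "update-schema",
})

# Privileges that give control over the server itself or let the holder
# escape access control. An application service account should not hold
# them; this grouping is the example's assumption, derived from the
# one-line descriptions in the thread.
HIGH_RISK_PRIVILEGES = frozenset({
    "bypass-acl", "bypass-lockdown", "privilege-change", "modify-acl",
    "config-write", "update-schema", "ldif-import", "backend-restore",
    "server-restart", "server-shutdown", "server-lockdown", "proxied-auth",
})


def validate_privileges(requested):
    """Return the subset of the requested privileges that are high risk.

    Raises ValueError for names that are not OpenDJ 2.4 privileges, so a
    typo cannot silently leave the account with the wrong rights.
    """
    requested = set(requested)
    unknown = requested - OPENDJ_24_PRIVILEGES
    if unknown:
        raise ValueError("unknown OpenDJ privileges: %s" % sorted(unknown))
    return requested & HIGH_RISK_PRIVILEGES


def build_account_ldif(suffix, uid, password, privileges):
    """Build the LDIF that creates the bind account under the config suffix
    and grants it rights on that suffix only, via an ACI rather than via
    root-level privileges (Directory Manager is not used at all).
    """
    high_risk = validate_privileges(privileges)
    if high_risk:
        raise ValueError("refusing high-risk privileges: %s" % sorted(high_risk))

    account_dn = "uid=%s,ou=service-accounts,%s" % (uid, suffix)
    lines = [
        "dn: ou=service-accounts,%s" % suffix,
        "changetype: add",
        "objectClass: top",
        "objectClass: organizationalUnit",
        "ou: service-accounts",
        "",
        "dn: %s" % account_dn,
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "uid: %s" % uid,
        "cn: OpenAM configuration store account",
        "sn: OpenAM",
        "userPassword: %s" % password,
    ]
    # ds-privilege-name is the OpenDJ attribute that assigns privileges to
    # a user entry, one value per privilege.
    lines += ["ds-privilege-name: %s" % p for p in sorted(privileges)]
    # Grant read/write on the config suffix to this account only. Applying
    # the ACI itself needs the modify-acl privilege, which the administrator
    # running ldapmodify holds, not the service account.
    lines += [
        "",
        "dn: %s" % suffix,
        "changetype: modify",
        "add: aci",
        'aci: (targetattr="*")(version 3.0; acl "OpenAM config store access"; '
        'allow (read,search,compare,write,add,delete) userdn="ldap:///%s";)'
        % account_dn,
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values; the suffix, uid and privilege choice are assumptions.
    print(build_account_ldif(
        suffix="dc=openam-config,dc=example,dc=com",
        uid="openam",
        password=secrets.token_urlsafe(24),
        privileges=["unindexed-search"],  # assumption; confirm against OpenAM
    ))
```

Feed the output to ldapmodify as an account that already holds modify-acl (the ACI modification) and ordinary add rights, then point OpenAM's configuration store at the new bind DN; if OpenAM fails an operation, add the one privilege whose description in the list above matches the failure rather than falling back to Directory Manager.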