GoVeg.com

Monday, January 12, 2009

Attempt to login as amAdmin to module LDAP denied due to internal users restriction

Introduction

This is a side effect of AM 7.1 patch 2 and seems to happen only in legacy mode.

Patch 2:

126356-02 Sun Java System Access Manager 7.1 Solaris Readme

Version

Observed on AM 7.1 patch 2 on Solaris 10.

Symptoms

The AM administrator (amAdmin) cannot log in anymore, and therefore cannot use the console anymore!

Error(s)

Returned to the console, and found in the server-side Access Manager debug output (amAuth):

amAuth : WARNING: LoginState.isValidAuthForInternalUser():
Attempt to login as:amAdmin, to module:LDAP, at realm:dc=iam,dc=finbel,dc=intra, denied due to internal users restriction

Solution

Two ldapmodify operations have to be executed against Directory Server (5.2 in our environment); each command below reads its LDIF change from standard input. Afterwards the DataStore authentication module (module=DataStore) has to be used to enter AM.

Source of the procedure: docs.sun.com

ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ds-rootdn
changetype: modify
add: sunRegisteredServiceName
sunRegisteredServiceName: sunAMAuthDataStoreService

ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=sunAMAuthDataStoreService,ou=services,ds-rootdn
changetype: modify
add: sunkeyvalue
sunkeyvalue: sunAMAuthDataStoreAuthLevel=0

Notice that it was not necessary to execute the second ldapmodify; it was already in Directory Server.

Restart AM.

Logging in to AM as amAdmin is now done by entering:
https://yourdomain/amserver/UI/Login?module=DataStore
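The same fix as a rerunnable script, added here as an example (it is not from the original post or from Sun's documentation). It wraps the two ldapmodify changes above in a guard that first checks with ldapsearch whether the value is already present, because a plain LDAP add of an existing value fails with result 20 (attributeOrValueExists), which is exactly what happens when the second change is already in Directory Server. It also adds a small check that pulls the "denied due to internal users restriction" entries out of an amAuth debug file, so you can confirm the symptom before and after the change. Assumed: the Sun DS ldapsearch/ldapmodify tools on PATH, the placeholder connection settings DS_HOST, DS_PORT, DM_DN and DM_PW_FILE (replace them), and a constructed two-line sample of the debug output used only for the offline test.

```shell
#!/bin/sh
# Added example, not the original post's or Sun's code.
# Assumed: Sun DS 5.2 ldapsearch/ldapmodify on PATH and the settings below.

: "${DS_HOST:=ds-host}"                 # placeholder, as on the page
: "${DS_PORT:=389}"                     # assumed default LDAP port
: "${DM_DN:=cn=Directory Manager}"
: "${DM_PW_FILE:=/etc/opt/ds-dm.pw}"    # assumed mode-600 file with the DM password

# Report amAuth denials from the internal users restriction as
# "user module realm", one per line. Reads the debug file(s) given as
# arguments, or standard input when none are given.
denied_logins() {
    sed -n 's/.*Attempt to login as:\([^,]*\), to module:\([^,]*\), at realm:\(.*\), denied due to internal users restriction.*/\1 \2 \3/p' "$@"
}

# Constructed sample of the two debug lines quoted on the page, used to
# exercise denied_logins offline.
sample_debug() {
    printf '%s\n' \
        'amAuth : WARNING: LoginState.isValidAuthForInternalUser():' \
        'Attempt to login as:amAdmin, to module:LDAP, at realm:dc=iam,dc=finbel,dc=intra, denied due to internal users restriction'
}

# DN of the DataStore module's organization config under the root DN ($1).
datastore_config_dn() {
    echo "ou=default,ou=OrganizationConfig,ou=1.0,ou=sunAMAuthDataStoreService,ou=services,$1"
}

# Print one LDIF "add" change: ldif_add <dn> <attribute> <value>
ldif_add() {
    printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}

# Add <attribute>=<value> to <dn> unless it is already there. A plain LDAP
# add of an existing value fails with result 20 (attributeOrValueExists),
# so the ldapsearch guard makes the whole fix safe to rerun.
add_if_missing() {
    dn=$1; attr=$2; value=$3
    pw=$(cat "$DM_PW_FILE")
    if ldapsearch -h "$DS_HOST" -p "$DS_PORT" -D "$DM_DN" -w "$pw" \
            -b "$dn" -s base "($attr=$value)" dn 2>/dev/null | grep -q '^dn:'; then
        echo "already present: $attr=$value on $dn"
        return 0
    fi
    ldif_add "$dn" "$attr" "$value" |
        ldapmodify -h "$DS_HOST" -p "$DS_PORT" -D "$DM_DN" -w "$pw"
}

# Apply both changes from the page for the given root DN, e.g.
#   apply_datastore_fix "dc=iam,dc=finbel,dc=intra"
# then restart AM and log in with ?module=DataStore.
apply_datastore_fix() {
    rootdn=$1
    add_if_missing "$rootdn" sunRegisteredServiceName sunAMAuthDataStoreService &&
    add_if_missing "$(datastore_config_dn "$rootdn")" sunkeyvalue sunAMAuthDataStoreAuthLevel=0
}
```

Source the file and call `apply_datastore_fix` with your root DN, then `denied_logins /path/to/amAuth` to confirm the warning no longer appears after the restart. The Directory Manager password is still passed with `-w` exactly as on the page, so it is visible in the process list while the command runs; keep it in a mode-600 file rather than in shell history, and prefer a password-file option if your ldapmodify build offers one.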

References

Some explanations on the authentication module "DataStore".

More here:
https://opensso.dev.java.net/issues/show_bug.cgi?id=3924
and here:
https://opensso.dev.java.net/issues/show_bug.cgi?id=3961

...Hope this helps...

-rudy-
