I have an OpenAM instance with only the default realm configured. I have set up my Organization Auth Chain with a single LDAP module that allows my users to self-register.

I also have set up another chain, called adminChain and set as the Administrator Auth Chain, with a single Data Store module in order to allow the amAdmin user to log in using the /console URL.

My problem is that this second chain also allows non-admin users from the LDAP data store to log in, which actually makes sense because it's using the DataStore module. But then how can I prevent normal users from logging in with the admin chain? I want them to be limited to a specific chain only.
You should use the root realm for administration and a sub-realm for operations. In fact, OpenAM will use all configured user data stores in a realm when it's configured to support the requested operation.

As a workaround you could set the value of Authentication Naming Attribute in the user data store config to an attribute which does not exist in the entries. This will make 'datastore' authentication for regular users fail. amAdmin can still authenticate because this identity is stored in a special data store which does not show up in OpenAM configuration.

Be aware that you may be subject to a bug, as in older versions the DN cache is leveraged during authentication.
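A check for the workaround above, added here as an example and not part of the thread: after the data store's Authentication Naming Attribute points at a non-existent attribute, amAdmin must still get in via adminChain, a regular LDAP user must be rejected there, and that user must still authenticate through the organization chain. It assumes OpenAM's REST endpoint /json/authenticate with chain selection via authIndexType=service and credentials in the X-OpenAM-Username / X-OpenAM-Password headers; the base URL, account names and chain name "ldapService" (OpenAM's stock organization chain) are placeholders to adjust.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def authenticate(base_url, chain, username, password, opener=urllib.request.urlopen):
    """Return True if `chain` issues a session (tokenId) for these credentials.

    Assumes OpenAM's /json/authenticate endpoint, chain selection via
    authIndexType=service, and credentials in the X-OpenAM-* headers.
    `opener` is injectable so the check can be exercised against a fake server.
    """
    query = urllib.parse.urlencode({"authIndexType": "service", "authIndexValue": chain})
    req = urllib.request.Request(
        f"{base_url}/json/authenticate?{query}",
        data=b"{}",
        method="POST",
        headers={"Content-Type": "application/json",
                 "X-OpenAM-Username": username,
                 "X-OpenAM-Password": password},
    )
    try:
        with opener(req) as resp:
            return "tokenId" in json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:  # failed login; anything else is a real error
            return False
        raise


def verify_chain_separation(base_url, admin, admin_pw, user, user_pw,
                            admin_chain="adminChain", user_chain="ldapService",
                            opener=urllib.request.urlopen):
    """Check all three outcomes the workaround must produce at once.

    user_chain defaults to OpenAM's stock organization chain name (an
    assumption); set it to the name of the chain the question describes.
    """
    r = {
        "admin_via_admin_chain": authenticate(base_url, admin_chain, admin, admin_pw, opener),
        "user_via_admin_chain": authenticate(base_url, admin_chain, user, user_pw, opener),
        "user_via_user_chain": authenticate(base_url, user_chain, user, user_pw, opener),
    }
    # amAdmin must still get in via adminChain, regular users must be rejected
    # there, and regular users must still log in through their own chain.
    r["ok"] = (r["admin_via_admin_chain"] and not r["user_via_admin_chain"]
               and r["user_via_user_chain"])
    return r
```

Run it once before and once after changing the attribute: "user_via_admin_chain" should flip from True to False while the other two stay True.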