Oracle® Identity Management User Reference 10g (10.1.4.2) Part Number E10531-01 |
This chapter describes the following command-line tools used to administer the Oracle Internet Directory database:
oidpasswd (Oracle Internet Directory Database Password Utility)
oidstats.sql (Oracle Internet Directory Database Statistics Collection Tool)
The Oracle Internet Directory Database Password Utility (oidpasswd) is used to:
Change the password to the Oracle Internet Directory database.
Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password matches the value you specified during installation for the Oracle Application Server administrator's password. You can change this password by using the OID Database Password Utility.
Create wallets for the Oracle Internet Directory database password and the Oracle directory replication server password.
Unlock or reset the directory super user account, namely, cn=orcladmin.
Reset an access control point (ACP) so that the subtree is accessible by the Oracle Internet Directory super user.
Manage the restricted super user ACL.
oidpasswd [connect=connect_string] [change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true| reset_su_password=true | manage_su_acl=true]
connect=connect_string
Optional. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located in $ORACLE_HOME/network/admin. If not provided, defaults to the value of the $ORACLE_SID environment variable.
change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true | reset_su_password=true | manage_su_acl=true
Required. The operation you want to perform. Depending on the operation you choose, the Oracle Internet Directory Database Password Utility will prompt you for additional information. The following choices are available:
change_oiddb_pwd=true - Changes the password to the Oracle Internet Directory database. You will be prompted to provide the current database password, enter a new database password, and confirm the new password.
Note:
In an Oracle Real Application Clusters (RAC) environment, if you update the password on one Oracle RAC node, then you need to update the wallet on the other Oracle RAC nodes as well. Refer to "About Changing the ODS Password on an Oracle RAC System" in the Oracle Application Server High Availability Guide for more information.
create_wallet=true - Creates a wallet named oidpwdlldap1 for the Oracle Internet Directory database password, and a wallet named oidpwdrsid for the Oracle directory replication server password. The sid in that name is obtained not from the environment variable SID but from the connected database.
You need to provide the ODS password to authenticate yourself to the ODS database before the ODS wallet can be generated. Note that the default ODS password is the same as that for the Oracle Application Server administrator.
unlock_su_acct=true - Unlocks a super user account that has been locked.
reset_su_password=true - Resets the password for the Oracle Internet Directory super user account. You will be prompted to provide the Oracle Internet Directory database password, enter a new super user password, and confirm the new super user password.
manage_su_acl=true - Manages the restricted super user ACL.
Using the Oracle Internet Directory Database Password Utility, you can perform the tasks shown in the following examples.
The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.
Example:
oidpasswd
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.
The Oracle Internet Directory Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password.
The utility assumes by default that the password being changed is that of the local database (as defined by ORACLE_HOME and ORACLE_SID). If you are changing the password on a remote database, you must use the connect=connect_string option.
Note:
User responses are not echoed to the screen when you enter a password.
Whenever you change the password to the Oracle Internet Directory database by using the OID Database Password Utility, you should also run the oidemdpasswd utility. This enables the Oracle Enterprise Manager Daemon (a component of Oracle Enterprise Manager) to properly cache that password and contact the ODS schema upon starting up. Once you have run the oidemdpasswd utility, you can monitor Oracle Internet Directory processes from the Oracle Enterprise Manager.
The following example shows how to create wallets for the Oracle Internet Directory database password and the Directory Replication server password.
Example:
oidpasswd connect=dbs1 create_wallet=true
The argument create_wallet=true is mandatory in this case. Except for the connect string, no other option can be specified.
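Both wallets written by the command above hold credentials (the ODS database password and the replication server password), so a sensible follow-up is to confirm that no other local user can read them. The following POSIX shell function is an added example, not part of the Oracle documentation or the oidpasswd tool: it takes the directory where your installation keeps the wallets (the page does not state the location, so it is passed in as an assumption) and the database sid, and reports any wallet that is missing or carries group/other permission bits. The demonstration at the bottom runs on a constructed temporary directory and does not touch real wallets.

```sh
#!/bin/sh
# Added example (not from the Oracle documentation): verify that the two
# oidpasswd wallets named on this page, oidpwdlldap1 and oidpwdr<sid>,
# exist and are readable only by their owner. The wallet directory is an
# ASSUMPTION supplied by the caller; the page does not give its location.

# check_wallet_perms DIR SID
# Prints one line per wallet; returns 0 only if both wallets exist and
# have no group or other permission bits set.
check_wallet_perms() {
    dir=$1
    sid=$2
    rc=0
    for f in "$dir/oidpwdlldap1" "$dir/oidpwdr$sid"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        # The first field of ls -l is the POSIX mode string, e.g. -rw-------;
        # positions 5-10 are the group and other permission bits.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ????------) echo "OK       $f ($mode)" ;;
            *)          echo "EXPOSED  $f ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on a constructed directory with constructed
# file contents; one wallet is deliberately left too permissive.
demo_dir=$(mktemp -d)
umask 077
printf 'constructed wallet content\n' > "$demo_dir/oidpwdlldap1"
printf 'constructed wallet content\n' > "$demo_dir/oidpwdrORCL"
chmod 644 "$demo_dir/oidpwdrORCL"
check_wallet_perms "$demo_dir" ORCL || echo "wallet permissions need attention"
rm -rf "$demo_dir"
```

Run it as check_wallet_perms "$WALLET_DIR" "$SID" after create_wallet=true; a non-zero exit means at least one wallet is absent or exposed. The mode string is read from ls -l rather than stat because the ls -l format is specified by POSIX, whereas stat's flags differ between Linux and BSD-derived systems.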
The following example shows how to unlock the Oracle Internet Directory super user account, cn=orcladmin.
Example:
oidpasswd connect=dbs1 unlock_su_acct=true
The argument unlock_su_acct=true is mandatory. Except for the connect string, no other option can be specified.
If you forget the Oracle Internet Directory super user password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the super user password and the Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory super user password using ldapmodify, or change it separately using the oidpasswd tool.
The following example shows how to reset the Oracle Internet Directory super user password. The oidpasswd tool prompts you for the Oracle Internet Directory database password.
Example:
oidpasswd connect=dbs1 reset_su_password=true
OID DB user password: oid_db_password
password: new_su_password
confirm password: new_su_password
OID super user password reset successfully
When an access control point (ACP) is set with an access control item (ACI) that has the keyword DenyGroupOverride, neither the Oracle Internet Directory super user nor members of DirectoryAdminGroup can access the subtree under that ACP. If necessary, you can use the oidpasswd tool to reset that ACP so that the subtree is accessible by the Oracle Internet Directory super user.
The following example shows how to reset a restricted ACP. The oidpasswd utility prompts you to enter the Oracle Internet Directory database password and to choose which super user restricted ACPs to reset.
Example:
oidpasswd conn=dbs1 manage_su_acl=true
OID DB user password: oid_db_password
The super user restricted ACP list
[1] o=oracle,c=us
[2] ou=personnel,o=oracle,c=us
Enter 'resetall' or the number(s) of the ACP to be reset separated by [,]
resetall
Once you have reset some ACPs so that the super user can access them, you can use ldapmodify to make the subtrees inaccessible to the super user again.
Use the Oracle Internet Directory Database Statistics Collection Tool (oidstats.sql) to analyze the various database ods (Oracle Directory Server) schema objects to estimate the statistics. It is located in the following directory: $ORACLE_HOME/ldap/admin/. You must run this utility whenever there are significant changes in directory data—including the initial load of data into the directory.
If you load data into the directory by any means other than the bulk load tool (bulkload.sh
), then you must run the Oracle Internet Directory Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan in executing the queries corresponding to the LDAP operations. You can run Oracle Internet Directory Database Statistics Collection tool at any time, without shutting down any of the Oracle Internet Directory daemons.
Note:
If you do not use the bulkload utility to populate the directory, then you must run the oidstats.sql tool to avoid significant search performance degradation.
ods_password
Required. The ODS password to authenticate yourself to the ODS database. Note that the default ODS password is the same as that for the Oracle Application Server administrator.
connect_string
Required. The connect string for the ODS database. This is the network service name set in the tnsnames.ora file.