12 Managing Accounts and Passwords in Oracle Internet Directory

You can manage Oracle Internet Directory accounts and passwords using command-line tools, the Self-Service Console, Oracle Directory Services Manager, and Oracle Enterprise Manager Fusion Middleware Control. You can also manage the passwords for the superuser account, the EMD administrator account, and the Oracle Internet Directory database.

The following topics describe managing accounts and passwords in Oracle Internet Directory:

12.1 Introduction to Managing Accounts and Passwords

Using command-line tools or the Self-Service console, you can perform administrative tasks related to account and passwords.

Note:

To manage users using the Self-Service console in Oracle Identity Manager, see Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager in 12c Release 2 (12.2.1.3.0).

Using command-line tools or the Self-Service console, you can temporarily disable a user's account, then enable it again. If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.

Using command-line tools, you can force users to change their passwords when they log in for the first time.

If you forget your password or become locked out of your account, then you can reset your password. You do this by using the Self-Service Console. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.

The Superuser is a special directory administrator with full access to directory information. The default user name of the superuser is orcladmin. The password is set by the administrator during installation.

Note:

Oracle recommends that you change the password immediately after installation.

You can use either Oracle Enterprise Manager or ldapmodify to administer the Superuser password.

See Also:

Managing Directory Access Control for information on how to set access rights

Another privileged account is the administrator, "cn=emd admin,cn=oracle internet directory". This account is used for starting and stopping Oracle Internet Directory server manageability information collection. It is also used by Oracle Enterprise Manager Fusion Middleware Control to make configuration changes to Oracle Internet Directory. These changes are made over a secure connection.

The only way you can change this account's password is to use the procedure documented in Changing the Password for the EMD Administrator Account. There is no support in the oidpasswd tool for changing this password.

12.2 Managing Accounts and Passwords by Using Command-Line Tools

You can perform admin operations on user accounts by using command-line tools.

This section contains these topics:

12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools

You can temporarily disable a user's account, then enable it again, by using command-line tools.

To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.

To enable the account after you have disabled it, delete this attribute from the entry.

To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example, you could use a command line such as:

ldapmodify -p port -h host -D cn=orcladmin -q -v -f my.ldif

where my.ldif contains a modify operation that sets both attributes (the values are LDAP generalized time in UTC; the trailing z is the UTC designator):

dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
replace: orclactivestartdate
orclactivestartdate: 20030101000000z
-
replace: orclactiveenddate
orclactiveenddate: 20031231000000z

In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in before January 1, 2003 or after December 31, 2003. If you want to disable his account for the period between these dates, then set the orclisenabled attribute to DISABLED.
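The rule above (orclisenabled set to DISABLED always wins; any other value or an absent attribute leaves the account enabled, subject to the orclActiveStartDate/orclActiveEndDate window) is easy to get wrong when scripting account reviews. The following Python is an added example, not code from the Oracle documentation: it models that decision for an entry read from the directory and builds the modify LDIF that ldapmodify -f consumes. Attribute names are those on the page; the entry dictionaries, the lowercase-attribute convention and the helper names are assumptions of this example.

```python
"""Added example (not Oracle's code): evaluate whether an OID user entry is
currently usable under the orclisenabled / orclActiveStartDate /
orclActiveEndDate rules, and generate the LDIF that sets an active window.

Assumption: an entry is a dict of lowercase attribute name -> string value,
as a search tool would return it.  Timestamps use LDAP GeneralizedTime in
UTC (YYYYMMDDHHMMSSZ); the page's examples use a lowercase 'z', so both are
accepted on input.
"""
from datetime import datetime, timezone

GEN_TIME = "%Y%m%d%H%M%SZ"


def to_generalized_time(dt):
    """Render a timezone-aware datetime as UTC GeneralizedTime, e.g. 20030101000000Z."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware to avoid local-time drift")
    return dt.astimezone(timezone.utc).strftime(GEN_TIME)


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string (upper- or lowercase Z) into an aware datetime."""
    return datetime.strptime(value.strip().upper(), GEN_TIME).replace(tzinfo=timezone.utc)


def account_is_active(entry, now):
    """Apply the rule from the text:
       - orclisenabled == DISABLED  -> inactive, regardless of any date window
       - any other value or absent  -> enabled, but only inside the date window
    A missing start or end date means that side of the window is open.
    """
    if entry.get("orclisenabled", "").strip().upper() == "DISABLED":
        return False
    start = entry.get("orclactivestartdate")
    end = entry.get("orclactiveenddate")
    if start and now < parse_generalized_time(start):
        return False
    if end and now > parse_generalized_time(end):
        return False
    return True


def window_ldif(dn, start, end):
    """Build the LDIF for `ldapmodify -f` that replaces both window attributes."""
    if end <= start:
        raise ValueError("orclActiveEndDate must be after orclActiveStartDate")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: orclactivestartdate",
        f"orclactivestartdate: {to_generalized_time(start)}",
        "-",
        "replace: orclactiveenddate",
        f"orclactiveenddate: {to_generalized_time(end)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry matching the page's John Doe example.
    john = {"orclactivestartdate": "20030101000000z",
            "orclactiveenddate": "20031231000000z"}
    print(account_is_active(john, datetime(2003, 6, 1, tzinfo=timezone.utc)))
    print(window_ldif("cn=John Doe,cn=users,o=my_company,dc=com",
                      datetime(2003, 1, 1, tzinfo=timezone.utc),
                      datetime(2003, 12, 31, tzinfo=timezone.utc)))
```

The comparison is done in UTC throughout; feeding a naive local datetime into the generator is rejected rather than silently shifted, which is the usual source of an account that goes live an hour early or late.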

12.2.2 Unlocking Accounts by Using Command-Line Tools

If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.

To unlock an account, set the orclpwdaccountunlock attribute to 1.

The following example unlocks the account for user John Doe.

ldapmodify -p port -h host -D cn=orcladmin -q -v -f file.ldif

where file.ldif contains:

dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1

12.2.3 Forcing a Password Change by Using Command-Line Tools

You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to 1, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.

12.3 Managing Accounts and Passwords by Using the Self-Service Console

For administrators, Oracle Directory Services Manager is the primary tool for managing users and passwords.

You can also use Oracle Identity Manager to centralize user and account provisioning to Oracle Internet Directory. For end user self-service, Oracle Identity Manager is the recommended solution. The Oracle Identity Manager documentation is available on Oracle Technology Network.

This section contains these topics:

12.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service Console

You can temporarily disable a user's account, then enable it again, by using the Oracle Internet Directory Self-Service Console.

See Also:

Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager in 12c Release 2 (12.2.1.3.0).

12.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console

If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.

See Also:

The section on Unlocking a User Account in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager in 12c Release 2 (12.2.1.3.0).

12.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console

If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.

See Also:

To reset your password using the Self-Service console in Oracle Identity Manager, see Resetting the User Password in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager in 12c Release 2 (12.2.1.3.0).

12.4 Unlocking Locked Accounts by Using Oracle Directory Services Manager

You can list locked accounts in Oracle Directory Services Manager by searching on the pwdaccountlockedtime attribute, which is present only on entries whose account is locked.

To list and unlock locked accounts using Oracle Directory Services Manager:

  1. Invoke Oracle Directory Services Manager as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Data Browser.
  3. Perform a simple search, as described in Searching for Entries by Using Oracle Directory Services Manager, using the search string (pwdaccountlockedtime=*). A list of entries with locked accounts appears.
  4. Select the entry whose account you want to unlock.
  5. When an account is locked, Unlock Account appears before the Apply and Revert buttons. Click Unlock Account.
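Both the command-line procedure in 12.2.2 and the ODSM procedure above rest on the same two facts: a locked account carries a pwdaccountlockedtime attribute, and adding orclpwdaccountunlock: 1 clears the lock without touching the password. The following Python is an added example, not Oracle's code: it parses the LDIF that ldapsearch -L prints for the (pwdaccountlockedtime=*) filter, lists the locked entries for review, and emits the unlock LDIF for ldapmodify. The search output embedded below is constructed for the example, and the function names are this example's own.

```python
"""Added example (not Oracle's code): turn `ldapsearch -L ... "(pwdaccountlockedtime=*)"`
output into a review list of locked accounts and the matching unlock LDIF.

Assumption: the search output is standard LDIF (entries separated by blank
lines, continuation lines start with a space, `::` marks base64 values).
"""
import base64

# Constructed sample: what a search for (pwdaccountlockedtime=*) might print.
# The third entry has no lock attribute and must be left alone.
SAMPLE_SEARCH_OUTPUT = """\
dn: cn=John Doe,cn=users,o=my_company,dc=com
pwdaccountlockedtime: 20030415083000Z

dn: cn=Jane Roe,cn=users,o=my_company,dc=com
pwdaccountlockedtime: 20030416091500Z
description: locked after repeated failed
  binds

dn: cn=Service Account,cn=users,o=my_company,dc=com
"""


def parse_ldif_entries(text):
    """Split LDIF into a list of dicts: lowercase attribute -> list of values."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:   # LDIF continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):               # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def locked_accounts(entries):
    """Return (dn, locked_time) for every entry that carries pwdaccountlockedtime."""
    return [(e["dn"][0], e["pwdaccountlockedtime"][0])
            for e in entries if "pwdaccountlockedtime" in e and "dn" in e]


def unlock_ldif(dns):
    """Build the ldapmodify input from 12.2.2 for each DN: add orclpwdaccountunlock: 1."""
    blocks = []
    for dn in dns:
        blocks.append("\n".join([
            f"dn: {dn}",
            "changetype: modify",
            "add: orclpwdaccountunlock",
            "orclpwdaccountunlock: 1",
            "",
        ]))
    return "\n".join(blocks)


if __name__ == "__main__":
    locked = locked_accounts(parse_ldif_entries(SAMPLE_SEARCH_OUTPUT))
    for dn, when in locked:
        print(f"{when}  {dn}")
    print(unlock_ldif([dn for dn, _ in locked]))
```

In practice you would pipe the real ldapsearch output into parse_ldif_entries, review the list (the lock time tells you whether a burst of lockouts is recent), and only then feed the generated file to ldapmodify as in 12.2.2.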

12.5 Changing the Superuser Password by Using Fusion Middleware Control

The configuration attribute orclsupassword is an attribute of the DSE root. You can use it to change the superuser password that was assigned earlier.

To change the password for the superuser by using Oracle Enterprise Manager Fusion Middleware Control:

  1. Select Administration, then Shared Properties from the Oracle Internet Directory menu.
  2. Click the Change Superuser Password tab.
  3. Specify the old password.
  4. Specify the new password.
  5. Confirm the new password.
  6. Click Apply.

12.6 Creating Another Account With Superuser Privileges

The Superuser, cn=orcladmin, gets its privileges from membership in several privileged groups.

You can query for those groups by using the following ldapsearch command:

ldapsearch -h host -p port -D "cn=orcladmin" -q -b "" -L \
-s sub "(|(uniquemember=cn=orcladmin)(member=cn=orcladmin))" dn

To create a second account with Superuser privilege, create another user entry that belongs to the same groups. Also add the user as member of the group cn=directoryadmingroup,cn=oracle internet directory.

Note:

To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.

After you have created additional users with Superuser privileges, you no longer need to use cn=orcladmin to administer Oracle Internet Directory. The privileged accounts should be sufficient. The attribute orclsuname, however, must have the value cn=orcladmin.

See Also:

Managing Directory Entries in Oracle Internet Directory to learn how to create a user entry and Managing Dynamic and Static Groups in Oracle Internet Directory to learn how to add a user to a group.

Note:

To maintain system security, keep the number of privileged users to a minimum and ensure that all privileged accounts are audited. See Managing Auditing.

12.7 Managing the Superuser Password by Using ldapmodify

You should never change the Superuser's name. The value of orclsuname must remain cn=orcladmin.

To set or modify the password for the superuser, use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended.

To change the password of the superuser to superuserpassword, use an LDIF file such as the following:

dn:
changetype: modify
replace: orclsupassword
orclsupassword: superuserpassword

See Also:

The ldapmodify command-line tool reference in Reference for Oracle Identity Management for ldapmodify syntax and usage notes.

12.8 Changing the Oracle Internet Directory Database Password

The Oracle Internet Directory uses a password when connecting to its own designated Oracle database. The default for this password when you install Oracle Internet Directory is the same as that for the Oracle Fusion Middleware administrator. When you change the password using oidpasswd, the new password is saved in the wallet. When you try to connect to Oracle Internet Directory’s database next time, it will validate the user with the new password saved in the wallet and connect to the database.

You can change this password by using oidpasswd.

The following example shows how to change the Oracle Internet Directory database password:

oidpasswd connect=OIDDB change_oiddb_pwd=true
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.

See Also:

The Using oidpasswd command-line tool reference in Reference for Oracle Identity Management

Note:

The account described here is different from the ODSSM account used for accessing server manageability information. Account Used for Accessing Server Manageability Information describes that account. For information about changing that account, see Changing the Password for the ODSSM Administrator Account.

12.9 Resetting the Superuser Password

If you forget the Oracle Internet Directory superuser (cn=orcladmin) password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password.

When you first install Oracle Internet Directory, the superuser password and Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory superuser password using ldapmodify. If you forget the Oracle Internet Directory superuser password, you can reset it using the oidpasswd tool separately.

The following example shows how to reset the Oracle Internet Directory superuser password. The oidpasswd tool prompts you for the Oracle Internet Directory database password.

oidpasswd connect=OIDDB reset_su_password=true
OID DB user password: oid_db_password
        password: new_su_password
confirm password: new_su_password
OID superuser password reset successfully

12.10 Changing the Password for the EMD Administrator Account

The EMD administrator account, "cn=emd admin,cn=oracle internet directory", has very limited privilege and is used primarily for starting and stopping Oracle Internet Directory server manageability information collection.

See Also:

Monitoring Oracle Internet Directory for information about Oracle Internet Directory server manageability information collection.

To change the password for the EMD administrator:

  1. Change the userpassword of the account "cn=emd admin,cn=oracle internet directory" in Oracle Internet Directory by using ldapmodify.
  2. Invoke wlst and connect to the WebLogic server.
    java weblogic.WLST
    connect('weblogic', 'weblogic_user_password', 'protocol:host:port')
    
  3. Run the following WLST command:
    updateCred(map='emd', key='EMD_instance_name', password='newpassword', user='EMD')
    
  4. On each Oracle instance in the WebLogic domain, execute the following command line:
    ORACLE_HOME/ldap/bin/oidcred emd update [instanceName]
    

12.11 Changing the Password for the ODSSM Administrator Account

Oracle Internet Directory connects to its Oracle Database, using the password specified for the ODS schema during schema creation. It also connects to retrieve its metric using the ODSSM schema password, given during schema creation as well. The Oracle Enterprise Manager Fusion Middleware Control default password, at the end of install, is the same as the ODSSM password.

To change the password for the ODSSM administrator, you must change it in the Oracle Database and then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:

  1. Use SQLPlus or a similar tool to alter the password in the database.
  2. Go to ORACLE_HOME/common/bin and run the following command:
    sh wlst.sh
    
  3. Connect to the WebLogic Administration Server:
    connect('weblogic_username','pwd', 't3://host:port')
    
  4. Run the updateCred() command:
    updateCred(map='odssm', key='ODSSM_instance_name', password='newpassword', user='ODSSM')
    

    where instance_name is the instance name provided during installation, for example, asinst_1.

  5. On each Oracle instance in the WebLogic domain, execute the following command line:
    ORACLE_HOME/ldap/bin/oidcred odssm update [instance_name] 
    

12.12 Updating the New ODSSM Password for Data Source

If Oracle Directory Integration Platform is also configured in the instance, then you must update this new ODSSM password in one additional place.

To update the new ODSSM password in Oracle Internet Directory credential store:

  1. Log in to the WebLogic Administration console at: http://host:port/console
  2. Select Data Sources -> schedulerDS -> Connection Pool.
  3. Click Lock & Edit in the top left corner of the screen.
  4. Enter the new password in the Password and Confirm Password fields.

    Click Save.

  5. Click Activate Changes.

Note:

You can validate the ODSSM password using the following script:

%perlbin%/perl $ORACLE_HOME/sysman/admin/scripts/iam/getCSFPassword.pl
$ORACLE_HOME $ORACLE_INSTANCE [CANONICAL_PATH] ldap