This chapter describes how to manage Oracle Internet Directory accounts and passwords using command-line tools, the Self-Service Console, Oracle Directory Services Manager, and Oracle Enterprise Manager Fusion Middleware Control. It describes how to manage passwords for a superuser account, the EMD administrator, and the Oracle Internet Directory database.
This chapter includes the following sections:
Section 12.1, "Introduction to Managing Accounts and Passwords"
Section 12.2, "Managing Accounts and Passwords by Using Command-Line Tools"
Section 12.3, "Managing Accounts and Passwords by Using the Self-Service Console"
Section 12.4, "Listing and Unlocking Locked Accounts by Using Oracle Directory Services Manager"
Section 12.5, "Changing the Superuser Password by Using Fusion Middleware Control"
Section 12.6, "Creating Another Account With Superuser Privileges"
Section 12.7, "Managing the Superuser Password by Using ldapmodify"
Section 12.8, "Changing the Oracle Internet Directory Database Password"
Section 12.10, "Changing the Password for the EMD Administrator Account"
Section 12.11, "Changing the Password for the ODSSM Administrator Account"
This chapter describes some administrative tasks related to accounts and passwords.
See Also:
Note:
All references to the Self-Service console in this chapter refer to the console included with Oracle Delegated Administration Services 10g (10.1.4.3.0) or later, which is compatible with Oracle Internet Directory 11g Release 1 (11.1.1). See Oracle Identity Management Guide to Delegated Administration in the 10g (10.1.4.0.1) Library for more information.

Using command-line tools or the Self-Service console, you can temporarily disable a user's account, then enable it again. If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.
Using command-line tools, you can force users to change their passwords when they log in for the first time.
If you forget your password or become locked out of your account, then you can reset your password. You do this by using the Self-Service Console. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
The Superuser is a special directory administrator with full access to directory information. The default user name of the superuser is orcladmin. The password is set by the administrator during installation.
Note:
Oracle recommends that you change the password immediately after installation.

You can use either Oracle Enterprise Manager or ldapmodify to administer the Superuser password.
See Also:
Chapter 30, "Managing Directory Access Control" for information on how to set access rights.

Another privileged account is the administrator, "cn=emd admin,cn=oracle internet directory".
This account is used for starting and stopping Oracle Internet Directory server manageability information collection. It is also used by Oracle Enterprise Manager Fusion Middleware Control to make configuration changes to Oracle Internet Directory. These changes are made over a secure connection.
The only way you can change this account's password is to use the procedure documented in Section 12.10, "Changing the Password for the EMD Administrator Account." There is no support in the oidpasswd tool for changing this password.
This section contains these topics:
Section 12.2.1, "Enabling and Disabling Accounts by Using Command-Line Tools"
Section 12.2.2, "Unlocking Accounts by Using Command-Line Tools"
Section 12.2.3, "Forcing a Password Change by Using Command-Line Tools"
You can temporarily disable a user's account, then enable it again, by using command-line tools.
To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.
To enable the account after you have disabled it, delete this attribute from the entry.
To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example, you could use a command line such as:
ldapmodify -p port -h host -D cn=orcladmin -q -v -f my.ldif
where my.ldif contains:
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
replace: orclactivestartdate
orclactivestartdate: 20030101000000z
-
replace: orclactiveenddate
orclactiveenddate: 20031231000000z
In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in before January 1, 2003 or after December 31, 2003. If you want to disable his account for the period between these dates, then set the orclisenabled attribute to DISABLED.
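The following Python module is an added example and is not part of the Oracle documentation. It mirrors the account-activity rules stated above: orclisenabled=DISABLED takes precedence, any other value of that attribute enables the account, and the orclActiveStartDate/orclActiveEndDate window is evaluated against the current UTC time. It parses the UTC timestamp format used in the LDIF above and builds the ldapmodify records for the three operations (confine to a period, disable, re-enable by deleting the attribute). The entry representation (a dict of lower-cased attribute names to value lists) and the John Doe sample entry are constructed for the example; the server performs the real evaluation, this code only reproduces the documented semantics so an administrator can check an entry's state before or after a change.

```python
from datetime import datetime, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an OID UTC timestamp such as '20030101000000z' into an aware datetime.

    The directory stores the value as LDAP GeneralizedTime in UTC; the example in
    the text uses a lower-case 'z' suffix, so both cases are accepted here.
    """
    v = value.strip()
    if v[-1:] not in ("z", "Z"):
        raise ValueError(f"expected a UTC (Z-suffixed) timestamp, got {value!r}")
    return datetime.strptime(v[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_generalized_time(when: datetime) -> str:
    """Render an aware datetime in the UTC string form OID expects (same form as the text)."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%Sz")


def account_status(entry: dict, now: datetime) -> str:
    """Classify an entry as 'disabled', 'not-yet-active', 'expired' or 'active'.

    orclisenabled=DISABLED wins over any activity window; any other value of
    orclisenabled leaves the account enabled, exactly as the text above states.
    """
    if any(v.strip().upper() == "DISABLED" for v in entry.get("orclisenabled", [])):
        return "disabled"
    start = entry.get("orclactivestartdate")
    end = entry.get("orclactiveenddate")
    if start and now < parse_generalized_time(start[0]):
        return "not-yet-active"
    if end and now > parse_generalized_time(end[0]):
        return "expired"
    return "active"


def activity_window_ldif(dn: str, start: datetime, end: datetime) -> str:
    """LDIF modify record that confines the account to [start, end]."""
    if end <= start:
        raise ValueError("orclActiveEndDate must be later than orclActiveStartDate")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: orclactivestartdate",
        f"orclactivestartdate: {to_generalized_time(start)}",
        "-",
        "replace: orclactiveenddate",
        f"orclactiveenddate: {to_generalized_time(end)}",
        "",
    ])


def disable_ldif(dn: str) -> str:
    """LDIF modify record that disables the account until the attribute is removed."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: orclisenabled", "orclisenabled: DISABLED", ""])


def enable_ldif(dn: str) -> str:
    """LDIF modify record that re-enables the account by deleting orclisenabled."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "delete: orclisenabled", ""])


# Constructed sample entry mirroring the John Doe example in the text.
JOHN_DOE = {
    "dn": ["cn=John Doe,cn=users,o=my_company,dc=com"],
    "orclactivestartdate": ["20030101000000z"],
    "orclactiveenddate": ["20031231000000z"],
}

if __name__ == "__main__":
    for probe in ("20021231235959z", "20030601120000z", "20040101000000z"):
        print(probe, account_status(JOHN_DOE, parse_generalized_time(probe)))
    print(activity_window_ldif(JOHN_DOE["dn"][0],
                               parse_generalized_time("20030101000000z"),
                               parse_generalized_time("20031231000000z")))
```

Save the output of activity_window_ldif, disable_ldif or enable_ldif to a file and pass it to ldapmodify as in the command line above; the same account_status check can be run against the attributes returned by an ldapsearch of the entry to confirm the change took effect.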
If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.
To unlock an account, set the orclpwdaccountunlock attribute to 1.
The following example unlocks the account for user John Doe.
ldapmodify -p port -h host -D cn=orcladmin -q -v -f file.ldif
where file.ldif contains:
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to 1, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.
See Also:
Section 12.3.3, "Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console" for instructions on resetting passwords
Section 29.3.4, "Setting Password Policies by Using Command-Line Tools" for instructions on setting attributes of a password policy
For administrators, Oracle Directory Services Manager is the primary tool for managing users and passwords.
You can also use Oracle Identity Manager to centralize user and account provisioning to Oracle Internet Directory 11g Release 1 (11.1.1). For end user self-service, Oracle Identity Manager is the recommended solution. The Oracle Identity Manager documentation is available on Oracle Technology Network at:
http://www.oracle.com/technology/documentation/oim.html
Customers who already have Oracle Delegated Administration Services in their environment can use it for end user self-service with Oracle Internet Directory 11g Release 1 (11.1.1). However, 10g is the terminal release for Oracle Delegated Administration Services, and the component is deprecated in 11g and later releases.
This section contains these topics:
You can temporarily disable a user's account, then enable it again, by using the Oracle Internet Directory Self-Service Console.
See Also:
The section on managing accounts in Oracle Identity Management Guide to Delegated Administration in the 10g (10.1.4.0.1) library for instructions on enabling and disabling accounts by using the Oracle Internet Directory Self-Service Console

If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.
See Also:
The section on managing accounts in Oracle Identity Management Guide to Delegated Administration in the 10g (10.1.4.0.1) library for instructions on using the Oracle Internet Directory Self-Service Console to unlock accounts

If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
See Also:
The section on resetting your password if you forget it in Oracle Identity Management Guide to Delegated Administration in the 10g (10.1.4.0.1) library for instructions on using the Oracle Internet Directory Self-Service Console to reset your password

You can use Oracle Directory Services Manager to list and unlock locked accounts.
Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
Perform a simple search, as described in Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager," using the search string (pwdaccountlockedtime=*). A list of entries with locked accounts appears.
Select the entry whose account you want to unlock.
When an account is locked, Unlock Account appears before the Apply and Revert buttons. Click Unlock Account.
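The Oracle Directory Services Manager procedure above and the command-line unlock in Section 12.2.2 perform the same two steps: find the entries that carry pwdaccountlockedtime, then set orclpwdaccountunlock to 1 on each. The following Python script is an added example, not part of the Oracle documentation, that scripts those steps offline: it reads the LDIF that an ldapsearch with the filter (pwdaccountlockedtime=*) returns, handling folded continuation lines and base64 (::) values, lists the locked DNs and their lock times, and emits one ldapmodify record per account, switching to the base64 DN form whenever a DN cannot be written as plain LDIF text. The search output embedded in SAMPLE_SEARCH_OUTPUT is constructed sample data; the DNs in it are invented.

```python
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def parse_ldif_entries(text: str) -> List[Entry]:
    """Minimal LDIF reader for ldapsearch output.

    Unfolds continuation lines (a line starting with one space continues the
    previous one), decodes base64 values written with '::', skips comments and
    the leading 'version:' line, and returns one dict per entry mapping
    lower-cased attribute names to their values.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF folding: drop the leading space and join
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if not line:                         # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or (not current and line.lower().startswith("version:")):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):          # 'attr:< URL' form never appears in search output
            raise ValueError(f"URL-valued attribute not expected: {line!r}")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line, using the '::' base64 form when the value is not
    a SAFE-STRING (non-ASCII, leading space/colon/'<', or trailing space)."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def locked_accounts(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(dn, pwdaccountlockedtime) for every entry the (pwdaccountlockedtime=*) filter selects."""
    return [(e["dn"][0], e["pwdaccountlockedtime"][0])
            for e in entries if "dn" in e and "pwdaccountlockedtime" in e]


def unlock_ldif(dns: List[str]) -> str:
    """One modify record per DN setting orclpwdaccountunlock to 1 (Section 12.2.2);
    records are separated by blank lines so a single ldapmodify run applies them all."""
    records = []
    for dn in dns:
        records.append("\n".join([ldif_attr("dn", dn), "changetype: modify",
                                  "add: orclpwdaccountunlock", "orclpwdaccountunlock: 1", ""]))
    return "\n".join(records)


# Constructed sample of what ldapsearch -L returns for (pwdaccountlockedtime=*),
# including a folded DN, a base64-encoded non-ASCII DN and one unlocked entry.
SAMPLE_SEARCH_OUTPUT = "\n".join([
    "version: 1",
    "dn: cn=John Doe,cn=users,o=my_company,dc=com",
    "pwdaccountlockedtime: 20090312101500Z",
    "",
    "# folded DN: LDIF continues a value on a line that begins with one space",
    "dn: cn=Jane Roe,cn=users,o=my_company,",
    " dc=com",
    "pwdaccountlockedtime: 20090312102200Z",
    "",
    "dn:: " + base64.b64encode("cn=Jürgen Müller,cn=users,o=my_company,dc=com".encode("utf-8")).decode("ascii"),
    "pwdaccountlockedtime: 20090312103000Z",
    "",
    "dn: cn=Not Locked,cn=users,o=my_company,dc=com",
    "orclisenabled: ENABLED",
    "",
])

if __name__ == "__main__":
    locked = locked_accounts(parse_ldif_entries(SAMPLE_SEARCH_OUTPUT))
    for dn, since in locked:
        print(f"locked since {since}: {dn}")
    print(unlock_ldif([dn for dn, _ in locked]))
```

In practice, save the ldapsearch output to a file, pass its contents to parse_ldif_entries, review the list that locked_accounts returns, and feed the text from unlock_ldif to ldapmodify with the -f option as shown in Section 12.2.2. Reviewing the list before applying it matters because the same filter also matches accounts that were locked deliberately.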
To change the password for the superuser by using Oracle Enterprise Manager Fusion Middleware Control:
Select Administration, then Shared Properties from the Oracle Internet Directory menu.
Click the Change Superuser Password tab.
Specify the old password.
Specify the new password.
Confirm the new password.
Click Apply.
Table 12-1 Configuration Attributes on Shared Properties, Change Superuser Password Tab

Field or Heading | Configuration Attribute
---|---
Superuser Password | orclsupassword
The configuration attribute orclsupassword is an attribute of the DSE root.
The Superuser, cn=orcladmin, gets its privileges from membership in several privileged groups. You can query for those groups by using the following ldapsearch command:
ldapsearch -h host -p port -D "cn=orcladmin" -q -b "" -L \
  -s sub "(|(uniquemember=cn=orcladmin)(member=cn=orcladmin))" dn
To create a second account with Superuser privilege, create another user entry that belongs to the same groups. Also add the user as a member of the group cn=directoryadmingroup,cn=oracle internet directory.
Note:
To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.

After you have created additional users with Superuser privileges, you no longer need to use cn=orcladmin to administer Oracle Internet Directory. The privileged accounts should be sufficient. The attribute orclsuname, however, must have the value cn=orcladmin.
See Also:
Chapter 13, "Managing Directory Entries" to learn how to create a user entry and Chapter 14, "Managing Dynamic and Static Groups" to learn how to add a user to a group.

Note:
To maintain system security, keep the number of privileged users to a minimum and ensure that all privileged accounts are audited. See Chapter 23, "Managing Auditing."

You should never change the Superuser's name. The value of orclsuname must remain cn=orcladmin.
To set or modify the user name or password for the superuser, use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended.
To change the password of the superuser to superuserpassword, use an LDIF file such as the following:
dn:
changetype: modify
replace: orclsupassword
orclsupassword: superuserpassword
See Also:
The ldapmodify command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for ldapmodify syntax and usage notes.

The Oracle Internet Directory uses a password when connecting to its own designated Oracle database. The default for this password when you install Oracle Internet Directory is the same as that for the Oracle Fusion Middleware administrator. You can change this password by using oidpasswd.
The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.
oidpasswd connect=OIDDB change_oiddb_pwd=true
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.
See Also:
The oidpasswd command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management

Note:
The account described here is different from the ODSSM account used for accessing server manageability information. Section 25.1.4, "Account Used for Accessing Server Manageability Information" describes that account. For information about changing that account, see Section 12.11, "Changing the Password for the ODSSM Administrator Account."

If you forget the Oracle Internet Directory superuser (cn=orcladmin) password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the superuser password and Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory superuser password using ldapmodify, so the two passwords need not stay the same; if you then forget the superuser password, the oidpasswd tool resets it separately.
The following example shows how to reset the Oracle Internet Directory superuser password. The oidpasswd tool prompts you for the Oracle Internet Directory database password.
oidpasswd connect=OIDDB reset_su_password=true
OID DB user password: oid_db_password
password: new_su_password
confirm password: new_su_password
OID superuser password reset successfully
The EMD administrator account, "cn=emd admin,cn=oracle internet directory", has very limited privilege and is used primarily for starting and stopping Oracle Internet Directory server manageability information collection.
See Also:
Chapter 25, "Monitoring Oracle Internet Directory" for information about Oracle Internet Directory server manageability information collection.

To change the password for the EMD administrator, you must change it in Oracle Internet Directory, then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:
Change the userpassword of the account "cn=emd admin,cn=oracle internet directory" in Oracle Internet Directory by using ldapmodify.
Invoke wlst and connect to the WebLogic server.
java weblogic.WLST
connect('weblogic', 'weblogic_user_password', 'protocol:host:port')
Run the following WLST command:
updateCred(map='emd', key='EMD_instance_name', password='newpassword', user='EMD')
On each Oracle instance in the WebLogic domain, execute the following command line:
ORACLE_HOME/ldap/bin/oidcred emd update [instanceName]
Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
Oracle Internet Directory connects to its Oracle Database using the password specified for the ODS schema during schema creation. It also connects to retrieve its metrics using the ODSSM schema password, also given during schema creation. The Oracle Enterprise Manager Fusion Middleware Control default password, at the end of install, is the same as the ODSSM password.
Note:
The EMAgent retrieves the ODSSM password dynamically in 11g. Therefore, before you perform the steps to change the ODSSM password, you must first stop the EMAgent and only then proceed further.

To change the password for the ODSSM administrator, you must change it in the Oracle Database and then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:
Use SQLPlus or a similar tool to alter the password in the database.
Go to ORACLE_HOME/common/bin and run the following command:
sh wlst.sh
Connect to the WebLogic Administration Server:
connect('weblogic_username','pwd', 't3://host:port')
Run the updateCred() command:
updateCred(map='odssm', key='ODSSM_instance_name', password='newpassword', user='ODSSM')
where instance_name is the instance name provided during installation, for example, asinst_1.
On each Oracle instance in the WebLogic domain, execute the following command line:
ORACLE_HOME/ldap/bin/oidcred odssm update [instance_name]
Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
If Oracle Directory Integration Platform is also configured in the instance, then you must update this new ODSSM password in one additional place. Proceed as follows:
Log in to the WebLogic Administration console at: http://host:port/console
Select Data Sources -> schedulerDS -> Connection Pool.
Click Lock & Edit in the top left corner of the screen.
Enter the new password in the Password and Confirm Password fields.
Click Save.
Click Activate Changes.
Note:
If the ODSSM account continues to lock after starting the EMAgent, then it is possible that the new password was not updated correctly in the Oracle Internet Directory credential store.

Validate the ODSSM password using the following script:
%perlbin%/perl $ORACLE_HOME/sysman/admin/scripts/iam/getCSFPassword.pl $ORACLE_HOME $ORACLE_INSTANCE [CANONICAL_PATH] ldap