This chapter contains these topics:
Managing Accounts and Passwords by Using the Self-Service Console
Changing the Superuser Password by Using Fusion Middleware Control
This chapter describes some administrative tasks related to accounts and passwords.
See Also:
Note:
All references to the Self-Service console in this chapter refer to the console included with Oracle Delegated Administration Services 10g (10.1.4.3.0) or later, which is compatible with Oracle Internet Directory 11g Release 1 (11.1.1). See Oracle Identity Management Guide to Delegated Administration.
Using command-line tools or the Self-Service console, you can temporarily disable a user's account, then enable it again. If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.
Using command-line tools, you can force users to change their passwords when they log in for the first time.
If you forget your password or become locked out of your account, then you can reset your password. You do this by using the Self-Service Console. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
The Superuser is a special directory administrator with full access to directory information. The default user name of the superuser is orcladmin. The password is set by the administrator during installation.
Note:
Oracle recommends that you change the password immediately after installation.
You can use either Oracle Enterprise Manager or ldapmodify to administer the Superuser password.
See Also:
Chapter 28, "Managing Directory Access Control"
Another privileged account is the administrator, "cn=emd admin,cn=oracle internet directory".
This account is used for starting and stopping Oracle Internet Directory server manageability information collection. It is also used by Oracle Enterprise Manager Fusion Middleware Control to make configuration changes to Oracle Internet Directory. These changes are made over a secure connection.
The only way you can change this account's password is to use the procedure documented in "Changing the Password for the EMD Administrator Account". There is no support in the oidpasswd tool for changing this password.
This section contains these topics:
You can temporarily disable a user's account, then enable it again, by using command-line tools.
To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.
To enable the account after you have disabled it, delete this attribute from the entry.
To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example, you could use a command line such as:
ldapmodify -p port -h host -D cn=orcladmin -q -v -f my.ldif
where my.ldif contains:
dn: cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z
In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in before January 1, 2003 or after December 31, 2003. If you want to disable his account for the period between these dates, then set the orclisenabled attribute to DISABLED.
If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.
To unlock an account, set the orclpwdaccountunlock attribute to 1.
The following example unlocks the account for user John Doe.
ldapmodify -p port -h host -D cn=orcladmin -q -v -f file.ldif
where file.ldif contains:
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
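The account-control attributes above interact in a way that is easy to get wrong when auditing a directory (a DISABLED flag overrides any date window, a missing flag means enabled, and the window is in UTC). The following is an added example, not an Oracle tool or part of this guide: it evaluates an entry's attributes into a login state using exactly the rules this section states, and it builds the ldapmodify input for a login window or an unlock. The function names and the sample entry are this example's own; the attribute names are the ones documented above.

```python
"""Evaluate whether an Oracle Internet Directory user entry can currently
log in, applying the account-control rules given above, and build the
ldapmodify input that sets a login window or unlocks an account.

This is an added example, not an Oracle tool. Attribute names are the ones
this section documents; the function names are this example's own.
"""
from datetime import datetime, timezone

# UTC generalized-time form used in this section: YYYYMMDDHHMMSS followed by z
_TIME_FMT = "%Y%m%d%H%M%S"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_oid_time(value):
    """Parse '20030101000000z' into an aware UTC datetime.

    A value without the trailing z/Z is rejected rather than silently read as
    local time, because a local-time window would widen or narrow the period
    the administrator intended.
    """
    value = value.strip()
    if not value or value[-1] not in "zZ":
        raise ValueError("expected UTC timestamp ending in 'z': %r" % value)
    return datetime.strptime(value[:-1], _TIME_FMT).replace(tzinfo=timezone.utc)


def format_oid_time(when):
    """Inverse of parse_oid_time; converts any aware datetime to UTC first."""
    return when.astimezone(timezone.utc).strftime(_TIME_FMT) + "z"


def account_state(attrs, now):
    """Return 'disabled', 'not-yet-active', 'expired' or 'enabled'.

    Rules as stated in this section:
      * orclisenabled set to DISABLED disables the account regardless of any
        date window; any other value, or no attribute at all, means enabled.
      * With orclActiveStartDate/orclActiveEndDate set, the user can log in
        only between those two UTC instants.
    LDAP attribute names are case-insensitive, so the lookup is too.
    """
    a = {name.lower(): value for name, value in attrs.items()}
    if a.get("orclisenabled", "").strip().upper() == "DISABLED":
        return "disabled"
    start = a.get("orclactivestartdate")
    end = a.get("orclactiveenddate")
    if start and now < parse_oid_time(start):
        return "not-yet-active"
    if end and now > parse_oid_time(end):
        return "expired"
    return "enabled"


def login_window_ldif(dn, start, end):
    """LDIF for ldapmodify that sets the login window on dn.

    Written as an explicit modify/replace, which is unambiguous to any
    ldapmodify implementation; the window is validated before emitting it.
    """
    if end <= start:
        raise ValueError("orclActiveEndDate must be later than orclActiveStartDate")
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: orclactivestartdate",
        "orclactivestartdate: %s" % format_oid_time(start),
        "-",
        "replace: orclactiveenddate",
        "orclactiveenddate: %s" % format_oid_time(end),
        "",
    ])


def unlock_ldif(dn):
    """LDIF that unlocks dn without changing its password (orclpwdaccountunlock=1)."""
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "add: orclpwdaccountunlock",
        "orclpwdaccountunlock: 1",
        "",
    ])


if __name__ == "__main__":
    # Constructed entry mirroring the John Doe example from this section.
    john = {
        "orclActiveStartDate": "20030101000000z",
        "orclActiveEndDate": "20031231000000z",
    }
    for when in (utc(2002, 12, 31), utc(2003, 6, 15), utc(2004, 1, 1)):
        print(when.date(), account_state(john, when))
    print(login_window_ldif("cn=John Doe,cn=users,o=my_company,dc=com",
                            utc(2003, 1, 1), utc(2003, 12, 31)))
    print(unlock_ldif("cn=John Doe,cn=users,o=my_company,dc=com"))
```

Feed the generated LDIF to ldapmodify with the -f option as in the commands above. The generated window LDIF uses an explicit changetype: modify with replace operations, so it behaves the same whichever ldapmodify implementation consumes it.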
You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to 1, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.
See Also:
"Resetting Your Own Password by Using the Self-Service Console" for instructions on resetting passwords
"Setting Password Policies by Using Command-Line Tools" for instructions on setting attributes of a password policy
For administrators, Oracle Directory Services Manager is the primary tool for managing users and passwords.
You can also use Oracle Identity Manager to centralize user and account provisioning to Oracle Internet Directory 11g Release 1 (11.1.1). For end user self-service, Oracle Identity Manager is the recommended solution. The Oracle Identity Manager documentation is available on Oracle Technology Network at:
http://www.oracle.com/technology/documentation/oim.html
Customers who already have Oracle Delegated Administration Services in their environment can use it for end user self-service with Oracle Internet Directory 11g Release 1 (11.1.1). However, 10g is the terminal release for Oracle Delegated Administration Services, and the component is deprecated in 11g and later releases.
This section contains these topics:
Enabling and Disabling Accounts by Using the Self-Service Console
Resetting Your Own Password by Using the Self-Service Console
You can temporarily disable a user's account, then enable it again, by using the Oracle Internet Directory Self-Service Console.
See Also:
The section on managing accounts in Oracle Identity Management Guide to Delegated Administration
If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.
See Also:
The section on managing accounts in Oracle Identity Management Guide to Delegated Administration
If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
See Also:
The section on resetting your password if you forget it in Oracle Identity Management Guide to Delegated Administration
To change the password for the superuser by using Oracle Enterprise Manager Fusion Middleware Control:
Select Administration, then Shared Properties from the Oracle Internet Directory menu.
Click the Change Superuser Password tab.
Specify the old password.
Specify the new password.
Confirm the new password.
Click Apply.
Table 12-1 Configuration Attributes on Shared Properties, Change Superuser Password Tab
Field or Heading | Configuration Attribute
---|---
Superuser Password | orclsupassword
The configuration attribute orclsupassword is an attribute of the DSE root.
The superuser, cn=orcladmin, gets its privileges from membership in several privileged groups. You can query for those groups by searching for entries with "uniquemember=cn=orcladmin". For example:
ldapsearch -p port -h host -b "cn=subschemasubentry" -q \
-s base "uniquemember=cn=orcladmin"
To create a second superuser account, create another user entry that belongs to the same groups.
See Also:
Chapter 13, "Managing Directory Entries"
Note:
To maintain system security, keep the number of privileged users to a minimum and ensure that all privileged accounts are audited. See Chapter 21, "Managing Auditing."
To set or modify a user name or password for the superuser, use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended.
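Because the superuser's rights come from group membership, auditing those groups is the practical way to act on the note above. The following is an added example, not an Oracle tool or part of this guide: it parses the LDIF that a uniquemember search such as the one shown above returns, lists every group in which the superuser DN appears, and flags groups whose membership exceeds a chosen ceiling. The embedded LDIF is constructed sample data, the group names are placeholders, and the function names are this example's own.

```python
"""Audit privileged-group membership from ldapsearch output.

Added example, not an Oracle tool. It parses the LDIF that a search such as
the uniquemember search shown above returns, reports every group in which
the superuser DN is a member, and flags groups whose membership exceeds a
chosen ceiling, in support of keeping privileged users to a minimum.
The LDIF below is constructed sample data; the group names are placeholders.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
# constructed sample shaped like ldapsearch output (not real directory data)
dn: cn=placeholder-admins,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=orcladmin
uniquemember: cn=Jane Roe,cn=users,dc=example,dc=com

dn: cn=placeholder-operators,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=John Doe,cn=users,dc=example,dc=com
uniquemember: cn=Jane Roe,cn=users,dc=example,dc=com
uniquemember: cn=Orcladmin
uniquemember: cn=Second Admin,cn=users,
 dc=example,dc=com

dn: cn=placeholder-readers,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember:: Y249b3JjbGFkbWlu
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries; each entry maps a lower-cased
    attribute name to the list of its values ('dn' is one such attribute).
    Comment lines are skipped and '::' values are base64-decoded."""
    entries = []
    attrs = defaultdict(list)
    for line in unfold(text) + [""]:      # trailing "" flushes the last entry
        if line == "":
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs[name.strip().lower()].append(value)
    return entries


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_containing(entries, member_dn):
    """DNs of the groups whose uniquemember includes member_dn (case-insensitive)."""
    target = normalize_dn(member_dn)
    return [e["dn"][0] for e in entries
            if any(normalize_dn(m) == target for m in e.get("uniquemember", []))]


def oversized_groups(entries, max_members):
    """Map group DN -> member count for groups with more than max_members members."""
    return {e["dn"][0]: len(e["uniquemember"])
            for e in entries if len(e.get("uniquemember", [])) > max_members}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("groups granting cn=orcladmin its privileges:")
    for dn in groups_containing(entries, "cn=orcladmin"):
        print("  ", dn)
    for dn, count in oversized_groups(entries, 3).items():
        print("review: %s has %d members" % (dn, count))
```

To run it against a live directory, replace SAMPLE_LDIF with the captured output of the ldapsearch command shown above. The parser handles the three LDIF features that trip up ad hoc grep-based audits: folded continuation lines, base64-encoded values, and DN case differences.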
To change the password of the superuser to superuserpassword, use an LDIF file such as the following:
dn:
changetype: modify
replace: orclsupassword
orclsupassword: superuserpassword
See Also:
The ldapmodify command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management for ldapmodify syntax and usage notes.
The Oracle Internet Directory uses a password when connecting to its own designated Oracle database. The default for this password when you install Oracle Internet Directory is the same as that for the Oracle Fusion Middleware administrator. You can change this password by using oidpasswd.
The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.
oidpasswd connect=dbs1 change_oiddb_pwd=true
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.
See Also:
The oidpasswd command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Note:
The account described here is different from the ODSSM account used for accessing server manageability information. See "Account Used for Accessing Server Manageability Information".
If you forget the Oracle Internet Directory superuser (cn=orcladmin) password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the superuser password and Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory superuser password using ldapmodify. If you forget the Oracle Internet Directory superuser password, you can reset it using the oidpasswd tool separately.
The following example shows how to reset the Oracle Internet Directory superuser password. The oidpasswd tool prompts you for the Oracle Internet Directory database password.
oidpasswd connect=dbs1 reset_su_password=true
OID DB user password: oid_db_password
password: new_su_password
confirm password: new_su_password
OID superuser password reset successfully
The EMD administrator account, "cn=emd admin,cn=oracle internet directory", has very limited privilege and is used primarily for starting and stopping Oracle Internet Directory server manageability information collection.
See Also:
Chapter 23, "Monitoring Oracle Internet Directory"
To change the password for the EMD administrator, you must change it in Oracle Internet Directory, then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:
Change the userpassword of the account "cn=emd admin,cn=oracle internet directory" in Oracle Internet Directory by using ldapmodify.
Invoke wlst and connect to the WebLogic server.
ORACLE_HOME/common/bin/wlst.sh
connect('weblogic', 'weblogic_user_password', 'protocol:host:port')
Run the following WLST command:
updateCred(map='emd',key='EMD_instance_name', password='newpassword',user='EMD')
On each Oracle instance in the WebLogic domain, execute the following command line:
ORACLE_HOME/ldap/bin/oidcred emd update [instanceName]
Update the component registration of the Oracle instance, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl".
Note:
When you use wlst to change the password for the EMD or ODSSM administrator account, you must invoke the wlst command in the ORACLE_HOME directory because updateCred and related scripts reside there. For other purposes, use the wlst command in the ORACLE_COMMON_HOME directory.
Oracle Internet Directory connects to its Oracle Database using the password specified for the ODS schema during schema creation. It also connects to retrieve its metrics using the ODSSM schema password, given during schema creation as well. The Oracle Enterprise Manager Fusion Middleware Control default password, at the end of install, is the same as the ODSSM password.
To change the password for the ODSSM administrator, you must change it in the Oracle Database and then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:
Use SQL*Plus or a similar tool to alter the password in the database.
Invoke wlst and connect to the WebLogic server.
ORACLE_HOME/common/bin/wlst.sh
connect('weblogic', 'weblogic_user_password', 'protocol:host:port')
Run the following WLST command:
updateCred(map='odssm',key='ODSSM_instance_name', password='newpassword',user='ODSSM')
On each Oracle instance in the WebLogic domain, execute the following command line:
ORACLE_HOME/ldap/bin/oidcred odssm update [instanceName]
Update the component registration of the Oracle instance, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl".
Note:
When you use wlst to change the password for the EMD or ODSSM administrator account, you must invoke the wlst command in the ORACLE_HOME directory because updateCred and related scripts reside there. For other purposes, use the wlst command in the ORACLE_COMMON_HOME directory.