Monday, August 25, 2014

OID - Unlocking superuser orcladmin account

We weren't able to log in to WebCenter Portal, which uses OID as its authentication store, today.
On investigation we found that the superuser orcladmin account itself was locked.

Note -
1. There are two orcladmin accounts: the superuser account, cn=orcladmin, and the realm administrator cn=orcladmin, for example cn=orcladmin,cn=users,dc=oracle,dc=com.

2. The superuser account is hard coded and is not visible in Oracle Directory Manager (ODM), nor in Oracle Directory Services Manager (ODSM) in 11g.

The following commands* executed from a command line helped to fix this issue -

export ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IDM1/
export ORACLE_INSTANCE=/u01/app/oracle/admin/OID_Domain/oid_inst_2/
cd /u01/app/oracle/middleware/Oracle_IDM1/ldap/bin
# the connect string (OIDDB here) is the TNS alias for the OID database, taken from /u01/app/oracle/admin/OID_Domain/oid_inst1/config/tnsnames.ora
./oidpasswd connect=OIDDB unlock_su_acct=true
OID DB user password: <ODS schema password>

*This is just a representation of what I had to do in my environment to fix this.

After this, you will need to log in to ODSM, go to the Data Browser tab and change the password for cn=orcladmin,cn=Users,dc=<companyName>,dc=com, since that password in all probability has expired as well.
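As an added example (not from the post), here is a small Python check that reads an ldapsearch LDIF dump of the realm admin entry and reports whether the account is locked or its password has expired, so you know which of the two fixes above applies before touching oidpasswd or ODSM. The attribute names are assumed from OID's password-policy schema (pwdaccountlockedtime, pwdchangedtime, pwdfailuretime); the sample LDIF, the example.com DN and the 120-day pwdmaxage are constructed.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample: what an ldapsearch of the realm admin entry with
# operational attributes ("+") returns for a locked account with an old password.
SAMPLE_LDIF = """\
dn: cn=orcladmin,cn=Users,dc=example,dc=com
cn: orcladmin
pwdchangedtime: 20140101120000Z
pwdfailuretime: 20140825061200Z
pwdfailuretime: 20140825061400Z
pwdaccountlockedtime: 20140825061500Z
"""
NOW = datetime(2014, 8, 25, 9, 0, tzinfo=timezone.utc)   # constructed "now"
PWDMAXAGE = 120 * 86400   # assumed policy value, in seconds (0 = never expires)

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; handles '::' base64 values
    and continuation lines (a leading space joins to the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                      # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def generalized_time(value):
    """LDAP GeneralizedTime (e.g. 20140101120000Z) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def account_status(entry, pwdmaxage, now):
    """locked: pwdaccountlockedtime is set; expired: pwdchangedtime + pwdmaxage
    lies in the past; failures: number of recorded bind failures."""
    locked = "pwdaccountlockedtime" in entry
    expired = False
    changed = entry.get("pwdchangedtime")
    if changed and pwdmaxage > 0:
        expired = now >= generalized_time(changed[0]) + timedelta(seconds=pwdmaxage)
    return {"locked": locked, "expired": expired,
            "failures": len(entry.get("pwdfailuretime", []))}

def remedy(dn, status):
    """Map the status to the fix from the post: the hard-coded superuser is only
    unlockable with oidpasswd; the realm admin is handled in ODSM."""
    if dn.lower() == "cn=orcladmin":
        return "oidpasswd unlock_su_acct=true" if status["locked"] else "ok"
    if status["locked"] or status["expired"]:
        return "reset password for realm admin in ODSM Data Browser"
    return "ok"

def check_sample():
    entry = parse_ldif(SAMPLE_LDIF)
    return remedy(entry["dn"][0], account_status(entry, PWDMAXAGE, NOW))
```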

Atul Kumar's post here also helps with similar issues.

To change password policies, have a look at this Oracle Doc.