Re: HELP--Unlock ORCLADMIN Account (2 messages in com.googlegroups.oracle)

From: neil...@gmail.com    Sent on: Mar 8, 2005 5:45 pm
From: liqin.zhang          Sent on: Mar 18, 2005 6:15 am
Subject: Re: HELP--Unlock ORCLADMIN Account
From: liqin.zhang (liqi@gmail.com)
Date: Mar 18, 2005 6:15:03 am
List: com.googlegroups.oracle

The information in this article applies to: Oracle Internet Directory - Version: 9.0.4.0. This problem can occur on any platform.

Errors: [LDAP: ERROR CODE 49 - PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP]

Symptoms: At 9.0.4 install, the default value for Password Expiry Time is set to 5184000 (60 days). After 60 days from your installation date, the password for the ODI server (and any other assigned passwords) automatically expires.

If you have Directory Synchronization and/or Provisioning running, the ODISRV process will attempt to process the active profiles soon after password expiration; this repeated trying causes the DIP connector to exceed the maximum grace logins, and consequently the account becomes locked.

A view of the odisrv .trc file for each profile shows:

[LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]
Error in updating the status
java.lang.NullPointerException
java.lang.NullPointerException
        at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:542)
        at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:192)

Cause: At installation time, the pwdmaxage attribute of the Password Policies is defaulted to a time value of 60 days. This is new at 9.0.4.

Fix:

1. Use the oidpasswd utility to unlock the orcladmin account:

$ oidpasswd connect=asdb unlock_su_acct=true
OID DB user password:
OID super user account unlocked successfully.

This unlocks the OID Super User account, cn=orcladmin, ONLY. Do not confuse this account with the default realm cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts. After resetting the orcladmin super user account, you will still not be able to log in to SSO using the orcladmin account until you perform the next step.

2. Launch the Oracle Directory Manager (must be a 10g client) and navigate to Password Policy Management. You will see TWO entries:

cn=PwdPolicyEntry
Password Policy for Realm

3. Edit each of these and change the pwdmaxage to an appropriate value:

5184000 = 60 days (default)

7776000 = 90 days

10368000 = 120 days

15552000 = 180 days

31536000 = 1 year

999999999 = never expire

Note: Realm policies can differ from the root policy, so if in doubt change both policies the first time, then change the realm one to different values as desired. The documentation states that you can set these values to 0 for never expire, but this does not work; in fact, setting it to 0 causes immediate password expiration. See bug 3334767.

4. Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and reset the value to something new. You should then be able to launch any app (Portal/Collabsuite, etc.) that uses Single Sign-On and log in as orcladmin. If you want to continue to use the same password, you must change it once, then change it back. Be advised that you may need to temporarily modify your password policy if you have history set up to disallow the same password.

5. Rerun the odisrvreg utility to reset the DIP randomly generated password. You must make sure all odisrv processes are stopped prior to running odisrvreg. The reason is that the odisrv process only reads this password at startup time; then, at each wake-up interval, it connects to see if there are any changes to sync. Therefore, if odisrv is still running when you run odisrvreg (which resets the password), when it next wakes up for a sync interval it will try to use the value it read when started, and fail. After 10 failures the account will again be locked.

$ odisrvreg -D cn=orcladmin -w welcome1 -p 3060
Already Registered...Updating DIS password...
DIS registration successful.
$

Note: for cold failover situations, odisrvreg has a parameter -lhost that should be included when using a virtual hostname. Both -h and -lhost should contain the value of the virtual hostname.

6. Launch Oracle Directory Manager and navigate to Server Management/Integration Servers and reset the UserPassword field under the General tab of each active connector.
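Steps 1 to 5 of the note above, scripted as an added example (this is not from the original post and not Oracle's own tooling). It is a POSIX sh helper that builds the LDIF for the root and realm password policies and for the realm orcladmin password, refuses the pwdmaxage=0 value the note warns about, and refuses to run odisrvreg while an odisrv process is still up. Assumptions: the full policy DNs (cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext and its copy under the realm), the OID_HOST/OID_PORT/OID_DB/REALM values, and that ldapmodify accepts the usual -h -p -D -w -f flags; the post itself only names cn=PwdPolicyEntry, the realm placeholder dc=xxxxx,dc=yyyyy, port 3060 and connect=asdb. Step 6 (connector passwords in ODM) is not scripted.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle.
# Scripts steps 1-5 of the note and guards its two traps:
#  - pwdmaxage=0 means immediate expiry (bug 3334767), not "never expire"
#  - odisrvreg must not run while odisrv is up (it reads its password only at startup)

OID_HOST="${OID_HOST:-localhost}"      # assumed: OID host
OID_PORT="${OID_PORT:-3060}"           # port used in the post's odisrvreg call
OID_DB="${OID_DB:-asdb}"               # connect string used in the post's oidpasswd call
REALM="${REALM:-dc=xxxxx,dc=yyyyy}"    # realm placeholder from the post
# Policy DNs are assumed; the post names only cn=PwdPolicyEntry.
ROOT_POLICY_DN='cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext'
REALM_POLICY_DN="cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext,$REALM"
REALM_ADMIN_DN="cn=orcladmin,cn=users,$REALM"   # realm orcladmin, as named in the post
SU_DN='cn=orcladmin'                            # OID super user, as named in the post

# pwdmaxage is in seconds: 90 days -> 7776000
days_to_pwdmaxage() { echo $(( $1 * 86400 )); }

# Accept only 1..999999999. 0 is rejected (immediate expiry per the post);
# 999999999 is the post's "never expire" value.
check_pwdmaxage() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 999999999 ]
}

# Step 3 as LDIF: the same pwdmaxage on both the root and the realm policy.
pwdmaxage_ldif() {
  check_pwdmaxage "$1" || { echo "refusing pwdmaxage=$1" >&2; return 1; }
  for dn in "$ROOT_POLICY_DN" "$REALM_POLICY_DN"; do
    printf 'dn: %s\nchangetype: modify\nreplace: pwdmaxage\npwdmaxage: %s\n\n' "$dn" "$1"
  done
}

# Step 4 as LDIF: reset the realm orcladmin userpassword.
userpassword_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userpassword\nuserpassword: %s\n' \
    "$REALM_ADMIN_DN" "$1"
}

# True if any odisrv process is running (the [o] trick keeps grep out of the match).
odisrv_running() { ps -ef | grep -q '[o]disrv'; }

# Feed LDIF from stdin to ldapmodify as the super user. $1 = super user password.
apply_ldif() {
  tmp="/tmp/oid_recover.$$"
  cat > "$tmp"
  ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "$SU_DN" -w "$1" -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Steps 1-5 end to end.
# $1 = new pwdmaxage (seconds), $2 = new realm orcladmin password, $3 = super user password.
# Nothing here touches a server unless recover is called explicitly.
recover() {
  pwdmaxage="$1"; newpw="$2"; supw="$3"
  check_pwdmaxage "$pwdmaxage" || return 1
  if odisrv_running; then
    echo "stop all odisrv processes first; odisrv only reads the DIP password at startup" >&2
    return 1
  fi
  # Step 1: unlock cn=orcladmin (oidpasswd prompts for the OID DB user password).
  oidpasswd connect="$OID_DB" unlock_su_acct=true || return 1
  # Step 3: raise pwdmaxage on both policies.
  pwdmaxage_ldif "$pwdmaxage" | apply_ldif "$supw" || return 1
  # Step 4: new realm orcladmin password (change it twice if you want the old one back
  # and password history allows it).
  userpassword_ldif "$newpw" | apply_ldif "$supw" || return 1
  # Step 5: re-register DIP so odisrv picks up a fresh random password on its next start.
  # Add -lhost <virtual host> alongside -h for cold failover, as the post notes.
  odisrvreg -D "$SU_DN" -w "$supw" -h "$OID_HOST" -p "$OID_PORT"
}
```

Typical use is `recover "$(days_to_pwdmaxage 90)" 'NewRealmPw1' 'SuperUserPw'` after stopping odisrv; the LDIF generators can be run on their own first to review what will be sent, and the guard in recover is what keeps the account from being locked a second time by an odisrv that is still holding the old password.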