OID User Unlock and Password Change

Today I ran into a problem where the built-in OID user (cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com) of the BIEE 11.1.1.6.2 SampleApplication V207 (virtual machine) had been locked out because its password expired.

The error was: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 49 : [LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]

Regular users

We can use the ldapmodify command to change this user's password, as follows:

Create a file named my.ldif under /home/oracle/Desktop with the following content:

dn: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com
changetype: modify
replace: userpassword
userpassword: Admin123

Then run the following commands:

$:cd /home/oracle/oid/Oracle_IDM1/bin

$:./ldapmodify -p 3060 -h localhost -D cn=orcladmin -q -v -f /home/oracle/Desktop/my.ldif

Please enter bind password: 
replace userpassword:
        Admin123
modifying entry cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com
modify complete

The change is done; now test it:

./ldapbind -h localhost -p 3060 -D cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com -w Admin123
bind successful

The change succeeded!

Alternatively, we can change the password policy configuration to lengthen the expiry period.

View the existing password policy:

$:cd /home/oracle/oid/Oracle_IDM1/bin

$:./ldapsearch -p 3060 -h localhost -b " " -s sub "(objectclass=pwdpolicy)" -D cn=orcladmin -w Admin123

cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
pwdminlength=5
pwdmaxfailure=10
pwdmaxage=10368000
pwdlockoutduration=86400
pwdlockout=1
pwdexpirewarning=604800
pwdchecksyntax=1
orclpwdpolicyenable=1
orclpwdalphanumeric=1
objectclass=top
objectclass=pwdpolicy
cn=default
pwdfailurecountinterval=0
pwdgraceloginlimit=5
orclpwdminalphachars=0
orclpwdminspecialchars=0
orclpwdminuppercase=0
orclpwdminlowercase=0
orclpwdmaxrptchars=0
orclpwdencryptionenable=0

cn=repld,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
pwdminlength=0
pwdmaxfailure=0
pwdmaxage=0
pwdlockoutduration=0
pwdlockout=0
pwdexpirewarning=0
pwdchecksyntax=0
orclpwdpolicyenable=1
orclpwdalphanumeric=0
objectclass=top
objectclass=pwdpolicy
cn=repld
pwdfailurecountinterval=0
pwdgraceloginlimit=5
orclpwdminalphachars=0
orclpwdminspecialchars=0
orclpwdminuppercase=0
orclpwdminlowercase=0
orclpwdmaxrptchars=0
orclpwdencryptionenable=0

cn=rocpolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
pwdminlength=5
pwdmaxfailure=10
pwdmaxage=10368000
pwdlockoutduration=86400
pwdlockout=1
pwdexpirewarning=604800
pwdchecksyntax=1
orclpwdpolicyenable=1
orclpwdalphanumeric=1
objectclass=top
objectclass=pwdpolicy
cn=rocpolicy
pwdfailurecountinterval=0
pwdgraceloginlimit=5
orclpwdminalphachars=0
orclpwdminspecialchars=0
orclpwdminuppercase=0
orclpwdminlowercase=0
orclpwdmaxrptchars=0
orclpwdencryptionenable=1

cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
displayname=Password Policy for Realm dc=us,dc=oracle,dc=com
orclpwdminalphachars=0
pwdfailurecountinterval=0
orclpwdmaxrptchars=0
pwdlockoutduration=86400
objectclass=top
objectclass=pwdpolicy
pwdmaxfailure=10
orclpwdminuppercase=0
orclpwdencryptionenable=0
pwdminlength=5
orclpwdalphanumeric=1
cn=default
pwdlockout=1
pwdchecksyntax=1
orclpwdpolicyenable=1
pwdgraceloginlimit=5
pwdexpirewarning=604800
pwdmaxage=10368000
orclpwdminspecialchars=0
orclpwdminlowercase=0

We only care about the entry labelled Password Policy for Realm dc=us,dc=oracle,dc=com; there pwdmaxage is 10368000, which is 120 days.

5184000 = 60 days
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year

Suppose we want to change pwdmaxage to 1 year; the method is as follows:

Create a file named my.ldif under /home/oracle/Desktop with the following content:

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: pwdmaxage
pwdmaxage: 31536000

Then run the following commands:

$:cd /home/oracle/oid/Oracle_IDM1/bin

$:./ldapmodify -p 3060 -h localhost -D cn=orcladmin -q -v -f /home/oracle/Desktop/my.ldif
Please enter bind password: 
replace pwdmaxage:
        31536000
modifying entry cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
modify complete
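The seconds-to-days table above and the pwdmaxage change just shown are easy to script, and the same arithmetic tells you how close a user is to the GSL_PWDEXPIRED_EXCP state before it happens. The following is an added example, not code from the original post or from Oracle: it parses a policy dump in the attr=value form that Oracle's ldapsearch prints (a trimmed, constructed copy of two entries from the page is embedded), reports the realm policy's pwdmaxage in days, computes the days remaining for a password given its pwdchangedtime (assumed to be returned in generalized time, YYYYMMDDhhmmssZ), and emits the LDIF that raises pwdmaxage to a given number of days. The sample dates are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): inspect an OID password-policy
# dump, compute when a password expires, and emit the pwdmaxage LDIF change.
# Assumptions: the dump is in the attr=value form Oracle's ldapsearch prints (as on
# this page); the user's pwdchangedtime is in generalized time, YYYYMMDDhhmmssZ.

# Constructed sample: a trimmed copy of two policy entries from the post.
POLICY_DUMP='cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
pwdmaxage=10368000
pwdlockout=1
cn=default

cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
displayname=Password Policy for Realm dc=us,dc=oracle,dc=com
pwdlockoutduration=86400
pwdmaxfailure=10
pwdmaxage=10368000
pwdgraceloginlimit=5'

REALM_POLICY='cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com'

# policy_attr DUMP DN ATTR: print ATTR's value from the entry whose first line is DN.
# The DN is matched exactly, so the realm policy is not confused with the
# OracleContext policy whose DN is a prefix of it.
policy_attr() {
    printf '%s\n' "$1" | awk -v dn="$2" -v attr="$3" '
        $0 == dn { inside = 1; next }
        /^$/ { inside = 0 }
        inside && index($0, attr "=") == 1 { print substr($0, length(attr) + 2); exit }'
}

# days_from_civil Y M D: days since 1970-01-01 (proleptic Gregorian, Hinnant's algorithm)
days_from_civil() {
    dc_y=$1 dc_m=$2 dc_d=$3
    [ "$dc_m" -le 2 ] && dc_y=$((dc_y - 1))
    dc_era=$((dc_y / 400))
    dc_yoe=$((dc_y - dc_era * 400))
    dc_doy=$(( (153 * ((dc_m + 9) % 12) + 2) / 5 + dc_d - 1 ))
    dc_doe=$((dc_yoe * 365 + dc_yoe / 4 - dc_yoe / 100 + dc_doy))
    printf '%s\n' $((dc_era * 146097 + dc_doe - 719468))
}

# gentime_to_days YYYYMMDDhhmmssZ: day number of a generalized-time value
# (time of day ignored; leading zeros stripped so the shell does not read 08 as octal)
gentime_to_days() {
    gt_y=$(printf '%s' "$1" | cut -c1-4)
    gt_m=$(printf '%s' "$1" | cut -c5-6)
    gt_d=$(printf '%s' "$1" | cut -c7-8)
    days_from_civil "$gt_y" "${gt_m#0}" "${gt_d#0}"
}

# days_until_expiry CHANGED NOW MAXAGE_SECONDS: whole days until the password
# expires (negative means it already has, the state behind GSL_PWDEXPIRED_EXCP);
# a policy with pwdmaxage=0, like the repld policy on this page, never expires it.
days_until_expiry() {
    [ "$3" -eq 0 ] && { printf 'never\n'; return 0; }
    printf '%s\n' $(( $(gentime_to_days "$1") + $3 / 86400 - $(gentime_to_days "$2") ))
}

# pwdmaxage_ldif DN DAYS: the LDIF change that sets pwdmaxage on policy DN to DAYS days
pwdmaxage_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: pwdmaxage\npwdmaxage: %s\n' "$1" $(( $2 * 86400 ))
}

maxage=$(policy_attr "$POLICY_DUMP" "$REALM_POLICY" pwdmaxage)
printf 'realm pwdmaxage: %s s = %s days\n' "$maxage" $((maxage / 86400))
# Constructed dates: password set 2012-03-01, checked on 2012-07-01 (122 days later).
printf 'days until expiry: %s\n' "$(days_until_expiry 20120301000000Z 20120701000000Z "$maxage")"
pwdmaxage_ldif "$REALM_POLICY" 365
```

Against a live directory you would feed policy_attr the output of the ldapsearch shown above and read pwdchangedtime from the user entry with a similar search; a scheduled run that reports negative or small values is a cheap way to catch expiring service accounts before the application starts failing binds. The output of pwdmaxage_ldif can be written to a file and passed to ldapmodify with -f exactly as in the post.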

Superuser

In addition, if the OID superuser (cn=orcladmin) itself has expired, we can unlock it with the following method.

Because the SampleApplication has IDM installed, we need to set a few environment variables before unlocking:

export ORACLE_HOME=/home/oracle/oid/Oracle_IDM1/

export ORACLE_INSTANCE=/home/oracle/oid/bioid2/

export TNS_ADMIN=/home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin

Because the SampleApplication VM has both the database and IDM installed on the same machine, the default ORACLE_HOME is the database home, so here it has to point to the IDM home.

And because ORACLE_HOME was changed, TNS_ADMIN must be changed along with it, so that oidpasswd can later find tnsnames.ora under TNS_ADMIN.

Once the environment variables are set, we can use oidpasswd to unlock the account:

$:cd /home/oracle/oid/Oracle_IDM1/ldap/bin

$: ./oidpasswd connect=orcl unlock_su_acct=true

OID DB user password:

OID super user account unlocked successfully.

Note: the orcl after connect= is the service name in tnsnames.ora, and the OID DB user password is the database user password used when IDM was installed; the SampleApplication deployment document states that it is Admin123.
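The two things that make this step fail on a shared DB+IDM host are exactly the ones the post calls out: ORACLE_HOME left pointing at the database home, and TNS_ADMIN not holding a tnsnames.ora that defines the service named by connect=. The following pre-flight check is an added example, not from the original post or from Oracle; it takes the four values as arguments and builds a constructed directory layout to demonstrate itself. The expectation that an OID instance directory contains a config subdirectory is an assumption.

```shell
#!/bin/sh
# Added example (not code from the original post): check the environment the
# post sets before running oidpasswd. Paths come from the arguments; the
# "$ORACLE_INSTANCE/config" expectation is an assumption about the layout.

# check_oid_env ORACLE_HOME ORACLE_INSTANCE TNS_ADMIN SERVICE
# Returns 0 when all checks pass, 1 otherwise; each failure is reported on stderr.
check_oid_env() {
    oh=$1 oi=$2 tns=$3 svc=$4 rc=0
    # oidpasswd lives under the IDM home, not the database home
    if [ ! -x "$oh/ldap/bin/oidpasswd" ]; then
        echo "FAIL: $oh/ldap/bin/oidpasswd not found; ORACLE_HOME looks like the wrong home (database home?)" >&2
        rc=1
    fi
    # the OID instance directory holds the component configuration (assumed layout)
    if [ ! -d "$oi/config" ]; then
        echo "FAIL: $oi/config missing; ORACLE_INSTANCE is not an OID instance directory" >&2
        rc=1
    fi
    # oidpasswd resolves connect=SERVICE through $TNS_ADMIN/tnsnames.ora
    if [ ! -r "$tns/tnsnames.ora" ]; then
        echo "FAIL: $tns/tnsnames.ora not readable; oidpasswd cannot resolve connect=$svc" >&2
        rc=1
    elif ! grep -iq "^[[:space:]]*$svc[[:space:]]*=" "$tns/tnsnames.ora"; then
        # heuristic: tnsnames entries start with "NAME =" at the beginning of a line
        echo "FAIL: no '$svc =' entry in $tns/tnsnames.ora" >&2
        rc=1
    fi
    return $rc
}

# make_demo_layout: build a constructed IDM home, instance, TNS_ADMIN and a
# database home under a temp directory, and print that directory's path.
make_demo_layout() {
    demo=$(mktemp -d)
    mkdir -p "$demo/idm/ldap/bin" "$demo/inst/config" "$demo/tns" "$demo/db/bin"
    : > "$demo/idm/ldap/bin/oidpasswd"
    chmod +x "$demo/idm/ldap/bin/oidpasswd"
    : > "$demo/db/bin/sqlplus"            # the database home has no ldap/bin
    printf 'ORCL =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)))\n' \
        > "$demo/tns/tnsnames.ora"
    printf '%s\n' "$demo"
}

demo=$(make_demo_layout)
if check_oid_env "$demo/idm" "$demo/inst" "$demo/tns" orcl; then
    echo "PASS: IDM home, instance and TNS_ADMIN are consistent; safe to run oidpasswd"
fi
# The database home as ORACLE_HOME is the mistake the post warns about:
check_oid_env "$demo/db" "$demo/inst" "$demo/tns" orcl || echo "expected failure for the database home"
rm -rf "$demo"

# On the VM from the post it would be called with the exported values:
#   check_oid_env /home/oracle/oid/Oracle_IDM1 /home/oracle/oid/bioid2 \
#       /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin orcl \
#   && ./oidpasswd connect=orcl unlock_su_acct=true
```

Running the check first keeps the actual unlock from prompting for the OID DB user password only to fail on name resolution; the failing reason is printed before any credential is entered.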

References:

Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)

http://docs.oracle.com/cd/E23943_01/oid.1111/e10029/toc.htm

Written by 风在身后; licensed under the Creative Commons Attribution-ShareAlike 3.0 China Mainland License.
Contact the author before reposting or quoting, and credit the author and the original source.