Thursday, February 25, 2010

OID password policies and account lockouts

The other day I blogged about Database 11g's default password policies and how to disable them for your test environment. Today my passwords for OID expired, and I thought I'd pass along the same information for OID in case anyone needs it too.

The first thing you should know is that there is no oidadmin in OID 11g. I'm going to ignore the GUI tools here and just document how to disable the policies via ldapmodify.

First, find your default password policy by searching for any objects with the objectclass of pwdpolicy. In the default configuration there should be only one:

[oracle@demo5 ~]$ ldapsearch -b dc=oracledemo,dc=com -p 3060 -D cn=orcladmin -w abcd1234 objectclass=pwdpolicy dn
cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=oracledemo,dc=com
[oracle@demo5 ~]$
Assuming you want to disable the policy, all you need to do is change the value of pwdlockout to 0 (that's the digit zero, not the letter O) and the policy will be disabled. So something like this:

[oracle@demo5 ~]$ ldapmodify -p 3060 -D cn=orcladmin -w abcd1234
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=oracledemo,dc=com
changetype:modify
replace: pwdlockout
pwdlockout: 0

modifying entry cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=oracledemo,dc=com

[oracle@demo5 ~]$
And finally, if you have any accounts that are locked out and you need them re-enabled without changing their password, modify the account and add the attribute orclpwdaccountunlock with the value 1 (that's the digit one, not the letter L). So something like this:

[oracle@demo5 ~]$ ldapmodify -p 3060 -D cn=orcladmin -w abcd1234
dn: uid=hbowman,cn=Users, dc=oracledemo, dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1

modifying entry uid=hbowman,cn=Users, dc=oracledemo, dc=com

[oracle@demo5 ~]$
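Once a policy has been relaxed like this, it is easy to forget and ship the setting to an environment that matters. The following is an added example, not code from the original post: it parses the LDIF that the ldapsearch above prints (here a constructed sample, including a fictitious second policy), reports every pwdpolicy entry whose pwdlockout is 0 or missing, and emits the LDIF that puts lockout back. It assumes 1 is the enabled value, since the post sets 0 to disable.

```python
import base64

# Constructed sample of what `ldapsearch ... objectclass=pwdpolicy` returns
# after the change above. The "strict" policy is made up for illustration;
# neither entry is real output from the post's server.
SAMPLE_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=orac
 ledemo,dc=com
objectclass: top
objectclass: pwdpolicy
pwdlockout: 0

dn: cn=strict,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=oracledemo,dc=com
objectclass: pwdpolicy
pwdlockout: 1
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry. Attribute names are
    lower-cased, folded lines (leading space) are rejoined, and base64
    values written as 'attr:: ...' are decoded."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit_lockout(text):
    """List (dn, pwdlockout value) for each pwdpolicy with lockout off."""
    findings = []
    for entry in parse_ldif(text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "pwdpolicy" not in classes:
            continue
        value = entry.get("pwdlockout", ["<missing>"])[0]
        if value != "1":                  # assumption: 1 means lockout enabled
            findings.append((entry["dn"][0], value))
    return findings


def reenable_ldif(dn):
    """LDIF for ldapmodify that reverts the post's change on one policy."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdlockout\npwdlockout: 1\n"
```

Pipe a real ldapsearch dump into audit_lockout and feed reenable_ldif's output to ldapmodify to restore lockout before the instance leaves the test bench.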
