1 Introduction
This applies to the following situation:
OID has two OID Administrator users: the super admin user “cn=orcladmin” and the local admin “cn=orcladmin,cn=Users,dc=domain,dc=com”. The local admin’s password expired, which breaks OAM logins because the OAM login form uses the local admin account to perform password resets.
To get around this issue, a workaround was put in place to ensure the local admin’s password does not unexpectedly expire. The workaround is described in the next section of this document.
2 Workaround implementation
2.1 Create a new password policy
In OID’s ODSM tool, create a new password policy whose ‘password expiry’ value is set so that passwords either never expire or expire after a chosen length of time.
The value is in seconds, so convert accordingly if you want the expiry expressed in days, months or years (for example, 90 days is 90 × 86400 = 7,776,000 seconds).
After creating and saving the new password policy, copy down the complete distinguished name (dn) of the password policy. For example, “cn=orclAdminPwd,cn=pwdPolicies,cn=Common,cn=Products, cn=OracleContext”.
2.2 Apply password policy to local admin user
In ODSM, navigate to the local admin user, (example shown here): “cn=orcladmin,cn=Users,dc=domain,dc=com”.
Set the “pwdpolicysubentry” attribute to the complete distinguished name of the new password policy, for example “cn=orclAdminPwd,cn=pwdPolicies,cn=Common,cn=Products, cn=OracleContext”.
2.3 Save changes
After saving the changes to the local admin user, the local admin account should no longer be expired. To test, run an ldapbind against the account to verify it is unlocked.
For example, in a command prompt you can run the following command (binding as the local admin user itself, not as the password policy entry):
C:\Oracle\Middleware\%OID_HOME%\bin\ldapbind -h hostname.domain.com -p 3060 -D "cn=orcladmin,cn=Users,dc=domain,dc=com" -w ThePassword
If the command returns “ldap bind successful” instead of a ‘password expiration’ error, then your changes were successful!
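The following helper script is an added example, not part of the original document: it converts a day-based expiry into the seconds value ODSM expects (section 2.1), builds the LDIF that sets pwdpolicysubentry on the local admin (section 2.2) for use with ldapmodify, and wraps the section 2.3 ldapbind check so its output is classified rather than read by eye. It assumes ldapbind/ldapmodify live under OID_HOME/bin and accept the -h/-p/-D/-w flags shown above; the DNs are the page's example values with the stray spaces removed.

```python
"""Helpers for the OID local-admin password-expiry workaround (added example)."""
import subprocess

# Example DNs taken from the document (spaces after commas removed).
LOCAL_ADMIN_DN = "cn=orcladmin,cn=Users,dc=domain,dc=com"
POLICY_DN = "cn=orclAdminPwd,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext"


def expiry_seconds(days: int, hours: int = 0) -> int:
    """ODSM takes the 'password expiry' value in seconds (section 2.1)."""
    if days < 0 or hours < 0:
        raise ValueError("expiry must be non-negative")
    return days * 86400 + hours * 3600


def user_policy_ldif(user_dn: str, policy_dn: str) -> str:
    """LDIF that points the user at the new policy (section 2.2), for ldapmodify."""
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: pwdpolicysubentry\n"
        f"pwdpolicysubentry: {policy_dn}\n"
    )


def classify_bind_output(output: str) -> str:
    """Map ldapbind output to 'ok', 'expired' or 'error' (section 2.3)."""
    low = output.lower()
    if "bind successful" in low:
        return "ok"
    if "password" in low and "expir" in low:
        return "expired"
    return "error"


def check_local_admin_bind(oid_home: str, host: str, port: int,
                           bind_dn: str, password: str) -> str:
    """Run ldapbind as the local admin and classify the result.

    -w puts the password on the command line (as the document's example does);
    on a shared host that is visible in process listings, so run this from a
    locked-down account or a scheduled job rather than an interactive shell.
    """
    cmd = [f"{oid_home}/bin/ldapbind", "-h", host, "-p", str(port),
           "-D", bind_dn, "-w", password]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return classify_bind_output(proc.stdout + proc.stderr)
```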