Oracle® Identity Management User Reference
10g Release 2 (10.1.2) B15883-01
The Oracle Internet Directory Database Password Utility (oidpasswd) is used to:
Change the password to the Oracle Internet Directory database.
Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password matches the value you specified during installation for the Oracle Application Server administrator's password. You can change this password by using the OID Database Password Utility.
Create wallets for the Oracle Internet Directory database password and the Oracle directory replication server password.
Unlock or reset the directory super user account, namely, cn=orcladmin.
Reset an access control point (ACP) so that the subtree is accessible by the Oracle Internet Directory super user.
Manage the restricted super user ACL.
oidpasswd [connect=connect_string] [change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true | reset_su_password=true | manage_su_acl=true]
connect=connect_string
Optional. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located in $ORACLE_HOME/network/admin. If not provided, defaults to the value of the $ORACLE_SID environment variable.
change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true | reset_su_password=true | manage_su_acl=true
Required. The operation you want to perform. Depending on the operation you choose, the Oracle Internet Directory Database Password Utility will prompt you for additional information. The following choices are available:
change_oiddb_pwd=true - Changes the password to the Oracle Internet Directory database. You will be prompted to provide the current database password, enter a new database password, and confirm the new password.
create_wallet=true - Create a wallet named oidpwdlldap1 for the Oracle Internet Directory database password, and a wallet, named oidpwdrsid, for the Oracle directory replication server password.
The sid is obtained not from the environment variable SID but from the connected database.
You need to provide the ODS password to authenticate yourself to the ODS database before the ODS wallet can be generated. Note that the default ODS password is the same as that for the Oracle Application Server administrator.
unlock_su_acct=true - Unlocks a super user account that has been locked.
reset_su_password=true - Resets the password for the Oracle Internet Directory super user account. You will be prompted to provide the Oracle Internet Directory database password, enter a new super user password, and confirm the new super user password.
manage_su_acl=true - Manages the restricted super user ACL.
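A pre-flight check for the syntax above, as an added example that is not part of the Oracle documentation: the hypothetical shell function check_oidpasswd_args accepts an optional connect= string and at most one operation set to true, and never runs oidpasswd itself. Treating a missing operation as change_oiddb_pwd is an assumption drawn from the password-change example on this page, which passes no operation argument.

```shell
#!/bin/sh
# Added example (not Oracle code): validate an oidpasswd argument list
# against the documented syntax before a runbook or script executes it.

# check_oidpasswd_args ARG...
#   valid:   prints "<operation> <connect_string or ->" and returns 0
#   invalid: prints the reason on stderr and returns 1
check_oidpasswd_args() {
    op=""
    conn=""
    for arg in "$@"; do
        case "$arg" in
            connect=?*)
                [ -z "$conn" ] || { echo "connect given twice" >&2; return 1; }
                conn=${arg#connect=}
                ;;
            change_oiddb_pwd=*|create_wallet=*|unlock_su_acct=*|reset_su_password=*|manage_su_acl=*)
                [ "${arg#*=}" = "true" ] || { echo "value must be true: $arg" >&2; return 1; }
                [ -z "$op" ] || { echo "only one operation allowed: $op, ${arg%%=*}" >&2; return 1; }
                op=${arg%%=*}
                ;;
            *)
                echo "unknown argument: $arg" >&2
                return 1
                ;;
        esac
    done
    # Assumption: with no operation argument the utility changes the
    # database password, as in the password-change example on this page.
    printf '%s %s\n' "${op:-change_oiddb_pwd}" "${conn:--}"
}

# Constructed sample argument lists: one valid, two that break the syntax.
for line in "connect=dbs1 create_wallet=true" \
            "connect=dbs1 unlock_su_acct=true reset_su_password=true" \
            "unlock_su_acct=yes"; do
    # Word splitting of $line is intended here.
    check_oidpasswd_args $line || echo "rejected: oidpasswd $line"
done
```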
Using Oracle Internet Directory Database Password Utility, you can perform the following tasks:
The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.
Example:
oidpasswd
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.
The Oracle Internet Directory Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password.
The utility assumes by default that the password being changed is that of the local database (as defined by ORACLE_HOME and ORACLE_SID). If you are changing the password on a remote database, you must use the connect=connect_string option.
The following example shows how to create wallets for the Oracle Internet Directory database password and the Directory Replication server password.
Example:
oidpasswd connect=dbs1 create_wallet=true
The argument create_wallet=true is mandatory in this case. Except for the connect string, no other option can be specified.
The following example shows how to unlock the Oracle Internet Directory super user account, cn=orcladmin.
Example:
oidpasswd connect=dbs1 unlock_su_acct=true
The argument unlock_su_acct is mandatory. Except for the connect string, no other option can be specified.
If you forget the Oracle Internet Directory super user password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the super user password and Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory super user password using ldapmodify. Separately, you can change the Oracle Internet Directory super user password using the oidpasswd tool.
The following example shows how to reset the Oracle Internet Directory super user password. The oidpasswd tool prompts you for the Oracle Internet Directory database password.
Example:
oidpasswd connect=dbs1 reset_su_password=true
OID DB user password: oid_db_password
password: new_su_password
confirm password: new_su_password
OID super user password reset successfully
When an access control point (ACP) is set with an access control item (ACI) that has the keyword DenyGroupOverride, neither the Oracle Internet Directory super user nor members of DirectoryAdminGroup can access the subtree under that ACP. If necessary, you can use the oidpasswd tool to reset that ACP so that the subtree is accessible by the Oracle Internet Directory super user.
The following example shows how to reset a restricted ACP. The oidpasswd utility prompts you to enter the Oracle Internet Directory database password and to choose which super user restricted ACPs to reset.
Example:
oidpasswd connect=dbs1 manage_su_acl=true
OID DB user password: oid_db_password
The super user restricted ACP list
[1] o=oracle,c=us
[2] ou=personnel,o=oracle,c=us
Enter 'resetall' or the number(s) of the ACP to be reset separated by [,]
resetall
Once you have reset some ACPs so that the super user can access them, you can use ldapmodify to make the subtrees inaccessible to the super user again.