Tuesday

OID 11g: Viewing and Setting the Password Policy via ODSM and the Command Line

We are about to go live with our new 11g Fusion Middleware environment and wanted to set up the password policy for user accounts before they logged in for the first time.

I logged in to Oracle Directory Services Manager, which by default resides at http://server:7005/odsm. The first screen is informational and shows some relevant version numbers and statistics.

[screenshot: ODSM home page with version numbers and statistics]

To change password policy options, click on the Security tab, then click on Password Policy.

[screenshot: Security tab with the Password Policy entry]

Next you need to determine the correct policy to modify. The easiest way is probably to look at the Distinguished Name that has the proper domain component values (i.e. dc=yourserver,dc=com).

[screenshot: list of password policies with their Distinguished Names]

There are a number of options you can set for your password policy, and the values you choose will depend on your corporate standards. To get help for any particular option, click on it and a context-sensitive dialog box will appear with more information.

[screenshot: password policy options]

Once you have made all your changes, click on the Apply button. This is where I ran into trouble and was presented with the following error:

[screenshot: error dialog shown after clicking Apply]

I searched Google and Metalink but didn’t find any solutions, so I decided to try the command line method.

Log in to the server which hosts your Identity Management Domain and initialize your environment. Once the environment is properly set, ldapsearch and ldapmodify should be in your path.

To view the password policy, use the ldapsearch utility:

ldapsearch -D "cn=orcladmin" -w <orcladmin_pass> -h <OID_Host> -p 3060 -b "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=mydomain,dc=com" -s sub "(objectclass=*)" "*"

cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=mydomain,dc=com
orclpwdminalphachars=0
pwdfailurecountinterval=300
orclpwdmaxrptchars=0
pwdlockoutduration=86400
objectclass=top
objectclass=pwdpolicy
pwdmaxfailure=5
orclpwdminuppercase=0
orclpwdencryptionenable=0
pwdminlength=8
orclpwdalphanumeric=1
cn=default
pwdlockout=1
pwdchecksyntax=1
orclpwdpolicyenable=1
pwdgraceloginlimit=5
pwdexpirewarning=604800
pwdmaxage=10368000
orclpwdminspecialchars=0
orclpwdminlowercase=0

To modify the password policy, use ldapmodify and pass it a file containing the options you’d like to change:

ldapmodify -h <OID_Host> -p 3060 -D "cn=orcladmin" -w <orcladmin_pass> < PolicyMod.txt

In the PolicyMod.txt file below I am modifying the minimum length of a password and the number of failures before the account is locked:

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=myserver,dc=com
changetype: modify
replace: pwdminlength
pwdminlength: 8

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=myserver,dc=com
changetype: modify
replace: pwdmaxfailure
pwdmaxfailure: 5
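
Whichever method you use, it is worth checking the values ldapsearch returns against a written baseline before go-live and again after each ldapmodify. The script below is an added example, not from the original post or from Oracle: the thresholds, the get_attr and audit_policy functions and the WEAK_POLICY sample are assumptions constructed to mirror the attribute=value output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the attribute=value lines
# that ldapsearch prints for the OID password policy against a baseline.
# The thresholds below are assumptions; replace them with your corporate standard.
MIN_LENGTH=8       # assumed floor for pwdminlength
MAX_FAILURES=10    # assumed ceiling for pwdmaxfailure (0 means never lock)
MAX_AGE=10368000   # assumed ceiling for pwdmaxage in seconds (0 means never expire)

# get_attr ATTR OUTPUT: value of ATTR in the ldapsearch output (trailing blanks trimmed), empty if absent.
get_attr() {
    printf '%s\n' "$2" | awk -F= -v a="$1" '
        tolower($1) == a { sub(/^[^=]*=/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }'
}

# audit_policy OUTPUT: print one finding per line; return 1 if any, 0 if clean.
audit_policy() {
    p=$1; rc=0
    en=$(get_attr orclpwdpolicyenable "$p"); lock=$(get_attr pwdlockout "$p")
    fail=$(get_attr pwdmaxfailure "$p");    len=$(get_attr pwdminlength "$p")
    age=$(get_attr pwdmaxage "$p");         syn=$(get_attr pwdchecksyntax "$p")
    [ "$en" = 1 ]   || { echo "policy not enforced: orclpwdpolicyenable=${en:-missing}"; rc=1; }
    [ "$lock" = 1 ] || { echo "lockout disabled: pwdlockout=${lock:-missing}"; rc=1; }
    [ "${fail:-0}" -ge 1 ] && [ "${fail:-0}" -le "$MAX_FAILURES" ] ||
        { echo "failure threshold out of range: pwdmaxfailure=${fail:-missing}"; rc=1; }
    [ "${len:-0}" -ge "$MIN_LENGTH" ] ||
        { echo "minimum length below $MIN_LENGTH: pwdminlength=${len:-missing}"; rc=1; }
    [ "${age:-0}" -ge 1 ] && [ "${age:-0}" -le "$MAX_AGE" ] ||
        { echo "expiry out of range: pwdmaxage=${age:-missing}"; rc=1; }
    [ "$syn" = 1 ]  || { echo "syntax checks off, so length is not enforced: pwdchecksyntax=${syn:-missing}"; rc=1; }
    return $rc
}

# Constructed sample in the same form as the ldapsearch output above: a weak policy.
WEAK_POLICY='cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=mydomain,dc=com
orclpwdpolicyenable=1
pwdlockout=0
pwdmaxfailure=0
pwdminlength=6
pwdmaxage=0
pwdchecksyntax=1'

# Against a live directory, feed it the real search (placeholders as in the post):
#   audit_policy "$(ldapsearch -D "cn=orcladmin" -w <orcladmin_pass> -h <OID_Host> -p 3060 \
#     -b "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=mydomain,dc=com" \
#     -s base "(objectclass=*)" "*")"
audit_policy "$WEAK_POLICY" || echo "policy needs attention before go-live"
```

Run against the output shown earlier in this post (pwdlockout=1, pwdmaxfailure=5, pwdminlength=8, pwdmaxage=10368000, pwdchecksyntax=1) the audit reports nothing; the constructed weak sample produces four findings.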

So now you are familiar with two methods of changing password policy settings.
