LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired

Issue

The following error was raised while starting IDM with the startall.sh script, which starts the Oracle Fusion Middleware server for Oracle Fusion Applications:

[LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]

Analysis Done

The password of the weblogic_idm admin account has expired.

During Fusion Applications installation, the weblogic admin account is created under the normal user password policy, which expires passwords after 90 days.

Alternatively, the password of one of the service accounts (e.g. PolicyRWUser) or admin accounts (e.g. weblogic_idm, orcladmin and FAAdmin) has expired.

During Fusion Applications installation, two service accounts (IDRWUser, IDROUser) are created to connect to the identity store, and another two (PolicyRWUser, PolicyROUser) are created to connect to the policy store. All four service accounts are created under the normal users container in OID (i.e. cn=users,dc=us,dc=oracle,dc=com), so the normal user password expiration policy applies to them unless you create a separate policy for them.

The orcladmin user may also be used by OIM to connect to OID.

Steps to verify the issue

Step 1. Use the startall.sh script to start the Oracle Fusion Middleware server for Oracle Fusion Applications:

cd /app/oracle/config/scripts

./startall.sh

Step 2. Check the server log; it contains the following error:

[LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]

Step 3. Confirm that the weblogic_idm password has expired by binding to OID as that user (the bind fails with the same GSL_PWDEXPIRED_EXCP error):

$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,dc=aclnz,dc=com -w Welcome14 -h idm117.aclnz.com -p 3060

Resolution

Step 1. Make sure the database and listener are started:

# Database environment
ORACLE_HOME=/app/database/product/11.2.0/dbhome_1
export ORACLE_HOME
export PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_SID=idmdb

# Java environment (the java binaries live in $JAVA_HOME/bin, so that is what goes on PATH)
JAVA_HOME=/app/fusion/jdk6
export JAVA_HOME
export PATH=$PATH:$JAVA_HOME/bin

ANT_HOME=/app/fusion/provisioning/ant
export ANT_HOME

# Start DB (the startup command is issued at the SQL prompt)
sqlplus '/ as sysdba' <<EOF
startup
exit
EOF

# Start listener
lsnrctl start

Step 2. Start OID Server from OID Home

$OID_INSTANCE_HOME/bin/opmnctl startall

In my case the commands to start the OID server were:

cd /app/oracle/config/instances/oid1/bin

./opmnctl startall

Step 3. Set the environment for the Oracle Middleware server using the following variables. The most important point is that ORACLE_HOME must point at the OID home, so that the ldapbind and ldapmodify tools used below are the OID ones:

export MIDDLEWARE_HOME=/app/fusion/provisioning/fmw_rcu

export ORACLE_HOME=/app/oracle/products/dir/oid

export PATH=$PATH:$ORACLE_HOME/bin

Step 4. Create and save a new file named 'pwd.ldif' to change the weblogic_idm password. The four attribute lines must be contiguous, because a blank line ends an LDIF entry:

dn: cn=weblogic_idm,cn=Users,dc=aclnz,dc=com
changetype: modify
replace: userPassword
userPassword: Welcome14

Step 5. Apply the password change with the following command (binding as orcladmin, the OID superuser):

$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w <orcladmin password> -h <OID Host> -p <OID Port> -f pwd.ldif

In my case it was:

$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w Welcome14 -h idm117.aclnz.com -p 3060 -f pwd.ldif

Output:

modifying entry cn=weblogic_idm,cn=Users,dc=aclnz,dc=com

Step 6. Confirm that the bind now succeeds for the user whose password was reset (weblogic_idm here); the same check applies to service accounts such as IDMPolicyRWUser:

$ORACLE_HOME/bin/ldapbind -D cn=IDMPolicyRWUser,cn=Users,dc=us,dc=oracle,dc=com -w <password> -h <OID Host> -p <OID Port>

In my case it was:

$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,dc=aclnz,dc=com -w Welcome14 -h idm117.aclnz.com -p 3060

Output:

bind successful

Step 7. Stop OID server

$OID_INSTANCE_HOME/bin/opmnctl stopall

In my case it was:

cd /app/oracle/config/instances/oid1/bin

./opmnctl stopall

Step 8. Start IDM services now using startall.sh script

cd /app/oracle/config/scripts

./startall.sh

IMPORTANT NOTE - Verify that an LDAP bind succeeds for each of the following users as well, and if it does not, repeat the steps above to reset that user's password too:

  • PolicyRWUser
  • PolicyROUser
  • IDRWUser
  • IDROUser
  • FAAdmin
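As an added example (not part of the original post), a small POSIX shell helper that automates Steps 3 to 5 for the accounts listed above: it classifies each ldapbind result and writes one correctly formed LDIF that resets every expired account. It assumes $ORACLE_HOME points at the OID home (Resolution Step 3) so that $ORACLE_HOME/bin/ldapbind exists; hosts, DNs and passwords in the comments are constructed values.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes $ORACLE_HOME points at the OID
# home (Resolution Step 3) so that $ORACLE_HOME/bin/ldapbind is available.

# classify_bind_output <ldapbind output>: prints ok, expired or failed.
# Separates the post's GSL_PWDEXPIRED_EXCP case from a plain wrong password or an
# unreachable OID, so only accounts that actually expired get reset.
classify_bind_output() {
    case "$1" in
        *"bind successful"*)   echo ok ;;
        *GSL_PWDEXPIRED_EXCP*) echo expired ;;
        *)                     echo failed ;;
    esac
}

# check_accounts <OID host> <OID port>: reads "dn password" pairs on stdin and prints
# "<status> <dn>" per account (Step 3 of the post, for every account at once).
# Note: -w exposes the password in the process list, exactly as the post's commands do.
check_accounts() {
    while read -r dn pw; do
        # a non-zero exit is expected when the bind fails, so do not abort on it
        out=$("$ORACLE_HOME/bin/ldapbind" -D "$dn" -w "$pw" -h "$1" -p "$2" 2>&1) || true
        echo "$(classify_bind_output "$out") $dn"
    done
}

# make_reset_ldif: reads "dn newpassword" pairs on stdin and writes one LDIF with a
# modify entry per DN (Step 4 of the post). Entries are separated by exactly one
# blank line; a blank line inside an entry would end it early and break ldapmodify.
make_reset_ldif() {
    first=1
    while read -r dn pw; do
        [ "$first" -eq 1 ] || printf '\n'
        first=0
        printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$dn" "$pw"
    done
}

# Typical use (constructed values): check first, then reset only the expired accounts.
#   printf 'cn=weblogic_idm,cn=Users,dc=example,dc=com Welcome14\n' \
#     | check_accounts idm117.example.com 3060
#   printf 'cn=weblogic_idm,cn=Users,dc=example,dc=com NewPass1\n' \
#     | make_reset_ldif > pwd.ldif
#   $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w "$ORCLADMIN_PW" \
#     -h idm117.example.com -p 3060 -f pwd.ldif
```

Keep the "dn password" pairs file readable only by the administrator running the check (mode 600), since it holds the current and new passwords in clear text just as the post's commands do.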

Environment

  • Oracle Fusion Middleware for Oracle Fusion Applications server = 11.5.7
  • Oracle Linux = 5.7 (x86-64)

References

  • Password Expiration Prevent IDM Domain Services From Starting up In Fusion Applications With Error - LDAP: error code 49 (Doc ID 1469561.1)