Issue
The following error appears when starting IDM with the startall.sh script that starts Oracle Fusion Middleware for the Oracle Fusion Applications server:
[LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]
Analysis Done
The password of the weblogic_idm admin account has expired.
During Fusion Applications installation the weblogic_idm admin account is created under the normal user password policy, which expires passwords after 90 days.
Also,
one of the service accounts (e.g. PolicyRWUser) or admin accounts (e.g. weblogic_idm, orcladmin or FAAdmin) may have an expired password.
During Fusion Applications installation two service accounts (IDRWUser, IDROUser) are created to connect to the identity store and two more (PolicyRWUser, PolicyROUser) are created to connect to the policy store. All four are created under the normal users container in OID (e.g. cn=users,dc=us,dc=oracle,dc=com), so the normal user password expiration policy applies to them as well, unless you create a separate password policy for the service accounts.
The orcladmin user may also be used by OIM to connect to OID.
Steps to verify the issue
Step 1. Use the startall.sh script to start the Oracle Fusion Middleware server for the Oracle Fusion Applications server:
cd /app/oracle/config/scripts
./startall.sh
Step 2. Check the server log; it contains the following error:
[LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]
Step 3. Confirm that the weblogic_idm password has expired by binding to OID as that user:
$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,<base DN> -w <password> -h <OID Host> -p <OID Port>
In my case it was:
$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,dc=aclnz,dc=com -w Welcome14 -h idm117.aclnz.com -p 3060
With an expired password the bind fails with the same error code 49 / GSL_PWDEXPIRED_EXCP message instead of printing "bind successful".
Resolution
Step 1. Make sure the database and the listener are started:
ORACLE_HOME=/app/database/product/11.2.0/dbhome_1
export ORACLE_HOME
export PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_SID=idmdb
JAVA_HOME=/app/fusion/jdk6
export JAVA_HOME
export PATH=$PATH:$JAVA_HOME/bin
ANT_HOME=/app/fusion/provisioning/ant
export ANT_HOME
# Start DB (startup is entered at the SQL> prompt, then exit back to the shell)
sqlplus / as sysdba
SQL> startup
SQL> exit
# Start listener
lsnrctl start
Step 2. Start the OID server from the OID instance home:
$OID_INSTANCE_HOME/bin/opmnctl startall
In my case the commands to start the OID server were:
cd /app/oracle/config/instances/oid1/bin
./opmnctl startall
Step 3. Set the environment for the Oracle Middleware server. The important part is that ORACLE_HOME points at the OID home, so that the ldapbind and ldapmodify used below are the OID command-line tools:
export MIDDLEWARE_HOME=/app/fusion/provisioning/fmw_rcu
export ORACLE_HOME=/app/oracle/products/dir/oid
export PATH=$PATH:$ORACLE_HOME/bin
Step 4. Create and save a file named 'pwd.ldif' that resets the weblogic_idm password (here it is set back to the value it already had, which restarts the expiry clock without requiring changes anywhere else that credential is configured):
dn: cn=weblogic_idm,cn=Users,dc=aclnz,dc=com
changetype: modify
replace: userPassword
userPassword: Welcome14
Step 5. Apply the change as the OID superuser (cn=orcladmin):
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w <orcladmin password> -h <OID Host> -p <OID Port> -f pwd.ldif
In my case it was:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w Welcome14 -h idm117.aclnz.com -p 3060 -f pwd.ldif
Output:
modifying entry cn=weblogic_idm,cn=Users,dc=aclnz,dc=com
Step 6. Confirm that weblogic_idm can now bind:
$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,<base DN> -w <password> -h <OID Host> -p <OID Port>
In my case it was:
$ORACLE_HOME/bin/ldapbind -D cn=weblogic_idm,cn=Users,dc=aclnz,dc=com -w Welcome14 -h idm117.aclnz.com -p 3060
Output:
bind successful
Step 7. Stop the OID server again, so that startall.sh can bring up the whole stack, OID included, in Step 8:
$OID_INSTANCE_HOME/bin/opmnctl stopall
In my case it was:
cd /app/oracle/config/instances/oid1/bin
./opmnctl stopall
Step 8. Start the IDM services with the startall.sh script:
cd /app/oracle/config/scripts
./startall.sh
IMPORTANT NOTE - Verify that you can also ldapbind as each of the following users, and if any of those binds fails with the same password-policy error, repeat Steps 4 to 6 for that account too:
- PolicyRWUser
- PolicyROUser
- IDRWUser
- IDROUser
- FAAdmin
Two caveats. Resetting an account to its existing password only restarts the 90-day clock, so the same outage returns when it runs out; the durable fix is the separate password policy for the service accounts mentioned in the analysis. If you set a new value instead, every component that stores that credential to connect to OID must be updated to match, or the binds will fail for a different reason. Also, -w puts the password on the command line, where it is visible in the shell history and in the process list while the tool runs; run these commands as the OID owner on the OID host and clear the history afterwards.
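To make that final check less error prone, here is an added example (not part of the original article and not Oracle tooling) that binds as each listed account in turn, classifies the ldapbind output, and writes a pwd.ldif containing a reset record for every account whose bind failed with GSL_PWDEXPIRED_EXCP, ready for the ldapmodify command of Step 5. The host, port, base DN and the 'cn|password' account-list format are assumptions; only the ldapbind options already used on this page are relied on.

```shell
#!/bin/sh
# Added example, not from the original article: check every IDM account with
# ldapbind and build a reset LDIF for the ones whose password has expired.
# Assumptions: ORACLE_HOME is the OID home (Resolution, Step 3); host, port
# and base DN below are placeholders; the account list file holds one
# "cn|current-password" per line (no '|' in passwords) and is mode 0600.

OID_HOST="${OID_HOST:-idm117.aclnz.com}"             # assumed, as on this page
OID_PORT="${OID_PORT:-3060}"
BASE_DN="${BASE_DN:-cn=Users,dc=aclnz,dc=com}"
LDAPBIND="${LDAPBIND:-$ORACLE_HOME/bin/ldapbind}"   # the OID ldapbind from Step 3

# ldapbind prints "bind successful" when the bind works, and the LDAP error
# text (error code 49, GSL_PWDEXPIRED_EXCP) when the password policy rejects
# the bind because the password has expired. Anything else is a plain failure
# (wrong password, unreachable host, unknown DN) that a reset will not cure.
classify_bind_output() {
    case "$1" in
        *"bind successful"*)   echo ok ;;
        *GSL_PWDEXPIRED_EXCP*) echo expired ;;
        *)                     echo failed ;;
    esac
}

# One LDIF modify record of the form used in Step 4.
make_reset_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n\n' "$1" "$2"
}

# Bind as each account in $1; print "<cn> <status>" per account, append a
# reset record with the new password $2 to the LDIF file $3 for each expired
# account, and return non-zero if any account is not "ok".
# -w puts the password in the process's argument list for the duration of the
# bind, so only run this on the OID host as the owning OS user.
check_accounts() {
    list="$1"; newpw="$2"; out="$3"
    : > "$out"
    rc=0
    while IFS='|' read -r cn pw; do
        [ -z "$cn" ] && continue
        dn="cn=$cn,$BASE_DN"
        result=$("$LDAPBIND" -D "$dn" -w "$pw" -h "$OID_HOST" -p "$OID_PORT" 2>&1 || true)
        status=$(classify_bind_output "$result")
        echo "$cn $status"
        case "$status" in
            expired) make_reset_ldif "$dn" "$newpw" >> "$out"; rc=1 ;;
            failed)  rc=1 ;;
        esac
    done < "$list"
    return $rc
}

# Usage: sh check_idm_binds.sh accounts.txt 'NewPassw0rd' pwd.ldif
# then apply pwd.ldif with the ldapmodify command of Step 5 and re-run with
# the new password in accounts.txt to confirm that every bind is "ok".
if [ $# -eq 3 ]; then
    check_accounts "$1" "$2" "$3" || echo "one or more accounts need attention; see $3" >&2
fi
```

The account list for this page would hold weblogic_idm, PolicyRWUser, PolicyROUser, IDRWUser, IDROUser and FAAdmin; accounts reported as "failed" rather than "expired" have a different problem (typically a wrong stored password) and are deliberately left out of the generated LDIF so that a reset does not paper over it.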
Environment
- Oracle Fusion Middleware for Oracle Fusion Applications server = 11.5.7
- Oracle Linux = 5.7 (x86-64)
References
- Password Expiration Prevent IDM Domain Services From Starting up In Fusion Applications With Error - LDAP: error code 49 (Doc ID 1469561.1)