OID Passwords

Hi
We are planning to import our existing user data into OID, including passwords. Our passwords are currently in a customized format (we convert 16bit encoded MD5 hashes into a long integer). According to Oracle support, OID supports only 64bit encoded MD5 hashes. I have a utility that can convert from 16bit to 64bit hashes. But the problem is to convert the customized password into the 16bit encoded hash first, which seems to be turning into an impossible task. My question is: is there a way we can implement our customized version of hashing in the SSO login functionality so that the hash created by the login method will match the OID password?
We also want to restrict sections of our site by defining rules in mod_osso.conf so that only certain groups of users can access them. (If they try to access those sections, they will have to be redirected to the login page.) We also have explicit login functionality on the site and we are developing a custom login.jsp page. My question is: can we make this explicit login.jsp and the login.jsp that gets invoked by SSO the same?
Thanks a lot
Krishna

Similar Messages

  • Disabling OID Password Policy

    Hi,
    I had a problem of OID password expiry due to the default password policy expiry of 60 days. I resolved the issue using the oidpwd utility and Oracle Directory Manager (ODM). Now I want to change the password policy settings. Here I have a doubt: instead of changing the policy, is it possible to disable the password policy? I found one option in ODM -> 'Password Policy management' -> Cn=PWDPolicyEntry, in the General tab: Password Policy ENABLE/DISABLE in a list box.
    Could anyone please explain what would happen if I select 'DISABLE' to disable the password policy?

    Post in the OID forum... the lads there will help you.

  • IFS - iPlanet to OID Password Synchronization

    Hello Everybody,
    I have a very specific requirement. Maybe somebody can help me with this. I have iFS running with OID (Oracle Internet Directory) for my iFS users. I also have an iPlanet Directory in my network which has all my users. iPlanet users access their email from iPlanet email. I want to synchronize the iPlanet user passwords with iFS passwords. The synchronization should be one-way, i.e. from iPlanet to OID. iPlanet stores user passwords in the userPassword attribute. OID also stores user passwords in the userPassword attribute. iFS stores user passwords in the authPassword attribute, which is generated automatically from the userPassword attribute. Whenever the userPassword attribute is updated, the authPassword attribute gets updated automatically. I can take the encrypted userPassword attribute from iPlanet and update the userPassword attribute as is in OID, but this does not regenerate the authPassword. Therefore, the new password change does not take effect.
    Can anybody help me with a way by which I can synchronize user passwords from iPlanet to OID (specifically for iFS)? The technical reason why authPassword is not updated when you put a hashed password in the userPassword attribute is that you cannot generate a hash from a hash.
    Thanks in advance.

    DIP synchronizes all fields except the password. You need to have the Oracle password filter, which runs independently, to sync the password from AD to OID. Refer to the document here:
    http://www.freeoraclehelp.com/2011/09/oracle-password-filter-to-sync.html
    regards,
    GP

  • Recon OID password to OIM

    We have the ldapsync setup on OIM 11.1.1.5.4 via libOVD and the trusted source is OID 11.1.1.5.0.
    The reconciliations for the create/update to pull users from OID work, except the password is randomly generated once the user is created in OIM, which is not the same as in the OID.
    We want the same password in OIM as in OID via LDAPSYNC recon. However, Oracle support told us that is not possible and pointed to the doc http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/reconsched.htm#sthref431
    Question, if you have had the same requirement , how have you resolved this?

  • Error While unlocking OID Password

    Hi,
    E:\ofm\infra\BIN>oidpasswd connect=orcli unlock_su_acct=TRUE
    OID DB user password:
    ERROR * gsldpuUnlockSuAccount * ORA-12154:ORA-12154: TNS:could not resolve the
    connect identifier specified encountered
    Error in unlocking OID super user account.
    I have two databases, "orcl" and "orcli"; both are working fine from the SQL prompt,
    but when I try to unlock the OID account, I'm prompted with "ORA-12154: TNS:could not resolve the
    connect identifier specified encountered"
    Please Help.
    Regards,
    - Sri

    Check E:\ofm\infra\network\admin\tnsnames.ora (or another location, if you use TNS_ADMIN) to see if it contains the orcli entry.
    If it does, check the sqlnet.ora in the same directory to see if it contains a default_domain (it will not).
    Use the fully specified orcli entry (that is, with the domain - e.g. everything "after the dots")

  • OID Password/username

    I carefully wrote down the password for the ias_admin account, but when trying to install the 9i AS after the infrastructure I can't get past the OID username/password. The port it is trying to use is 4032 and the host is hosrvibmnet.nmshtd.state.nm.us. I'm not sure what the problem is or if it is looking for a different password. The instance is started so I'm not sure what else to do.
    Thanks in advance.

    1. Edit the following file and locate the line that defines the credentials property for the ias_admin user:
    %ORACLE_HOME%\sysman\j2ee\config\jazn-data.xml
    The following example shows the section of jazn-data.xml with the credentials entry in boldface type:
    <realm>
    <name>enterprise-manager</name>
    <users>
    <user>
    <name>ias_admin</name>
    <credentials>rJqp85BkhFwAyw9ddl0PnFlUBVaWzbfT</credentials>
    </user>
    2. Remove the entire line that contains the <credentials> property from jazn-data.xml.
    3. Enter the following command from a DOS Command window:
    %ORACLE_HOME%\bin\emctl set password reset <new password>
    Unix:
    On unix platforms, this step is not necessary because the emctl utility does not require the old password in order to set the new password.

  • Audit OID Passwords (Oracle Internet Directory)

    We have recently moved a production system to OID, and I need to identify a program/method for auditing the passwords (and hopefully general security settings) within OID.
    For Oracle, I am using AppDetective and would love a program similar in simplicity and effectiveness.
    We need to watch for changeme and username passwords most of all.
    Any suggestions? Thanks. Sean.

    Thanks Taj, I did look at that link earlier. I was looking into OID to try out an LDAP based connection to an Oracle DataSource using JDBC. I had a few discussions about it recently:
    LDAP based connection to Oracle
    I thought that an Oracle Database Server would come with OID so that I can try out an LDAP based connection - just a simple test to see how it works. Any other alternatives?

  • Want a solution for a scenario-To Set Password expiration in OID from OIM

    Hi,
    I have one scenario. Please guide me in some details to achieve this.
    I have one password policy in OIM. When user's password expires in OIM, then his password should also expire in OID. We have OID as user's repository.
    For this I have one solution but don't know how to implement it in OIM.
    "OID has the LDAP attribute called “pwdMaxAge” map this attribute to the OIM resource object and reset this value to number of days (as per password policy) whenever you change the password in OIM. This will set the password expiration time in the OID without having the password policy in place. "
    Please suggest.
    Thanks in advance.

    Well here is what you can do:
    - For OIM the user's password will be governed with the Xellerate User password policy, which says that password must be changed every 28 days. So you are good in handling this in OIM.
    Now for the OID side, you have two options - *1. User changes OID password directly* and *2. User changes OID password through update in OIM profile password*. Most probably you would want the second case. If true, then here is what you can do.
    - As user changes the OIM password. Create automatic trigger Change User Password which updates the password in the process form of OID.
    - This invokes the Password Updated task.
    - On SUCCESS of this task, call another task which goes to OID target and updates the attribute pwdMaxAge to Current date + 28
    Thanks
    Sunny

  • OID/Portal - Restrict Special Characters to be used in Password

    Hi,
    Does anyone know how I can restrict the use of special characters ($, &, £...etc) in the OID password? I cannot see an attribute to achieve this. orclpwdIllegalValues will stop certain words, but I just want to restrict the use of any of the special characters in any password. All suggestions or information would be much appreciated.
    Thanks

    Requires custom plugin (using PL/SQL) to add password value checking to OID password policy management capabilities. A description and example code for this is available in chapter 27 of the Oracle® Internet Directory Administrator's Guide, 10g Release 2 (10.1.2) entitled "Oracle Internet Directory Plug-In for Password Policies" available at http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_pwdpolicies.htm#i122359

  • Hash password for OID

    Hi,
    I have created a procedure that will update a users password in OID. I have used this hashing algorithm to perform the hashing:
    v_HashedPassword := orasso.wwsso_utl.hash_pwd(p_Password);
    The password gets hashed but when the user tries to log on to Portal authentication fails. I assume that this is the wrong way to hash the OID password. Does anyone know how I am supposed to do this??
    Regards,
    Anniken

    Hi,
    The problem is solved. I did not need to hash the password before inserting it into OID. The OID did the hashing.
    Regards,
    Anniken

  • LDIF Importing a user with a non-encrypted password fails, any workarounds?

    I was able to import a group without issue:
    dn: cn=Authenticated,cn=Groups,dc=oraclelinux,dc=com
    description: test group
    objectClass: top
    objectClass: groupOfUniqueNames
    uniqueMember: cn=orcladmin,cn=People,dc=oraclelinux,dc=com
    cn: Authenticated
    But when I try to import a standard user:
    dn: cn=testuser2,cn=Users, dc=oraclelinux, dc=com
    userpassword:: password1
    description: test user
    objectClass: top
    objectClass: person
    sn: testuser2
    cn: testuser2
    It fails. If I remove the password field then I can import the user without issue, but I need to include the password field as it is part of what was exported from the old LDAP Server.
    If I create a user in an ldif, import it, then add a password using Oracle's Directory Manager, upon exporting it the entry looks like:
    dn: cn=testuser, cn=Users, dc=oraclelinux, dc=com
    authpassword;orclcommonpwd: {MD5}fGoYCzaJagqMAnh+6vsOTA==
    authpassword;orclcommonpwd: {X- ORCLLMV}E52CAC67419A9A2238F10713B629B565
    authpassword;orclcommonpwd: {X- ORCLNTV}5835048CE94AD0564E29A924A03510EF
    authpassword;oid: {SASL/MD5}tUquh+Duowh2aWSEwONtcQ==
    authpassword;oid: {SASL/MD5-DN}lcQ7Z5O5vcwzXMeaZ65fYw==
    authpassword;oid: {SASL/MD5-U}AAWzkmDDCJLbs9mxoWBTiw==
    userpassword:: e1NIQX00NHJTRkpROXF0SFdUQkF2cnNLZDVLL3AyajA9
    description: test user
    objectclass: top
    objectclass: person
    sn: testuser
    cn: testuser
    Changing my imported ldif to look like the following WORKS:
    dn: cn=testuser2,cn=Users, dc=oraclelinux, dc=com
    userpassword:: e1NIQX00NHJTRkpROXF0SFdUQkF2cnNLZDVLL3AyajA9
    description: test user
    objectClass: top
    objectClass: person
    sn: testuser2
    cn: testuser2
    So the password must be encrypted then? If so, how do I generate a password hash on the command-line and through JAVA?
    Can an import be forced with a plain text password (Tivoli, SUN both support this functionality)?
    Can I change the constraint that the password must contain a numeric char? (Found in document: http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/pwdpolicies.htm#g1051713)
    After fixing the constraints I can import a non-encrypted password from an ldif, but it can not be verified and only the authpassword;oid entries are created, not the authpassword;orclcommonpwd entries.
    Thanks for your assistance,
    ERIC GANDT

    Eric, my first guess would be that the OID password policy prevents loading of the password i.e. the password doesn't match the existing password policy.
    What version is your "old" OID and what is the version of the current OID you're using?
    What is the error msg you get?
    regards,
    --Olaf
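
Added example, not part of the original posts and not Oracle tooling: the exported `userpassword::` value in the thread above is the base64 of `{SHA}` followed by the base64 SHA-1 digest, and the `{MD5}` values use the same layout, which is also the hex-to-base64 re-encoding the first post on this page needs. This Python sketch builds and decodes those values; the function names are illustrative, it assumes "16bit encoded" in the first post means hex (base16), and it does not cover that post's custom long-integer encoding.

```python
import base64
import binascii
import hashlib

DIGEST_LEN = {"MD5": 16, "SHA": 20}  # raw digest sizes in bytes


def hex_digest_to_scheme(hex_digest, scheme="MD5"):
    """Re-encode a hex (base16) digest as '{SCHEME}<base64 of raw digest>'."""
    try:
        raw = binascii.unhexlify(hex_digest.strip())
    except binascii.Error as exc:
        raise ValueError("not a hex digest: %r" % hex_digest) from exc
    if len(raw) != DIGEST_LEN[scheme]:
        raise ValueError("%s digest must be %d bytes, got %d"
                         % (scheme, DIGEST_LEN[scheme], len(raw)))
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def sha_userpassword(password):
    """'{SHA}...' value for a cleartext password (unsalted SHA-1)."""
    return hex_digest_to_scheme(
        hashlib.sha1(password.encode("utf-8")).hexdigest(), "SHA")


def ldif_b64_line(attr, value):
    """Emit 'attr:: <base64>'; in LDIF the double colon marks base64."""
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def parse_ldif_line(line):
    """Return (attr, value), decoding the value when the line uses '::'."""
    attr, _, rest = line.partition(":")
    if not rest.startswith(":"):
        return attr, rest.strip()          # plain 'attr: value'
    b64 = rest[1:].strip()
    try:
        return attr, base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("%s: value after '::' is not base64: %r"
                         % (attr, b64)) from exc


if __name__ == "__main__":
    # Sample password taken from the failing LDIF quoted in the thread.
    value = sha_userpassword("password1")
    print(value)
    print(ldif_b64_line("userpassword", value))
    # Hex MD5 digest re-encoded for a '{MD5}' value.
    print(hex_digest_to_scheme(hashlib.md5(b"password1").hexdigest()))
    # The line from the failing import does not decode as base64.
    try:
        parse_ldif_line("userpassword:: password1")
    except ValueError as err:
        print("rejected:", err)
```
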

  • Help with Password Management!!!

    I am having a problem configuring my OID password management options... the Admin guide says that I can do it through Directory Manager by selecting the server in the left hand pane and editing the data on the password management tab... problem is I have no password management tab... it's not there!
    So I notice that I can also use the command line tools to modify the entry "cn=pwdpolicyentry,cn=oracle internet directory". I assume that "cn=oracle internet directory" is the top level of my tree... doing a search for anything cn=* from the top level results in three things as follows... none of them are the entry I want:
    cn=configset1,cn=metadird,cn=configsets,cn=oracle internet Directory
    cn=odipgroup,cn=odi,cn=oracle internet directory
    cn=odisgroup,cn=odi,cn=oracle internet directory
    OK... so in desperation I attempt to add the entry "cn=pwdpolicyentry,cn=oracle internet directory" and the server says it already exists.
    Seems to me there is something messed up with my Directory Information Tree but I don't know why that would be (I just installed and the install gave me no errors) or how to fix it. Can someone please help???
    Thanks
    Chris

    Querying the password policy entry can be a little bit tricky unless you are very familiar with LDAP. Here's the command that does the trick:
    ldapsearch -s base -b "cn=pwdpolicyentry,cn=oracle internet directory" "(objectclass=*)"
    cn=pwdpolicyentry,cn=oracle internet directory
    objectclass=top
    objectclass=pwdpolicy
    cn=pwdpolicyentry
    pwdmaxage=0
    pwdlockout=0
    pwdlockoutduration=0
    pwdmaxfailure=0
    pwdfailurecountinterval=0
    pwdexpirewarning=0
    Kind regards, Wilfried

  • Getting Invalid password message while running catalog utility

    Hi,
    I am trying to index the modifyTimestamp attribute using catalog utility in OID.
    I am using the command as :
    ./catalog -connect=orcl -add=TRUE -attribute=modifyTimestamp
    Enter OID password:
    but I am getting Invalid password error when I am entering the super user (cn=orcladmin) password.
    Could you please help me in solving this issue.
    Also can someone help me in knowing how to check what should be the correct value of connect_string.
    I am running this command on Solaris.
    Thanks in advance!!
    -Nitin

    Rohit,
    The fix to this is fairly straightforward.
    You have input an incorrect path for the -infile parameter when calling cryptotools.
    You entered , -infile OracleBIData_HOME/web/config/credentialstore.xml
    when it should be, -infile C:\OracleBI\web\config\credentialstore.xml , depending on the absolute physical path to the credentialstore.xml file.
    It looks like you were attempting to use either a Nix (unix/linux) path with the forward slashes or you were trying to use an environment variable for "OracleBIData_Home". I can see from the c:\ that you are on a Windows machine so the Nix path won't work. Also if you are attempting to use an environment variable that you have confirmed is indeed set, then you need to use %OracleBIData_HOME% in the command prompt, which would look like %OracleBIData_HOME%\web\config\credentialstore.xml
    So to answer your question your command should appear as below if I have accessed your path to the OracleBIData home correctly, you may need to change it based on your installation,
    C:\OracleBI\web\bin>cryptotools credstore -add -infile C:\OracleBIData\web\config\credentialstore.xml
    Just be mindful of your paths and your backslashes vs. forward slashes.
    Please mark this as the correct answer to award points if it is or if you read it and it helped you.
    Cheers,
    Christian

  • Enterprise User Security and Password Policies

    Hi!
    I'm testing Enterprise User Security. Till now everything has gone ok, I can connect to my db using oid users.
    Now I'm configuring OID password policies for my realm but it seems that these are not applied when I connect through db. For example, I can try to logon with a wrong password as many time as I want, although in policies a limit of three is set.
    Is this correct?!

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf

  • NO Entries under Entry Management in OID

    Hi,
    After connecting to the OID through ODM (Oracle9i on Win2k Professional), there are no nodes (entries) under "Entry Management", i.e. there is no DIT under that.
    There were no errors during the installation though.
    I was wondering where's the cn=orcladmin entry (if not under the sitting which has to exist because as I could already login to OID using the same through ODM.
    Also, do I need to run any additional script to create the entries?
    Any pointers as to what could be wrong.
    Thanx for ur help in advance..
    Arif

    Thanx Steve and Andrew for the reply.
    I tried to search for the entry orcladmin and the search fails with an Error code 106 (Search criteria doesn't match any entries). This bamboozled me completely as I am logged into the OID thru ODM but can't find the orcladmin entry...something bad....
    Then I realised that my SSO Configuration Assistant/Internet Directory Configuration Assistant must have failed.
    This is what is happening.
    My Oracle Internet Directory Server(OID) is running on port 389(non-ssl default) and the configuration assistants are trying to connect to port 4032.
    I tried 2 workarounds, which failed.
    WorkAround 1: Tried running the OID on port 4032
    I tried to run the OID on port 4032 using
    (oidctl connect=iasdb server=oidldapd instance=1 flags='-p 4032' start)
    but it fails. I could see it from the LDAP logs ($ORACLE_HOME\ldap\logs\oidmon.log). The OID Monitor just adds that instance and deletes it from the registry as it is unable to start the OID Server.
    But other instances could be started on port 389 though...
    WorkAround 2:
    I tried to run the SSOConfigAssistant from the command line as :
    java -jar D:\oracleinfra\sso\lib\ossoca.jar D:\oracleinfra orasso orasso
    hydtrn01.mydomain.com 389 "orcladmin" welcome hydtrn01.mydomain.com 1521
    iasdb AMERICAN_AMERICA.WE8MSWIN1252
    But this throws me off giving an error.
    Failed to obtain OiD password. Exception is :java.lang.Exception: Version mismatch!.
    Where is the SSOConfigAssistant trying to get the OID Passwd from?
    I am not sure as to how to proceed from here other than reinstalling... Also the uninstallation isn't clean as it leaves a lot of entries in the registry on win2k.
    Any help would be mightily appreciated
    Thanx in Advance.
