Introduction

One of the great features that customers need to be aware of and it could be used, as post-process, on many different situations such as: P2T, T2P and clone is the ability to reset multiple passwords simultaneously. Imagine the customer is scaling out their environment because they need an additional UAT environment. This customer has a new requirement: Replace all end-user passwords on an entire FA-IDM REL8 solution. This kind of scenario is growing naturally because it allows many process variations on cloud and on-premise environments. Unfortunately, by default, OIM and OID don’t have WebUI feature that allows this mass reset. This blog will cover part 1: How to do it using OID commands and in December we will publish part 2: How to do it using the OIM api.

Main Article

In this case, the best approach is to run P2T, and then change some information that comes from production that is unwanted in the test environment. For our scenario, this is the passwords. Therefore, once it is copied to another place, the passwords must be changed. This article provides step-by-step instructions to accomplish this task and make sure your end-user’s passwords will not be available in other environments.

Step1) Backup: $ORACLE_HOME/ldap/bin/ldifwrite connect=oiddb basedn=”cn=users,dc=mycompany,dc=com” thread=3 verbose=true ldiffile=/tmp/backup-[NAME] -PWD-[DATE].dat

Step2) ldapsearch -p 3060 -D cn=orcladmin -w Welcome1 -b “cn=Users,dc=mycompany,dc=com” -L ‘(&(objectclass=*)(!(cn=FUSION_APPS_*)))’ dn | sed ‘s/dc=com/dc=com\nchangetype:\ modify\nreplace:\ userpassword\nuserpassword:\ NewPwdValue/g’ > User_pwd_reset_list.ldif

If you open the file created you should see something like this with many users:

Step3) Manually remove all users below this from the ldif file (created above):
Excluded List:
cn=AppIDUsers,cn=Users,dc=mycompay,dc=com
cn=orcladmin, cn=Users, dc=mycompay,dc=com
cn=PUBLIC, cn=Users, dc=mycompay,dc=com
cn=PolicyROUser,cn=Users,dc=mycompay,dc=com
cn=PolicyRWUser,cn=Users,dc=mycompay,dc=com
cn=oamAdminUser,cn=Users,dc=mycompay,dc=com
cn=oamSoftwareUser,cn=Users,dc=mycompay,dc=com
cn=xelsysadm,cn=Users,dc=mycompay,dc=com
cn=weblogic_idm,cn=Users,dc=mycompay,dc=com
cn=IDROUser,cn=Users,dc=mycompay,dc=com
cn=IDRWUser,cn=Users,dc=mycompay,dc=com
cn=FAAdmin,cn=Users,dc=mycompay,dc=com
cn=oim_admin,cn=Users,dc=mycompay,dc=com
uid=webchatadmin,cn=Users,dc=mycompay,dc=com
cn=em_monitoring,cn=Users,dc=mycompay,dc=com
cn=OCLOUD9_osn_APPID,cn=AppIDUsers,cn=Users,dc=mycompay,dc=com
cn=oamSoftwareUser,cn=Users,dc=mycompay,dc=com
cn=oimAdminUser,cn=systemids,dc=mycompay,dc=com
cn=OblixAnonymous,dc=mycompay,dc=com
cn=OSN_LDAP_BIND_USER,cn=users,dc=mycompay,dc=com
cn=saas_readonly,cn=Users,dc=mycompay,dc=com
cn=fa_guest,cn=Users,dc=mycompay,dc=com

Step4) Run a double check on this file to make sure it is clean:
grep [FILE].ldif | wc -l (checking)

Step5) Run: ldapmodify -p 3060 -D cn=orcladmin -w **** -c -v -f /u01/XXXPOD_User_PWD_RESET_FINAL.ldif

Step6) Test one of the users using LdapBind, eg: ldapbind -p 3060 -D “cn=test_test,cn=Users,dc=mycompany,dc =com” –q

Note: You don’t need to run any ESS Job or OIM reconciliation to have these users updated there. As this action modifies the OID Changelog, the next OIM Incremental reconciliation will run and collect all these changes automatically. So, as provided in these screenshots, you should be able to login on any SSO application, such as OIM and others after the time of next incremental reconciliation.

Conclusion

Well done, however, implementing FA+IDM Mass reset password solution for an organization is a proposition that should be done carefully, and an entire environment backup must be done before it starts. Using proper planning and understanding the various dimensions provided by this solution and its concepts allows an organization to discern how they handle copied passwords. It also highlights what of the enterprise is willing to protect end- user data from copied environments, and how best to offer Oracle protection in an integrated and effective manner.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission