Mass Reset Password-part1 OID

Introduction

One useful capability that customers should be aware of, and that can be applied as a post-processing step in many situations such as P2T, T2P and clone, is resetting many passwords at once. Imagine a customer scaling out their environment because they need an additional UAT environment, with a new requirement: replace all end-user passwords across an entire FA-IDM REL8 solution. This scenario is becoming common because it supports many process variations in on-premise environments. Unfortunately, by default neither OIM nor OID has a WebUI feature for such a mass reset. This blog covers part 1, how to do it with OID commands; in December we will publish part 2, how to do it with the OIM API.

Main Article

In this case the best approach is to run P2T and then change the information copied from production that is unwanted in the test environment; for our scenario that is the passwords. Once the data has been copied elsewhere, the passwords must be changed. This article provides step-by-step instructions to do that and to make sure your end users' production passwords are not available in other environments.

Step1) Backup: $ORACLE_HOME/ldap/bin/ldifwrite connect=oiddb basedn="cn=users,dc=mycompany,dc=com" thread=3 verbose=true ldiffile=/tmp/backup-[NAME]-PWD-[DATE].dat
This backup contains the original (hashed) userpassword values, so keep it with restricted file permissions and delete it once the reset has been verified.

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_1]

Step2) ldapsearch -p 3060 -D cn=orcladmin -q -b "cn=Users,dc=mycompany,dc=com" -L '(&(objectclass=*)(!(cn=FUSION_APPS_*)))' dn | sed 's/dc=com/dc=com\nchangetype:\ modify\nreplace:\ userpassword\nuserpassword:\ NewPwdValue/g' > User_pwd_reset_list.ldif
Here -q prompts for the bind password instead of leaving it in the shell history, -L prints each result as an LDIF "dn:" line, and the sed (GNU sed syntax for \n) appends the modify/replace lines after every DN; replace NewPwdValue with the password you want. Because the filter is objectclass=*, the search also returns the cn=Users base entry and container entries such as cn=AppIDUsers, which must be removed in Step 3 (or narrow the filter to a user object class such as inetOrgPerson).

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_2]

If you open the file created you should see something like this, with many users (one entry per user: the dn line followed by the changetype, replace and userpassword lines):

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_3]

Step3) Manually remove the system and service accounts below from the ldif file created above, together with the cn=Users base entry and any container entries the search returned. The list is specific to this FA-IDM deployment; check your own environment for additional service accounts.
Excluded List:
cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=orcladmin,cn=Users,dc=mycompany,dc=com
cn=PUBLIC,cn=Users,dc=mycompany,dc=com
cn=PolicyROUser,cn=Users,dc=mycompany,dc=com
cn=PolicyRWUser,cn=Users,dc=mycompany,dc=com
cn=oamAdminUser,cn=Users,dc=mycompany,dc=com
cn=oamSoftwareUser,cn=Users,dc=mycompany,dc=com
cn=xelsysadm,cn=Users,dc=mycompany,dc=com
cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
cn=IDROUser,cn=Users,dc=mycompany,dc=com
cn=IDRWUser,cn=Users,dc=mycompany,dc=com
cn=FAAdmin,cn=Users,dc=mycompany,dc=com
cn=oim_admin,cn=Users,dc=mycompany,dc=com
uid=webchatadmin,cn=Users,dc=mycompany,dc=com
cn=em_monitoring,cn=Users,dc=mycompany,dc=com
cn=OCLOUD9_osn_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
cn=OblixAnonymous,dc=mycompany,dc=com
cn=OSN_LDAP_BIND_USER,cn=users,dc=mycompany,dc=com
cn=saas_readonly,cn=Users,dc=mycompany,dc=com
cn=fa_guest,cn=Users,dc=mycompany,dc=com

Step4) Double-check the file to make sure it is clean: count the entries that will be modified and confirm that none of the excluded accounts are still present (the second command should print nothing):
grep -c '^dn:' [FILE].ldif
grep -i -E 'orcladmin|xelsysadm|oamAdminUser|oamSoftwareUser|weblogic_idm|AppIDUsers|cn=Users,dc=' [FILE].ldif

Step5) Run: ldapmodify -p 3060 -D cn=orcladmin -w **** -c -v -f /u01/XXXPOD_User_PWD_RESET_FINAL.ldif
-c continues past individual failures, so review the verbose output for any entry that was rejected (for example by a password policy) and handle those separately.

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_4]

Step6) Test one of the users with ldapbind, e.g.: ldapbind -p 3060 -D "cn=test_test,cn=Users,dc=mycompany,dc=com" -q (enter the new password at the prompt; a successful bind confirms the reset took effect).

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_5]
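As an added example (not code from the original post), the following POSIX shell script does the work of Steps 2 to 4 without the hand editing: it turns the "dn:" lines that ldapsearch -L prints into the modify LDIF, skips every DN listed in an exclude file, and provides the Step 4 check. The exclude list, the password NewPwdValue and the ldapsearch output in the sample functions are constructed stand-ins; in a real run, pipe the Step 2 ldapsearch into build_reset_ldif instead of sample_search_output and put your own excluded list in the file.

```shell
#!/bin/sh
# Added example, not from the original post: builds and checks the
# ldapmodify input for the mass reset (Steps 2 to 4) without hand editing.
# The exclude list, the new password and the ldapsearch output used in
# the sample functions are constructed stand-ins for a real directory.

# awk helpers shared by the functions below: norm() lower-cases a DN and
# drops the whitespace around commas (the post's excluded list contains
# "cn=orcladmin, cn=Users, ..."); load_excl() reads one DN per line.
AWK_NORM='
function norm(s) {
    s = tolower(s)
    gsub(/[[:space:]]*,[[:space:]]*/, ",", s)
    sub(/^[[:space:]]+/, "", s)
    sub(/[[:space:]]+$/, "", s)
    return s
}
function load_excl(f,   line) {
    while ((getline line < f) > 0) if (line != "") excl[norm(line)] = 1
    close(f)
}
'

# build_reset_ldif NEW_PASSWORD EXCLUDE_FILE  < ldapsearch-output  > reset.ldif
# Each "dn:" line becomes one "replace: userpassword" change unless the DN
# is in EXCLUDE_FILE. Base64 DNs ("dn::") cannot be compared without
# decoding, so they are reported on stderr and left for manual handling.
# The password is passed through the environment rather than awk -v so
# that backslashes in it are not reinterpreted. A summary goes to stderr.
build_reset_ldif() {
    NEWPWD="$1" EXF="$2" awk "$AWK_NORM"'
        BEGIN { pwd = ENVIRON["NEWPWD"]; load_excl(ENVIRON["EXF"]) }
        /^dn::/ { print "base64 dn, handle manually: " $0 > "/dev/stderr"; b64++; next }
        /^dn:/ {
            dn = $0; sub(/^dn:[[:space:]]*/, "", dn)
            if (norm(dn) in excl) { skipped++; next }
            print "dn: " dn
            print "changetype: modify"
            print "replace: userpassword"
            print "userpassword: " pwd
            print ""
            kept++
        }
        END { printf "kept=%d skipped=%d base64=%d\n", kept, skipped, b64 > "/dev/stderr" }
    '
}

# count_entries LDIF_FILE: number of entries ldapmodify will change.
count_entries() { grep -c '^dn:' "$1"; }

# check_clean LDIF_FILE EXCLUDE_FILE: the Step 4 check; prints how many
# excluded DNs are still present in the file, so the expected answer is 0.
check_clean() {
    EXF="$2" awk "$AWK_NORM"'
        BEGIN { load_excl(ENVIRON["EXF"]) }
        /^dn:/ { dn = $0; sub(/^dn:[[:space:]]*/, "", dn); if (norm(dn) in excl) n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed stand-in for the Step 2 search:
#   ldapsearch -p 3060 -D cn=orcladmin -q -b "cn=Users,dc=mycompany,dc=com" \
#     -L '(&(objectclass=*)(!(cn=FUSION_APPS_*)))' dn
# Note that the base entry and the AppIDUsers container come back as well.
# The last entry is the LDIF base64 form of cn=müller,cn=Users,dc=mycompany,dc=com.
sample_search_output() {
    cat <<'EOF'
dn: cn=Users,dc=mycompany,dc=com

dn: cn=orcladmin,cn=Users,dc=mycompany,dc=com

dn: cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

dn: cn=OCLOUD9_osn_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

dn: cn=test_test,cn=Users,dc=mycompany,dc=com

dn: cn=jsmith,cn=Users,dc=mycompany,dc=com

dn:: Y249bcO8bGxlcixjbj1Vc2VycyxkYz1teWNvbXBhbnksZGM9Y29t
EOF
}

# Constructed exclude list: protected accounts from the post plus the
# search base and the AppIDUsers container, which objectclass=* also matches.
sample_exclude_list() {
    cat <<'EOF'
cn=Users,dc=mycompany,dc=com
cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=orcladmin, cn=Users, dc=mycompany,dc=com
cn=OCLOUD9_osn_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
EOF
}

# Usage (produces reset.ldif with two entries, then feed it to ldapmodify -f):
#   sample_exclude_list > exclude.txt
#   sample_search_output | build_reset_ldif 'NewPwdValue' exclude.txt > reset.ldif
#   count_entries reset.ldif; check_clean reset.ldif exclude.txt
```

Two caveats carry over from the post's approach. A password that begins with a space or colon, or contains non-ASCII characters, must be written as a base64 "userpassword::" line to be valid LDIF, which the script does not do. And every user ends up with the same password, exactly as the sed in Step 2 produces; that is acceptable for a test copy that no one logs in to with production credentials, but the value should still be treated as a secret and rotated if real users will work in that environment.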

Note: You don't need to run any ESS job or OIM reconciliation to have these users updated in OIM. Because this action writes to the OID changelog, the next OIM incremental reconciliation picks up all of these changes automatically. So, as shown in the screenshots, you should be able to log in to any SSO application, such as OIM and others, once the next incremental reconciliation has run.

[Screenshot: Chronicle-ATeamOct2014-MassResetPwd-phs_6]

Conclusion

Well done. However, implementing an FA+IDM mass password reset for an organization is something that should be done carefully, and a full environment backup must be taken before it starts. With proper planning and an understanding of the steps above and the concepts behind them, an organization can decide how it handles copied passwords. It also makes explicit how far the enterprise is willing to go to protect end-user data in copied environments, and how best to apply Oracle's protections in an integrated and effective manner.
