One of the great features customers need to be aware of, and one that can be used as a post-process in many situations such as P2T, T2P and clone, is the ability to reset multiple passwords simultaneously. Imagine a customer scaling out their environment because they need an additional UAT environment. This customer now has a new requirement: replace all end-user passwords on an entire FA-IDM REL8 solution. This kind of scenario is growing naturally because on-premise environments allow many process variations. Unfortunately, by default, neither OIM nor OID has a WebUI feature that allows this mass reset. This blog covers part 1: how to do it using OID commands. In December we will publish part 2: how to do it using the OIM API.
In this case, the best approach is to run P2T and then change the information copied from production that is unwanted in the test environment. In our scenario, that information is the passwords: once the directory is copied to another place, the passwords must be changed. This article provides step-by-step instructions to accomplish this task and make sure your end-users' production passwords are not available in other environments.
Step1) Backup: $ORACLE_HOME/ldap/bin/ldifwrite connect=oiddb basedn="cn=users,dc=mycompany,dc=com" thread=3 verbose=true ldiffile=/tmp/backup-[NAME]-PWD-[DATE].dat
Step2) ldapsearch -p 3060 -D cn=orcladmin -w Welcome1 -b "cn=Users,dc=mycompany,dc=com" -L '(&(objectclass=*)(!(cn=FUSION_APPS_*)))' dn | sed 's/dc=com/dc=com\nchangetype:\ modify\nreplace:\ userpassword\nuserpassword:\ NewPwdValue/g' > User_pwd_reset_list.ldif
If you open the file created, you should see one modify record per user (a dn line followed by the changetype, replace and userpassword lines inserted by sed), repeated for many users:
Step3) Manually remove the following users from the ldif file (created above):
cn=orcladmin, cn=Users, dc=mycompany,dc=com
cn=PUBLIC, cn=Users, dc=mycompany,dc=com
Step4) Double-check the file to make sure it is clean: count the records, and confirm the two entries removed in Step3 are really gone (the second grep should print nothing):
grep -c '^dn:' [FILE].ldif
grep -i -e 'cn=orcladmin' -e 'cn=PUBLIC' [FILE].ldif
Step5) Run: ldapmodify -p 3060 -D cn=orcladmin -w **** -c -v -f /u01/XXXPOD_User_PWD_RESET_FINAL.ldif
Step6) Test one of the users using ldapbind, e.g.: ldapbind -p 3060 -D "cn=test_test,cn=Users,dc=mycompany,dc=com" -q
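Steps 2 to 4 above are a small pipeline: list the user DNs, turn each one into an LDIF modify record, drop the accounts that must keep their passwords, and verify the result before feeding it to ldapmodify. The script below is an added example (not code from the original post) that does the same thing from a plain list of "dn:" lines, the shape that ldapsearch -L ... dn produces, so it can be run offline. The sample DNs, the function names and the exclusion patterns are constructed for the demo; adjust them to your base DN and to the accounts you protect.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the password-reset LDIF from a
# list of "dn: ..." lines and verifies it, mirroring Step2 to Step4 of the article.
# Assumption: input holds one "dn: <value>" line per user (ldapsearch -L ... dn output).

# make_reset_ldif FILE PASSWORD
# Emit one "changetype: modify / replace: userpassword" record per dn in FILE.
# Entries for orcladmin, PUBLIC and FUSION_APPS_* are skipped instead of rewritten,
# which replaces the manual deletion of Step3 and the ldapsearch filter of Step2.
make_reset_ldif() {
  awk -v pw="$2" '
    /^dn:/ {
      dn = substr($0, 4); sub(/^[ \t]+/, "", dn)
      lc = tolower(dn)
      # protected accounts keep their current password
      if (lc ~ /^cn=orcladmin,/ || lc ~ /^cn=public,/ || lc ~ /^cn=fusion_apps_/) next
      printf "dn: %s\nchangetype: modify\nreplace: userpassword\nuserpassword: %s\n\n", dn, pw
    }' "$1"
}

# count_entries FILE: number of modify records (one "dn:" line per record).
count_entries() {
  grep -c '^dn:' "$1"
}

# check_clean FILE: succeed only if no protected account survived into the LDIF.
check_clean() {
  ! grep -i -e '^dn: cn=orcladmin,' -e '^dn: cn=PUBLIC,' -e '^dn: cn=FUSION_APPS_' "$1" >/dev/null
}

# Constructed sample input (not real directory output): three protected accounts
# and two ordinary end-users.
SAMPLE_DNS=/tmp/sample_user_dns.txt
cat > "$SAMPLE_DNS" <<'EOF'
dn: cn=orcladmin,cn=Users,dc=mycompany,dc=com
dn: cn=PUBLIC,cn=Users,dc=mycompany,dc=com
dn: cn=FUSION_APPS_SAMPLE,cn=Users,dc=mycompany,dc=com
dn: cn=test_test,cn=Users,dc=mycompany,dc=com
dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
EOF

OUT=/tmp/User_pwd_reset_list.ldif
make_reset_ldif "$SAMPLE_DNS" 'NewPwdValue' > "$OUT"
echo "records to apply: $(count_entries "$OUT")"   # 2: only test_test and jdoe
check_clean "$OUT" && echo "protected accounts absent: OK"
# The generated file is what Step5 would pass to: ldapmodify ... -c -v -f "$OUT"
```

Real ldapsearch output can wrap long lines and base64-encode a DN on a "dn::" line; if your DNs are long, normalize the export first or extend the awk pattern, because such a record would be silently skipped by this example rather than reset.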
Note: You don't need to run any ESS job or OIM reconciliation to have these users updated there. Because this action modifies the OID changelog, the next OIM incremental reconciliation will run and collect all these changes automatically. So, as shown in the screenshots, once the next incremental reconciliation has run you should be able to log in to any SSO application, such as OIM and others.
Well done. However, implementing an FA+IDM mass password reset for an organization is something that must be done carefully, and a backup of the entire environment must be taken before it starts. Proper planning, and an understanding of the various dimensions of this solution and its concepts, allow an organization to decide how it handles copied passwords. It also highlights what the enterprise is willing to do to protect end-user data from copied environments, and how best to deliver Oracle protection in an integrated and effective manner.