OID Queries / Scripts FAQ

Oracle Internet Directory (OID) is Oracle's LDAP v3 compliant directory server. OID is part of the Identity Management stack of Oracle Fusion Middleware (the Infrastructure tier of Oracle Application Server 10g).

Here is a list of commonly asked questions and scripts for OID.

Q: How to find the orasso (Single Sign-On) schema password?
A: The orasso password is randomly generated at install time and stored in OID, in the orclpasswordattribute of the resource access descriptor under cn=IAS Infrastructure Databases. Bind as cn=orcladmin and run:

$ORACLE_HOME/bin/ldapsearch -h $OIDHOST -p $OIDPORT -D "cn=orcladmin" -w "$OrcladminPASSWORD" -b "cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext" -s sub "orclResourceName=$DBUSERNAME" orclpasswordattribute

For example, for the orasso schema:

$ORACLE_HOME/bin/ldapsearch -h focusthread.com -p 389 -D "cn=orcladmin" -w "welcome1" -b "cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext" -s sub "orclResourceName=orasso" orclpasswordattribute

Changing orclResourceName returns the password of any other infrastructure schema registered under that container. The value comes back in clear text, and -w puts the orcladmin password into your shell history and the process list, so run this on the OID host as the software owner rather than from a shared machine.

Q: How to find the port on which the OID server is listening?
A: On the Infrastructure tier, in $ORACLE_HOME/ldap/admin/ldap.ora, look for the line

DIRECTORY_SERVERS= (focusthread.com:389:636)

The format is host:non-SSL port:SSL port, so this means OID is listening on port 389 (non-SSL) and port 636 (SSL).

Alternatively, in $ORACLE_HOME/install/portlist.ini look for the lines

Oracle Internet Directory port = 389
Oracle Internet Directory (SSL) port = 636

portlist.ini is written by the installer and is not updated if the ports are changed afterwards, so when the two files disagree, trust ldap.ora (or check which port the oidldapd process is actually bound to).
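As an added example (not part of the original post), here is a small Python script that reads both files, handles the comma-separated multi-server form of DIRECTORY_SERVERS, and reports when portlist.ini no longer matches ldap.ora for the local host. The file contents are constructed for the example, and the hostnames and ports in them are invented.

```python
import re

# Constructed file contents (not from a real install): the OID ports on oid1 were
# moved to 3060/3131 after installation, so ldap.ora carries the new ports while
# portlist.ini still records the install-time ones.
LDAP_ORA = """\
# ldap.ora Network Configuration File
DIRECTORY_SERVERS= (oid1.example.com:3060:3131, oid2.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

PORTLIST_INI = """\
[System]
Host Name = oid1.example.com
[Ports]
Oracle HTTP Server port = 7777
Oracle Internet Directory port = 389
Oracle Internet Directory (SSL) port = 636
"""


def directory_servers(ldap_ora):
    """Return [(host, nonssl_port, ssl_port)] from DIRECTORY_SERVERS. Each item is
    host:port:sslport; a missing SSL port is returned as None."""
    m = re.search(r"^\s*DIRECTORY_SERVERS\s*=\s*\(([^)]*)\)", ldap_ora, re.M | re.I)
    servers = []
    for item in (m.group(1).split(",") if m else []):
        parts = item.strip().split(":")
        ssl = int(parts[2]) if len(parts) > 2 and parts[2] else None
        servers.append((parts[0], int(parts[1]), ssl))
    return servers


def portlist_oid_ports(portlist_ini):
    """Return (nonssl_port, ssl_port) as recorded by the installer in portlist.ini."""
    found = dict(re.findall(r"^(Oracle Internet Directory(?: \(SSL\))? port)\s*=\s*(\d+)",
                            portlist_ini, re.M))
    return (int(found.get("Oracle Internet Directory port", 0)) or None,
            int(found.get("Oracle Internet Directory (SSL) port", 0)) or None)


def port_drift(ldap_ora, portlist_ini, local_host):
    """Compare the local host's ldap.ora entry with portlist.ini. portlist.ini is
    written at install time and not maintained afterwards, so on a mismatch
    ldap.ora (or the port oidldapd is really bound to) is the one to trust.
    Returns None when the local host has no DIRECTORY_SERVERS entry."""
    installed = portlist_oid_ports(portlist_ini)
    for host, nonssl, ssl in directory_servers(ldap_ora):
        if host.lower() == local_host.lower():
            return {"ldap_ora": (nonssl, ssl), "portlist_ini": installed,
                    "stale": (nonssl, ssl) != installed}
    return None


if __name__ == "__main__":
    print(port_drift(LDAP_ORA, PORTLIST_INI, "oid1.example.com"))
```

On a real system pass the contents of $ORACLE_HOME/ldap/admin/ldap.ora and $ORACLE_HOME/install/portlist.ini and the host's own name; a "stale" result means portlist.ini is describing ports that no longer exist.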

Q: How to find the password policy in OID?
A: The default policy lives under cn=pwdPolicies in the root Oracle Context; each realm can carry its own copy under the realm's cn=OracleContext.

$ORACLE_HOME/bin/ldapsearch -h $OIDHOST -p $OIDPORT -D cn=orcladmin -w $ORCLADMIN_PASSWD -b "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext" -s base "objectclass=*"

For example, for the realm-specific policy, saving the output to a file:

$ORACLE_HOME/bin/ldapsearch -h focusthread.com -p 389 -D cn=orcladmin -w welcome1 -b "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=com" -s base "objectclass=*" > pwdPolicy.ldif

This creates the file pwdPolicy.ldif in the current directory listing the password policy attributes (pwdMinLength, pwdMaxAge, pwdLockout, pwdMaxFailure, pwdInHistory and so on). Add -L if you want real LDIF (attr: value) rather than ldapsearch's default attr=value output.

Q: How to query which E-Business Suite instances are registered in OID? (useful for OID-Apps 11i/R12 integration)
A: Each registered instance has an entry under cn=EBusiness in the realm's Oracle Context (replace dc=default_realm with your realm DN):

$ORACLE_HOME/bin/ldapsearch -h $OIDHOST -p $OIDPORT -D "cn=orcladmin" -w "$OIDPW" -b "cn=EBusiness,cn=Products,cn=OracleContext,dc=default_realm" -s sub "objectclass=*"

For example, for the realm dc=co,dc=uk:

$ORACLE_HOME/bin/ldapsearch -h focusthread.com -p 389 -D "cn=orcladmin" -w "welcome1" -b "cn=EBusiness,cn=Products,cn=OracleContext,dc=co,dc=uk" -v -s sub "objectclass=*"

Q: How to query the subscription list in OID? (useful for OID-Apps 11i/R12 integration)
A: Use provsubtool with the LIST operation, authenticating as the application DN:

$ORACLE_HOME/ldap/odi/bin/provsubtool.orc operation=LIST \
     ldap_host=host ldap_port=port \
     app_dn="ApplicationDN" realm_dn="SubscriberDN" \
     app_pwd=<ApplicationDN password>

Q: How to find provisioning profiles? (useful for OID-Apps 11i/R12 integration)
A: Profiles are stored under cn=Provisioning Profiles in the changelog subscriber container; the status attribute of each profile shows whether it is enabled:

ldapsearch -h host -p port -D cn=orcladmin -w password \
-b "cn=Provisioning Profiles,cn=Changelog Subscriber,cn=Oracle Internet Directory" \
-s sub "objectclass=*" "*"

Q: How to search for various user attributes?
A: Search the whole directory for the uid (the trailing wildcard matches every uid that starts with ${AppsUser}) and return the GUID plus the attributes that decide whether the account is usable:

ldapsearch -v -h "${Host}" -p ${Port} -D "cn=orcladmin" -w "${OIDManagerPasswd}" -b "" -s sub "uid=${AppsUser}*" uid orclguid orclactivestartdate orclactiveenddate orclisenabled
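The password policy query earlier on this page and the user-attribute query just above both hand you raw ldapsearch output to read by eye. As an added example (not from the original post), here is a Python script that parses that output in both the default attr=value layout and the LDIF that -L produces, audits the pwdPolicy entry against thresholds that are this example's own assumptions, and classifies each user as active, expired, not yet active or disabled from orclisenabled and the orclactivestartdate/orclactiveenddate window. The sample outputs, DNs, GUID and dates are constructed; the date layout YYYYMMDDHHMMSSZ and the reading of a missing orclisenabled as enabled are assumptions.

```python
import base64
import re
from datetime import datetime, timezone

OID_TIME = "%Y%m%d%H%M%SZ"   # assumed layout of orclactivestartdate/enddate, e.g. 20080226000000Z

def parse_ldapsearch(text):
    """Parse Oracle ldapsearch output into [(dn, {attr: [values]})]. Accepts the
    default layout (DN on the first line of an entry, then attr=value) and LDIF
    from -L (dn: / attr: value / attr:: base64 / folded lines). Names are lower-cased."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF fold: append to the previous line
                lines[-1] += raw[1:]
            elif raw.strip():
                lines.append(raw.rstrip())
        dn, attrs = None, {}
        for i, line in enumerate(lines):
            m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
            if m:                                  # LDIF "attr: value" or "attr:: base64"
                name, value = m.group(1), m.group(3)
                if m.group(2) == "::":
                    value = base64.b64decode(value).decode("utf-8")
            elif i == 0:                           # default layout: first line is the DN
                name, value = "dn", line
            else:                                  # default layout: attr=value
                name, _, value = line.partition("=")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if lines:
            entries.append((dn, attrs))
    return entries

def check_password_policy(attrs, min_length=8, max_failure=5):
    """Findings for one pwdPolicy entry; the thresholds are this example's assumptions."""
    num = lambda name: int(attrs.get(name, ["0"])[0])
    findings = []
    if num("pwdminlength") < min_length:
        findings.append("pwdminlength=%d is below %d" % (num("pwdminlength"), min_length))
    if num("pwdmaxage") == 0:
        findings.append("pwdmaxage=0: passwords never expire")
    if attrs.get("pwdlockout", ["0"])[0].upper() not in ("1", "TRUE"):   # OID 10g stores 1/0
        findings.append("pwdlockout off: unlimited bind attempts against userPassword")
    elif num("pwdmaxfailure") == 0 or num("pwdmaxfailure") > max_failure:
        findings.append("pwdmaxfailure=%d allows more than %d failed binds" % (num("pwdmaxfailure"), max_failure))
    if num("pwdinhistory") == 0:
        findings.append("pwdinhistory=0: password reuse is allowed")
    return findings

def account_state(attrs, now):
    """disabled / not yet active / expired / active; a missing attribute means no restriction."""
    if attrs.get("orclisenabled", ["ENABLED"])[0].upper() == "DISABLED":
        return "disabled"
    to_dt = lambda s: datetime.strptime(s, OID_TIME).replace(tzinfo=timezone.utc)
    if "orclactivestartdate" in attrs and now < to_dt(attrs["orclactivestartdate"][0]):
        return "not yet active"
    if "orclactiveenddate" in attrs and now > to_dt(attrs["orclactiveenddate"][0]):
        return "expired"
    return "active"

# Constructed -L output of the policy query (values invented; the folded dn and the
# base64 description exercise the LDIF code paths).
POLICY_OUTPUT = """\
dn: cn=default,cn=pwdPolicies,cn=Common,
 cn=Products,cn=OracleContext
objectclass: pwdPolicy
pwdminlength: 5
pwdmaxage: 5184000
pwdlockout: 1
pwdmaxfailure: 10
pwdinhistory: 0
description:: %s
""" % base64.b64encode(b"OID default policy").decode()

# Constructed default-layout output of the user-attribute query (values invented).
USERS_OUTPUT = """\
cn=jdoe,cn=Users,dc=example,dc=com
uid=jdoe
orclguid=0123456789ABCDEF0123456789ABCDEF
orclactivestartdate=20080101000000Z
orclactiveenddate=20081231235959Z
orclisenabled=ENABLED

cn=bsmith,cn=Users,dc=example,dc=com
uid=bsmith
orclactiveenddate=20080301000000Z

cn=cjones,cn=Users,dc=example,dc=com
uid=cjones
orclisenabled=DISABLED
"""

def audit(policy_output=POLICY_OUTPUT, users_output=USERS_OUTPUT, now=None):
    now = now or datetime(2008, 6, 15, tzinfo=timezone.utc)   # fixed so the sample is reproducible
    _, policy = parse_ldapsearch(policy_output)[0]           # -s base returns a single entry
    states = {a["uid"][0]: account_state(a, now) for _, a in parse_ldapsearch(users_output)}
    return {"findings": check_password_policy(policy), "states": states}
```

Against a live system, feed audit() the saved output of the two ldapsearch calls (for example the contents of pwdPolicy.ldif and of the user query) together with now=datetime.now(timezone.utc); the fixed default date only exists so that the constructed sample gives a reproducible answer.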

Q: How to find the default OID realm?
A: The default realm (subscriber) DN is held in the orcldefaultSubscriber attribute of cn=Common in the root Oracle Context:

$ORACLE_HOME/bin/ldapsearch -h $OIDHOST -p $OIDPORT -D "cn=orcladmin" -w $ORCLADMIN_password -b "cn=common,cn=products,cn=oracleContext" -s base "objectclass=*" orcldefaultSubscriber

For example:

$ORACLE_HOME/bin/ldapsearch -h focusthread.com -p 389 -D "cn=orcladmin" -w welcome1 -b "cn=common,cn=products,cn=oracleContext" -s base "objectclass=*" orcldefaultSubscriber

If you have any query regarding OID, post it in the comment section for answers.


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.



Prashanth says February 26, 2008

Hi Atul,

If OID is integrated with Oracle 11i E-Business Suite, how is the FND_USER table integrated with OID?


Atul says February 26, 2008

The user ID in FND_USER and the GUID in the users tree in OID should be the same.

If the password in the FND_USER table is set to EXTERNAL or BOTH and there is a corresponding user with the same GUID, then these two users are mapped.

mac says June 3, 2008

Hi Atul,

I have OID_ServerA replicated with OID_ServerB using two-way LDAP replication, and I notice that when the orclApplicationCommonName=ORASSO password (Entry Management/oraclecontext/cn=products/cn=SSO/applicationCommonName=orasso) was changed/updated in OID_ServerA it was also replicated to OID_ServerB.

In effect this will cause a problem in OID_ServerB OIDDAS (SSO Log In), since the ORASSO password was already changed for OID_ServerB. SSO will not be able to communicate with the OID. My question is, how can I synchronize the ORASSO passwords between the two OID servers?

Atul says June 5, 2008

If you are changing the ORASSO password, or during initial setup, you have to synchronize the two orasso passwords using ssoreplsetup.jar.

Steps are mentioned here

ORACLE_HOME/jdk/bin/java -jar ssoreplsetup.jar

It's good to know that you are managing/configuring SSO & OID in replication, and my readers would like to hear your experiences. Drop me a mail at atul @ onlineappsdba.com (if you wish to share your experience).

Binoy says June 12, 2008

I have installed OID on a virtual hostname, but the issue is that the services get configured with the actual hostname. Is there a way I can change the hostname to the virtual hostname in the configuration files and start the services using the virtual hostname? I tried using the parameters ORACLE_HOSTNAME and OUI_HOSTNAME while running the install. It helps in configuring the environment with the virtual hostname, but whenever the services are started through opmn, it picks up the actual hostname. This process would help to fail over the application.

Atul says June 12, 2008


Two things you have to do.

First, in the /etc/hosts file make the virtual host the first entry, i.e. like

and second, use the "high availability" option during installation, select Virtual Host and then specify the virtual hostname during installation.

How are you checking that OID is running with the actual machine name and not the virtual name?

Binoy says June 12, 2008

Thanks for the instructions, and it really worked. Though I had made the entry in /etc/hosts for the virtual hostname, I was not selecting "High availability" while installing OID on the sponsor node, and hence the "oidldapd" services were configured with the actual hostname.

mac says June 13, 2008

Hi Atul,
I have an OID server running in production and I want my OID server secured from any LDAP browsers. I am not using the default port numbers (389/636), but this does not prevent LDAP browsers from exposing my information, especially to our developers, who actually know the port number we use.
How can I secure my OID from any LDAP browser and yet have my clients/users bind to my OID server? What are my options?


Atul says June 13, 2008


Option 1: Users should use username/password to access data from an LDAP browser (then disable anonymous binds, but be careful that you are not breaking any functionality).

Option 2: Users should not be able to access it at all (even authenticated users) via an LDAP browser? (Use server hardening, disable at firewall level.)

Any other scenario, then update here.

mac says June 14, 2008

Hi Atul,

Thanks for your reply.
I can't do Option 1 since I don't want to lose some functionality by doing that.

I found a document on Metalink, "Configuring Non-Anonymous LDAP Access with OID" Note 455031.1, but it was intended for Oracle and what I'm using is Oracle 10g. I'll try that option though and will give you an update as soon as there's progress.

It basically uses SSL/certificates and the access control management of OID.

Your Option 2 is also a good candidate and I think it will be effective.

mann says June 19, 2008

hi Atul,
How can I show the product detail through OEM?

kunal says August 8, 2008

Dear Team,
I am planning to use WebCenter 10g. Just like the Portal 10g release gives me the facility to add/update/delete users from OID using its prebuilt portlet, can I have something like this in WebCenter? Or do I have to use APIs and code it myself?

Atul says August 8, 2008

Check the following options for user management in ContentDB for WebCenter Suite


Eijaz says August 18, 2008

Atul, hope you're fine and doing good.

Well Atul, I am facing a problem with Discoverer.

Our environment:
1) R12 12.0.4
2) SPARC Solaris 10 64-bit
3) Using iAS 10g Identity Management
4) Using AS 10g for Discoverer, Forms and Reports

Well, I implemented Single Sign-On (SSO) on R12;
it's working fine.
I attached the report to the R12 user responsibility page.
Here I have to create connections, private/public, by using Discoverer Administrator, for each report in R12.
So when the R12 user clicks the report it is directed to Discoverer and displays all the reports for which we earlier made a connection.

What I need: when the user clicks the report it should directly open the report page with the date parameter.

Thanks for doing good.

Atul says August 18, 2008

I am not sure of your requirement. Do you want SSO with Discoverer,
or do you wish to pass a date parameter to the Discoverer report?

Binoy says September 3, 2008

Hi Atul
Is there a way to customize the network configuration with Oracle Apps 11i so that running adcfgclone does not overwrite the sqlnet.ora which is required to resolve the service name using LDAP services? I want to use OID only to resolve the service name.


Atul says September 3, 2008

Yes, use the template file to preserve customizations.

Check here


vahid says December 10, 2008

Hi Atul
I am using OID and created a profile for provisioning. Data changed in OID is sent to the DB, but data changed in the DB is not seen in OID.

These are the required settings and interface:
oidprovtool operation=modify ldap_host=localhost ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=oracle10g profile_mode=BOTH default_provisioning_policy=PROVISIONING_REQUIRED interface_version=2.0 profile_status=ENABLED organization_dn="dc=vldap,dc=local" application_dn="orclApplicationCommonName=GroceryStoreApp,dc=vldap,dc=local" interface_name=LDAP_NTFY interface_type=PLSQL interface_connect_info="" schedule=20 event_subscription="USER:dc=vldap,dc=local:ADD(uname)" event_subscription="USER:dc=vldap,dc=local:DELETE" event_subscription="GROUP:dc=vldap,dc=local:MODIFY(cn,uniquemember)" event_mapping_rules="USER::dc=vldap,dc=local" event_permitted_operations="USER:dc=vldap,dc=local:ADD(uname)" event_permitted_operations="USER:dc=vldap,dc=local:DELETE" event_permitted_operations="USER:dc=vldap,dc=local:MODIFY(*)" profile_status=ENABLED profile_debug=63

Also I have implemented these interfaces in the DB package:
function hasObjectClass( objclass IN VARCHAR2, attrlist IN LDAP_ATTR_LIST);
function getAttr( attr_name IN VARCHAR2, attrlist IN LDAP_ATTR_LIST);
procedure putOIDEvent( event IN LDAP_EVENT, event_status OUT LDAP_EVENT_STATUS);
function GetAppEvent( event OUT LDAP_EVENT);
procedure PutAppEventStatus( event_status IN LDAP_EVENT_STATUS);

Let me know your idea about this problem.
Thanks a lot.

Atul Kumar says December 10, 2008

Check this guide


I can see the debug level is 63, so what's in the debug output?

vahid says December 11, 2008

There is nothing in the debug output.

The problem is that the interfaces GetAppEvents and PutAppEventStatus (for INBOUND events) are implemented but do not execute. I think these were not registered correctly.

vahid says December 14, 2008

hi atul :
I changed the provisioning profile and the procedures in the DB.
This is the exception in the .trc file:

———————–Processing Event ID:1919119————————–
Checking Whether Event Type Allowed : IDENTITY_ADD
Checking Domain : dc=padl,dc=local
Subscription For Domain : dc=padl,dc=local And Event Type : IDENTITY_ADD
Event Type Allowed : IDENTITY_ADD
Doing Operation :IDENTITY_ADD
Searching For Identity:1F6061EA59EE4654A8F4C559BE0F29AF
Identity Does not Exist. Creating
create Base From Context Class : cn=Users,dc=padl,dc=local
Allowed Attributes : uname,orclguid,objectclass,
Creating Property Set For Identity Create
Processing Attribute : objectclass
Attribute Values : employee,inetOrgPerson,orclUserV2,top,organizationalPerson,person,
Added Attribute To Property : objectclass
Processing Attribute : objectclass
Ignoring Already Added Attribute : objectclass
Processing Attribute : objectclass
Ignoring Already Added Attribute : objectclass
Processing Attribute : objectclass
Ignoring Already Added Attribute : objectclass
Processing Attribute : objectclass
Ignoring Already Added Attribute : objectclass
Processing Attribute : objectclass
Ignoring Already Added Attribute : objectclass
Processing Attribute : uname
Attribute Values : jasem,
Added Attribute To Property : uname
Added NickName Attribute : 1F6061EA59EE4654A8F4C559BE0F29AF
Off to the API’s
Exception Creating Identity (1F6061EA59EE4654A8F4C559BE0F29AF) :java.lang.NullPointerException
at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1640)
at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1497)
at oracle.ldap.odip.prov.ProvAppEvent_2_0.doIdentityAdd(ProvAppEvent_2_0.java:526)
at oracle.ldap.odip.prov.ProvAppEvent_2_0.process(ProvAppEvent_2_0.java:185)
at oracle.ldap.odip.prov.ProvAppToOIDSync_2_0.processEvent(ProvAppToOIDSync_2_0.java:250)
at oracle.ldap.odip.prov.ProvAppToOIDSync_2_0.sync(ProvAppToOIDSync_2_0.java:328)
at oracle.ldap.odip.engine.ProvThread.runOldVersion(ProvThread.java:538)
at oracle.ldap.odip.engine.ProvThread.run(ProvThread.java:173)
Exception processing Event:ODIException: Exception Creating Identity (1F6061EA59EE4654A8F4C559BE0F29AF) :java.lang.NullPointerException
ODIException: Exception Creating Identity (1F6061EA59EE4654A8F4C559BE0F29AF) :java.lang.NullPointerException
at oracle.ldap.odip.prov.ProvAppEvent_2_0.doIdentityAdd(ProvAppEvent_2_0.java:585)
at oracle.ldap.odip.prov.ProvAppEvent_2_0.process(ProvAppEvent_2_0.java:185)
at oracle.ldap.odip.prov.ProvAppToOIDSync_2_0.processEvent(ProvAppToOIDSync_2_0.java:250)
at oracle.ldap.odip.prov.ProvAppToOIDSync_2_0.sync(ProvAppToOIDSync_2_0.java:328)
at oracle.ldap.odip.engine.ProvThread.runOldVersion(ProvThread.java:538)
at oracle.ldap.odip.engine.ProvThread.run(ProvThread.java:173)
ODI Exception Processing Event – ODIException: Exception processing Event:ODIException: Exception Creating Identity (1F6061EA59EE4654A8F4C559BE0F29AF) :java.lang.NullPointerException
Sending status For Event ID : 1919119
–Event Status–

———-NEW EVENT STATUS ——————–
Event ID : 1919119
Object GUID :
Error Code : -1
Error String : ODI Exception Processing Event – ODIException: Exception processing Event:ODIException: Exception Creating Identity (1F6061EA59EE4654A8F4C559BE0F29AF) :java.lang.NullPointerException
Propagated Event status..
Sent status Successfully For Event ID : 1919119
Event ID:1919119, Status : FAILED
Last change Key Set to:1919118
Profile status Update – SUCCESS

Thanks …

Aashish says January 7, 2009

Hi Atul,

We are facing an issue after integration of OID/SUN one LDAP/ SSO.
If we change the password from OIDDAS it says password changed successfully, but it does not actually change the password and we again have to log in with the old password.

Why is it so ?


Atul Kumar says January 8, 2009

Where is password stored now after integration ?

Is it in OID or Sun’s ldap server ?

Aashish says January 8, 2009

Hi Thanks for the reply.

It's an Apps 11i SSO OID SunOne iPlanet integration and the source of truth is OID, so passwords are in OID.

Atul Kumar says January 8, 2009

If passwords are in OID then OIDDAS should work.

Try changing the password from the oidadmin screen and check if this works.

Aashish says January 8, 2009

Hey Thanks again,

Yes, if I change the password for user1 from the orcladmin account in OIDDAS, that works and I am able to log in to OIDDAS/EBS using SSO with the changed password, but when I change the password using

1) Forgot Password in OIDDAS as user1, it says password changed successfully but does not actually change the password and I need to log in using the old password again.

2) If I log in as user1 and then change the password in OIDDAS, My Profile - Change My Password, it says password changed successfully but does not actually change the password and I need to log in using the old password again.

Also, if I log in to ODM and search for users in Entry Management, a java.ArrayIndexOutOfBoundsException comes up if I edit the user; it does not show the user details, but in OIDDAS all details are there.

I hope this info will help :)


Aashish says January 8, 2009

Again a doubt.

Is it so that end users can't change their passwords in OIDDAS using 1) My Profile - Change My Password

2) the Forgot My Password link on the home page (if all reset validations are set)?

Do I need to create a custom page to have this functionality?
How To Create a Custom On Demand Change Password Application for OID Users
Doc ID: 344560.1

Thanks for your time and advice

Aashish says January 9, 2009

Hi Atul,

Can you please suggest on above scenario


Atul Kumar says January 9, 2009

It seems users are not allowed to change their own password.

Reset password by user is not allowed.

Log in as orcladmin -> Configuration -> User Entry -> click Next, and on the second screen under "Configure User Attributes" check whether userpassword is self-editable or not.

If you still hit any issues, raise an SR with Oracle Support with the OIDDAS team.

Anuja says January 11, 2009

Hi Atul ,
In our scenario we have integartion as follows : MS-AD with OID , OID with R12 . Password is stoed in MS-AD . Password is not OID and R12. MS-AD – OID part is working fine. Now while integarting OID and R12 we followed the steps as below:
1. Registre Instance
2. Register OID
3. Created ldif file to migrate data from OID to R12 . using ldfwrite command .
4. Imported users into R12 using LDAPimport.
5. Import was succesfull and we could see users in FND_USERs table also. But provisioning is not happening .ie. when we are creating user in OID thoe user are not migrating to R12 fnd_user table automatically

6. We are using OID to APP template . Its enabled.

Are we missing any steps ? We have set two profile option on R12 Application SSO LDAp Syncronization:ENABLED
Applicatios SSO enabled OID Identity ADD :Enabled

Why its not reflected and User which we have migrated to R12 are also not able to login from R12 E-Biz login page .


Atul Kumar says January 11, 2009

Do an ldapbind for the AppsDN user password in OID and see if this is successful or not.

Check http://onlineappsdba.com/index.php/2008/06/14/user-created-in-apps-11ir1212i-not-sync-to-oid/

Aashish says January 16, 2009

Hi Atul,

I did raise an SR with Oracle. It's a lack of functionality in the application and an enhancement has already been raised with Oracle for the same by the support team. We did it using a SQL script / creating custom procedures.

One more question for you is.


APPS - OID - LDAP (user creation is working fine). All in sync.

Apps - OID - LDAP (modifications are not working in the OID - LDAP step above).

The things I change in Apps are visible in OID, but the changes are NOT getting reflected in the LDAP server.

Any ideas why? I guess it has nothing to do with replication?


Rob says January 23, 2009

Hi Atul,
I have a 10g R2 database and want to install OID. Since OID is now part of Oracle AS 10g R1, can you please tell me if I have to create a new ORACLE_HOME for OID, or can I use the one I already have? I want to install OID on the 10g R2 DB which I already have.

Please help me.


Atul Kumar says January 23, 2009

There are various ways of doing an OID install:

New OID, 10.1.4 and higher, is part of the Oracle Identity Management stack.
Old OID, 10.1.2 and lower, is part of Oracle Application Server.

- You can install OID with its own new database (select the IM & MR option) or into an existing 10g R1 or R2 database; then select the IM-only option and, when prompted for the MR, give the details of the existing database.

If you are planning to use an existing database for OID then you must first configure and load the repository into the existing database, which can be done using repca (Repository Configuration Assistant) or MRCA (Metadata Repository Configuration Assistant).

If you are new to Application Server or OID, my recommendation is to select IM+MR (OID with its own new database).

To use an existing database, go through the REPCA or MRCA documentation.

Rob says January 23, 2009

Thanks Atul for this information and for quick reply..

onlineappsdba.com ROCKS!!!!!!!!!!

hasani says February 3, 2009

Hi everybody,

I am using OID provisioning for data synchronization.
I do this for users on both sides (I am using the USER_ADD, IDENTITY_ADD, ... events),
but groups work only for outbound events (GROUP_ADD, GROUP_MODIFY, ...).
When the application sends GROUP_ADD or GROUP_MODIFY to OID, the log says unknown event: GROUP_MODIFY (or GROUP_MODIFY).

Could anyone help me?

Raj says May 12, 2009

Hi all,
When we click on the private connection key in the Discoverer page, the values (DBUser, DBPassword, SSOUser) in the orasso schema are fetched and validated against the database values for authentication.

In this scenario,
can we fetch the password (only) of that particular user from Active Directory and substitute it in the DBPassword field of the orasso schema for authentication (this is only for validation at the database level, not for viewing the password)?
Is this possible?

Could anyone help me?

Charles Bryant says February 10, 2010

We have eBS 12.0.6 integrated with OID 10.1.4. We run into an issue where the provisioning profiles are periodically being lost. The container is there, but the OIDTOAPPLICATION and APPLICATIONTOOID profiles have vanished (like someone did a deregistration).

Are there processes outside of deregistration that would remove these profiles from the container?

Atul Kumar says February 15, 2010

@ Charles,
No, there is no process outside deregistration that should remove these profiles.
The only thing I can think of is that you are using replication or an LDAP refresh which recreates this tree.

If this is happening regularly, you can enable trace on ldapwrite or ldapdelete to see which process is deleting the tree.

Use oidadmin to enable trace.

Allen D says May 3, 2010


Thanks for the informative website. I want to programmatically authenticate the SSO id and get back the FND_USER. The flow of steps is:

1. Given an instance, find programmatically (Java/PL-SQL) whether SSO or normal EBS login holds.

2. If SSO applies, detect whether the user is currently logged in or not; not sure if I can read the SSO cookie.

3. Given the SSO login credentials, use Java/PL-SQL techniques to map the SSO id to an FND_USER. Is there an OID table that can give me the GUID for a given SSO id?

Your help is greatly appreciated.

Harika says November 16, 2011

Hi Atul,

I am a beginner in OSB 11g security concepts. My task is to authenticate the username/password of a user and I need to use LDAP. Can you please let me know how to get the LDAP password to pass at the time of realm configuration?
I will be very thankful if you can provide me with some useful link for user authentication using LDAP.


Atul Kumar says November 16, 2011

@ Harika,
Define an LDAP provider in WebLogic (as an authentication provider) on which OSB is deployed, and then set authentication to basic.


kkaushick says November 24, 2012

hi Atul,
Need your help again. I want to redirect users based on their functional role after confirming their login (done). Actually the problem is that I am not able to find the roles or the attribute deciding the roles of the user. Can you please help me out with the attribute on which to base the filter in ldapsearch to get the role? Thanks.

Ashish says November 26, 2014

Hello Atul,

Can you help me in finding out how I can set these parameters for OID 11g:

Number of DB Connections per Server Process (orclMaxCC)

Number of Dispatcher threads per server process

Set "Skip Referral for Search (orclSkipRefInSql)"



gopal says July 1, 2015

Hi Atul,

I have integrated OID 11g with EBS 12.1.1. First I created a user in OID and it migrated to EBS without any issue. After that I created 2 more users; these users are not migrated. Can I know what the issue is? How do I find the issue?


Ashwini says July 8, 2015

I need to know the password for the OID IT resource (connector). How do I check it?

Satish says March 25, 2016

Hi Atul,
Is there any way that we can import and export orclguid along with the LDAP entries? I have a requirement where I need to export the LDAP entries from one OID to another OID and need to keep orclguid the same during this process.
Thanks in advance.

Francois says May 6, 2016

Hi Atul. Which ldapsearch command can I use to find all user accounts in OID whose passwords are about to expire? Many thanks.

poooja says October 12, 2016

How to take the OID GUID report using a query? Please share.

Atul Kumar says October 15, 2016

What do you mean by OID GUID report? Do you want to query the GUID value from OID? This means you need to see an operational attribute, so put + at the end of the query. Let me know if this doesn't work.

Mallikarjuna says November 28, 2016

I am facing an issue with oid1 in OID 11g: ldapbind is not happening and only EMAGENT is up.

Gurura jBandi says October 13, 2017

When a single sign-on account is linked to multiple EBS accounts, how do I set a single account as the default account, not through the single sign-on account settings screen, but as a system or IS user who would like to change the default account?
Kindly reply.
