OID 11g Down : Unable to Start OID 11g using OPMN (ODS schema locked ORA-28002)

This post covers an OID 11g start-up issue caused by the password policy in the OID database.

OID 11g: Oracle Internet Directory is an LDAP (Lightweight Directory Access Protocol) compliant directory server that uses an Oracle Database as its repository and is managed via OPMN (Oracle Process Manager and Notification).

MW_HOME: The directory under which you install WebLogic & Oracle Identity Management products (OID, OVD, DIP, OIM, OAM, OIF ….). MW_HOME is created during WebLogic installation.
ORACLE_HOME: The directory under MW_HOME (usually MW_HOME/Oracle_IDM1) which contains the software/binaries for OID/OVD/OIF/…
ORACLE_INSTANCE: The directory (usually $MW_HOME/asinst_1, but it can be outside MW_HOME) which contains the runtime configuration files and log files.

Things good to know for OID

1. OID consists of the middle-tier processes oidldapd and oidmon, with an Oracle Database as the repository.

2. opmnctl (part of OPMN) is used to start/stop and manage OID 11g

3. OID 11g uses OIDDB (as tns alias) from $ORACLE_INSTANCE/config/tnsnames.ora

4. OID schema name is ODS

5. OID status is stored in ods_process_status table in ODS schema

6. OID 11g logs are in $ORACLE_INSTANCE/diagnostics/logs/OID/[oid1]/oidXXXXX.log

7. OID Middle Tier Processes connect to database (ODS schema) using password in $ORACLE_INSTANCE/OID/admin/oidpwdXXXXXX

8. The default database schema password expiration policy in an 11g database is 180 days (change this database password policy or reset the ODS & ODSSM passwords in the database every 179 days).

9. Use Enterprise Manager (/em) or $ORACLE_HOME/ldap/bin/oidpasswd to change the ODS schema password.

10. An OID schema (ODS) in the grace period (PASSWORD_LIFE_TIME set to 180 days in the database) will prevent OID start-up.

11. It is possible to install OID 11g without WebLogic, with no ODSM & DIP (ODSM and DIP are J2EE applications deployed on WebLogic Server).


Troubleshoot OID startup Issues

1. Check the status of OID using “opmnctl status” or in the ods.ods_process_status table. (If you are not sure about the database location, check $ORACLE_INSTANCE/config/tnsnames.ora on the OID node.)

____________
opmnctl status

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
ovd1                             | OVD                |   11843 | Alive
oid1                             | oidldapd           |     N/A | Down
oid1                             | oidldapd           |     N/A | Down
oid1                             | oidmon             |     N/A | Down
EMAGENT                          | EMAGENT            |   11844 | Alive

2. Look for error messages in OID log location $MW_HOME/[asinst_1]/diagnostics/logs/OID/[oid1]/oidmonXXXXX.log

In my case, the ODS schema password expired and the account was in the grace period.

______________
[2010-09-12T10:03:09+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: Connecting to database, connect string is oiddb

[2010-09-12T10:03:10+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXXX] [pid: 8226] [tid: 0] Guardian: [gsdsiConnect]ORA-28002, ORA-28002: the password will expire within 7 days

[2010-09-12T10:03:10+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: xxxxxxxx] [pid: 8226] [tid: 0] Guardian: [oidmon]: Unable to connect to database,
            will retry again after 10 sec

______________
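
As an added example (not from the original post), the shell function below scans an oidmon log for ORA- codes and summarizes them, so the ORA-28002 grace-period warning stands out from the retry noise. The sample log is constructed from the excerpt above plus two invented lines; ORA-28000 and ORA-28001 are included as the neighbouring locked and expired states.

```shell
#!/bin/sh
# Added example (not from the original post): triage an oidmon log for
# database-account errors. SAMPLE_LOG is constructed: the first four lines
# follow the excerpt above, the last two are invented for illustration.
SAMPLE_LOG='[2010-09-12T10:03:09+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: Connecting to database, connect string is oiddb
[2010-09-12T10:03:10+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: [gsdsiConnect]ORA-28002, ORA-28002: the password will expire within 7 days
[2010-09-12T10:03:10+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: [oidmon]: Unable to connect to database,
            will retry again after 10 sec
[2010-09-12T10:03:20+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: [gsdsiConnect]ORA-28002, ORA-28002: the password will expire within 7 days
[2010-09-20T08:00:00+01:00] [OID] [NOTIFICATION:16] [] [OIDMON] [host: XXXXXX] [pid: 8226] [tid: 0] Guardian: [gsdsiConnect]ORA-28001, ORA-28001: the password has expired'

# Reads log text on stdin; prints one line per distinct ORA code, in order of
# first appearance:  <code>|<lines reporting it>|<first timestamp>|<meaning>
classify_oidmon_log() {
    awk '
    {
        # Entries start with a bracketed timestamp; wrapped lines do not.
        ts = ($1 ~ /^\[/) ? substr($1, 2, length($1) - 2) : ""
        rest = $0
        seen = ""   # a line can repeat a code; count it once per line
        while (match(rest, /ORA-[0-9][0-9][0-9][0-9][0-9]/)) {
            code = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            if (index(seen, code)) continue
            seen = seen " " code
            if (!(code in count)) { order[++n] = code; first[code] = ts }
            count[code]++
        }
    }
    END {
        meaning["ORA-28002"] = "password in grace period"
        meaning["ORA-28001"] = "password expired"
        meaning["ORA-28000"] = "account locked"
        for (i = 1; i <= n; i++) {
            c = order[i]
            m = (c in meaning) ? meaning[c] : "other database error"
            printf "%s|%d|%s|%s\n", c, count[c], first[c], m
        }
    }'
}

# Run on the constructed sample; point it at the real oidmon log instead.
printf '%s\n' "$SAMPLE_LOG" | classify_oidmon_log
```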


3. Verify the account status from the database
SQL> select * from dba_users where username like 'ODS';

ODS                                    42
EXPIRED(GRACE)                             19-SEP-10
OLTS_DEFAULT                   TEMP                           05-MAR-10
DEFAULT                        DEFAULT_CONSUMER_GROUP

10G 11G  N

Fix : Reset password using oidpasswd

1. export ORACLE_HOME=/oracle/apps/Middleware/Oracle_IDM1 (change the location as per your ORACLE_HOME)
2. On the database, reset the password of the ODS schema:
SQL> alter user ods identified by [new_password];
Check the password column; it should not be locked or expired:
SQL> select * from dba_users where username like 'ODS';

3. $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB change_oiddb_pwd=true

current password : [password updated using sqlplus command]
new password : [new password]
new password : [new password]

Replication password file exists
password set
This command resets the password both in the database (ODS schema) and in the middle tier on the OID node ($ORACLE_INSTANCE/OID/admin/oidpwdXXXXXX).

Now start OID using opmnctl

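Q: How do I change the ODS/ODSSM database profile from locking after 180 days to no lock?
SQL> ALTER PROFILE ODS LIMIT PASSWORD_LIFE_TIME UNLIMITED;
SQL> ALTER PROFILE ODSSM LIMIT PASSWORD_LIFE_TIME UNLIMITED;
(ALTER PROFILE takes a profile name, not a user name: use the profile that dba_users lists for each account.)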
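
An added example, not part of the original post: a check that can run from cron to report how many days remain before the ODS and ODSSM passwords expire, and which profile governs each account (the name ALTER PROFILE expects). It assumes sqlplus with OS authentication on the database host; the 14-day threshold and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes sqlplus with OS
# authentication on the database host; the threshold is illustrative.
# The database does the date arithmetic, so the shell only compares integers.
EXPIRY_QUERY="set heading off feedback off pagesize 0
select username || '|' || account_status || '|' ||
       nvl(to_char(trunc(expiry_date - sysdate)), 'NONE') || '|' || profile
  from dba_users
 where username in ('ODS', 'ODSSM');"

# check_expiry WARN_DAYS
# Reads USERNAME|ACCOUNT_STATUS|DAYS_LEFT|PROFILE rows on stdin, prints one
# finding per account, and returns 1 if any account needs attention.
check_expiry() {
    warn_days=$1
    rc=0
    while IFS='|' read -r user status days profile; do
        [ -n "$user" ] || continue          # skip blank lines from sqlplus
        if [ "$status" != "OPEN" ]; then
            # EXPIRED(GRACE) already stops oidmon, so treat it as critical.
            echo "CRITICAL $user: account_status=$status profile=$profile"
            rc=1
        elif [ "$days" = "NONE" ]; then
            echo "OK $user: password does not expire profile=$profile"
        elif [ "$days" -le "$warn_days" ]; then
            echo "WARNING $user: password expires in $days days profile=$profile"
            rc=1
        else
            echo "OK $user: $days days left profile=$profile"
        fi
    done
    return $rc
}

# Real use (for example from cron):
#   printf '%s\n' "$EXPIRY_QUERY" | sqlplus -s "/ as sysdba" | check_expiry 14
# Constructed rows standing in for the query output:
check_expiry 14 <<'EOF' || echo "action needed"
ODS|EXPIRED(GRACE)|7|DEFAULT
ODSSM|OPEN|120|DEFAULT
EOF
```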


Related/References

  • How to change OID Database Password 
  • 1064334.1 – OID does not start, log shows ORA-28002 the password will expire
  • 1134954.1 – Error in Managed WebLogic Server Log – ORA-28001: the password has expired
     

About the Author Masroof Ahmad
