I have an Oracle Identity 11g environment running on VirtualBox 4.0. This is a development environment that I use to test out various installations and configurations. I noticed the other day that I wasn’t able to start the Oracle Internet Directory (OID) instance.
When I checked the log file, I could see that I was not able to connect to the database. By the way, the log that is referenced doesn’t show anything of value. The log that actually contained the error is called: oidmon-0000.log
According to ora-code.com, ORA-28000 means that the user account that is connecting to the database, ‘ODS’, is locked.
ORA-28000: the account is locked
Cause: The user has entered wrong password consequently for maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
Action: Wait for PASSWORD_LOCK_TIME or contact DBA
It’s typically trivial to unlock an account from the sqlplus command line
So, we should be good now. I will try to start the process again.
But now my log shows
So, now I am getting an ORA-01017 error, which means “Invalid username/password”. So, it seems that the database doesn’t like the password that OID is supplying to connect to the ODS schema.
I’ll use SQL Developer to try and connect to the database with the ODS user
Interesting, SQL Developer is showing an ORA-28000 error.
Let’s try connecting using SQLPlus …
So, it seems we have a consensus (and yes, I did just include my password in the screenshot … it doesn’t matter)
Let’s see what the database has to say about this user. Make sure you reconnect to the DB as oracle.
Ok, didn’t we just unlock it? Let’s try again …
So, now what is the status?
Hey! This is good right? … the account seems to be open again.
So, let’s try to start OID again.
Ok, this is looking pretty ugly right about now…
… and the account is locked again. So, let’s see if we can figure out why this is happening.
Maybe the wallet that holds the ODS password for OID has become corrupt. We can recreate it using oidpasswd.
Note: Before you run oidpasswd it’s important to have your Oracle environment set up correctly. Here is what I am using (yours may vary):
ORACLE_SID=orcl
ORACLE_BASE=/opt/oracle
ORACLE_INSTANCE=/opt/oracle/Middleware/asisnt_1
ORACLE_HOME=/opt/oracle/Middleware/Oracle_IDM1
MW_HOME=/opt/oracle/Middleware
Now with this output … I have verified the location of the tnsnames.ora file and the information in it … so I am going to assume for the moment that the issue is with the password (at least until I prove otherwise).
Typically, changing the password will unlock the account
But here we are and the account is still locked.
… I am spending some time just fishing around on the Internet and looking around at my system
Wait a second … I wasn’t even thinking about ODSSM …
Change the ODSSM’s password and then unlock ODS.
So, both accounts should now be “OPEN”
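To confirm the status of both accounts and to see why an account keeps relocking, the checks below can be run from SQL*Plus as a DBA. This is an added example, not the commands from the original screenshots; the third query assumes session auditing is enabled on the database, and the only account names used are ODS and ODSSM from this post.

```sql
-- Added example; run as a DBA user (for instance: sqlplus / as sysdba).

-- 1. Current state of the two OID schema accounts.
--    ACCOUNT_STATUS distinguishes OPEN, LOCKED, LOCKED(TIMED), EXPIRED, etc.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username IN ('ODS', 'ODSSM');

-- 2. Password limits of the profile(s) those accounts use.
--    LOCKED(TIMED) comes from FAILED_LOGIN_ATTEMPTS being exceeded;
--    EXPIRED comes from PASSWORD_LIFE_TIME plus PASSWORD_GRACE_TIME.
--    A LIMIT of 'DEFAULT' means the value is inherited from the DEFAULT profile.
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
 WHERE p.profile IN (SELECT profile
                       FROM dba_users
                      WHERE username IN ('ODS', 'ODSSM'))
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LOCK_TIME',
                           'PASSWORD_LIFE_TIME',
                           'PASSWORD_GRACE_TIME')
 ORDER BY p.profile, p.resource_name;

-- 3. Which host and OS user produced the failed logins in the last day.
--    Assumption: session auditing is on, so DBA_AUDIT_SESSION has rows.
--    RETURNCODE 1017 = invalid username/password, 28000 = account locked.
SELECT timestamp, username, os_username, userhost, returncode
  FROM dba_audit_session
 WHERE username IN ('ODS', 'ODSSM')
   AND returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- 4. Unlock. If a client is still retrying with a stale password, the
--    account relocks after FAILED_LOGIN_ATTEMPTS further failures, so
--    fix or stop that client first and re-run query 1 afterwards.
ALTER USER ods ACCOUNT UNLOCK;
```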
Now restart the OIDMON process
What does the log say?
Completely different error this time. At least I feel like we are making some progress …
hmmm … if the wallet can’t be read … maybe we can recreate the wallet. Let’s re-run the “create wallet” command that we tried earlier.
Hey! … it was successful this time. So, let’s try starting the OID processes
That was successful!
Now to check the status of the OPMN Processes
All of the OID related processes are now Alive. The ohs1 process is down because I turned it off earlier.
Nice post, Brad. We had the same issue the other day and it looks to be that all users in 11g databases are by default assigned to a profile “DEFAULT” which has a 90 day password life time. The passwords for the accounts expire after 90 days and a 7 day grace period after which the accounts get locked. We have used the following to rectify the issue.
To identify the users having DEFAULT as their profile:
select username, profile from dba_users;
To set the Password Life Time:
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME UNLIMITED;
Thanks
Ramesh
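An alternative that limits the change to the OID schema accounts rather than every user on the DEFAULT profile, as an added example that is not part of the comment above. The profile name oid_service is a hypothetical name chosen for illustration.

```sql
-- Added example; run as a DBA user.

-- Dedicated profile for the OID schema accounts. Any limit not listed
-- here (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, ...) is inherited
-- from the DEFAULT profile, so lockout on repeated bad passwords stays.
CREATE PROFILE oid_service LIMIT
  PASSWORD_LIFE_TIME UNLIMITED;

-- Move only the service accounts; interactive users keep DEFAULT.
ALTER USER ods   PROFILE oid_service;
ALTER USER odssm PROFILE oid_service;

-- Verify the assignment and the resulting status. An account that is
-- already EXPIRED stays expired until its password is reset.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE username IN ('ODS', 'ODSSM');
```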
Great post – I needed to execute the oidpasswd to create a new wallet – can now connect to OID through ODS schema
Thanks
Gina
I need oid
I’m not sure I understand your question. Are you looking to purchase oracle internet directory?
Not able to see screenshots
Hi, Brad.
I have an issue with my OID, initially it was showing an error that password is expired. The DBA removed the expiration (user is as OPEN) and changed the password of ODSSM user directly in the database. After that I’ve encrypted this password and replaced it in the XML file for the datasource, but after that the log says “ORA-28000: the account is locked” and in the database user is still as OPEN.
I’ve tried to run the oidpasswd to create a new wallet and to reset password, but I always receive this error (the environment variables you’ve mentioned are set correctly):
Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from ORACLE_INSTANCE) or Incorrect TNS Connect string or Invalid Password
Can you help me with this issue, please?
Obs.: your screenshots are not available.
Thanks.
Daniel