Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP

I have an Oracle Identity 11g environment running on VirtualBox 4.0. This is a development environment that I use to test out various installations and configurations. I noticed the other day that I wasn’t able to start the Oracle Internet Directory (OID) instance.

Screen shot 2011-01-26 at 2.21.25 PM.png

When I checked the log file I can see that I am not able to connect to the Database. By the way, the log that is referenced doesn’t show anything of value. The log that actually contained the error is called: oidmon-0000.log

Screen shot 2011-01-26 at 2.23.11 PM.png

According to ora-28000 the error means that the user account that is connecting to the database ‘ODS’ is locked.


the account is locked
Cause: The user has entered wrong password consequently for maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
Action: Wait for PASSWORD_LOCK_TIME or contact DBA

It’s typically trivial to unlock an account from the sqlplus command line

Screen shot 2011-01-26 at 2.29.30 PM.png

So, we should be good now. I will try to start the process again.

Screen shot 2011-01-26 at 2.30.42 PM.png

But now my log shows

Screen shot 2011-01-26 at 2.31.14 PM.png

So, now I am getting an ORA-01017 error. Which means “Invalid username/password”. So, it seems that the Database doesn’t like the password that OID is supplying to connect to the ODS schema.

I’ll use SQL Developer to try and connect to the database with the ODS user

Screen shot 2011-01-26 at 2.38.10 PM.png

Interesting, SQL Developer is showing an ORA-28000 error.

Let’s try connecting using SQLPlus …

Screen shot 2011-01-26 at 2.42.11 PM.png

So, it seems we have a consensus (and yes, I did just include my password in the screenshot … it doesn’t matter)

Let’s see what the database has to say about this user. Make sure you reconnect to the DB as oracle.

Screen shot 2011-01-26 at 2.52.15 PM.png

Ok, didn’t we just unlock it? Let’s try again …

Screen shot 2011-01-26 at 3.00.20 PM.png

So, now what is the status?

Screen shot 2011-01-26 at 3.01.39 PM.png

Hey! This is good right? … the account seems to be open again.

So, let’s try to start OID again.

Screen shot 2011-01-26 at 3.15.29 PM.png

Ok, this is looking pretty ugly right about now…

Screen shot 2011-01-26 at 3.16.38 PM.png

… and the account is locked again. So, let’s see if we can figure out why this is happening.

Maybe the wallet that holds the ODS password for OID has become corrupt. We can recreate it using oidpasswd.

Note: Before you run oidpasswd it’s important to have your Oracle environment set up correctly. Here is what I am using (yours may vary):






Screen shot 2011-01-26 at 4.14.39 PM.png

Now with this output … I have verified the location of the tnsnames.ora file and the information in it … so I am going to assume for the moment that the issue is with the password (at least until I prove otherwise).

Typically, changing the password will unlock the account

Screen shot 2011-01-26 at 4.37.18 PM.png

But here we are and the account is still locked.

… I am spending some time just fishing around on the Internet and looking around at my system

Screen shot 2011-01-26 at 5.08.25 PM.png

Wait a second … I wasn’t even thinking about ODSSM …

Screen shot 2011-01-26 at 5.11.50 PM.png

Change the ODSSM’s password and then unlock ODS.

Screen shot 2011-01-26 at 5.13.24 PM.png

So, both accounts should now be “OPEN”

Screen shot 2011-01-26 at 5.15.48 PM.png

Now restart the OIDMON process

Screen shot 2011-01-26 at 5.17.41 PM.png

What does the log say

Screen shot 2011-01-26 at 5.18.12 PM.png

Completely different error this time. At least I feel like we are making some progress …

hmmm … if the wallet can’t be read … maybe we can recreate the wallet. Let’s re-run the “create wallet” command that we tried earlier.

Screen shot 2011-01-26 at 5.29.48 PM.png

Hey! … it was successful this time. So, let’s try starting the OID processes

Screen shot 2011-01-26 at 5.31.59 PM.png

That was successful!

Now to check the status of the OPMN Processes

Screen shot 2011-01-26 at 5.33.09 PM.png

All of the OID related processes are now Alive. The ohs1 process is down because I turned it off earlier.

7 thoughts on “Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP”

  1. Pingback: Tweets that mention Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP « Identity & Access Management Journal --

  2. Nice post, Brad. We had the same issue the other day and it looks to be that the all users in 11g databases are by default assigned to a profile “DEFAULT” which has a 90 day password life time. The passwords for the accounts expire after 90 days and a 7 day grace period after which the accounts get locked. We have used the following to rectify the issue.

    To identify the users having DEFAULT as their profile:
    select username, profile from dba_users;

    To set the Password Life Time:


  3. Great post – I needed to execute the oidpasswd to create a new wallet – can now connect to OID through ODs schema

  4. Hi, Brad.

    I have an issue with my OID, initially it was showing an error that password is expired. The DBA removed the expiration (user is as OPEN) and changed the password of ODSSM user directly in the database. After that I’ve encrypted this password and replaced it in the XML file for the datasource, but after that the log says “ORA-28000: the account is locked” and in the databse user is still as OPEN.

    I`ve tried to run the oidpasswd to create a new wallet and to reset password, but I always receive this error (the environment variables you’ve mentioned are set correctly):

    Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from ORACLE_INSTANCE) or Incorrect TNS Connect string or Invalid Password

    Can you help me with this issue, please?

    Obs.: your screenshots are not available.



Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top