SysGenius-e-Log: Identity

Have you ever had situation that you needed to execute a command for Oracle Directory Server which required root/Directory Manager's password and the password you had just did not work? I encountered one today and had to scramble to find a solution to reset it. 'pwdhash' tool that comes with Oracle Directory Server rescued me. Here is what I did:

Before resetting the password, you may want to try few of your guesses. Here is how you do it. Get the actual root/Directory Manager's password from dse.ldif file. It's with attribute 'nsslapd-rootpw:' something like: nsslapd-rootpw: {SSHA256}WYChc/pNA34fD8RKo//ReBCsGstkz0Ux54gfsMaruXhMP89tAnMtd

Then compare each of your guess with the encrypted password from dse.ldif using 'pwdhash'. It has option to compare '-c'. Below is how you do it. If password matches, you'll get message "password ok." otherwise "password does not match." is displayed.

./pwdhash
                    -D <instance-location> -c "<encrypted-password>"
                    <your-guess-password>

                    # Actual example from my ODS instance

                  $>cd

/opt/ods/dsee7/bin

$>./pwdhash -D
                  /opt/ods/dsee7/instances/dsInst2 -c
                  "{SSHA256}WYChc/pNA34fD8RKo//ReBCsGstkz0Ux54gfsMaruXhMP89tAnMtd"
                  myPassw0rd

                  ./pwdhash: password does not match.

If none of your guess matches then it's time to reset the password hard way. Here is how to do it:

#
                    Stop your Oracle Directory Instance

$>cd /opt/ods/dsee7/bin

                    $>./dsadm stop /opt/ods/dsee7/instances/dsInst2

                    Directory Server instance '/opt/ods/dsee7/instances/dsInst2'
                    stopped

                    

                    # Generate the encrypted password

$>./pwdhash
                  -D /opt/ods/dsee7/instances/dsInst2 -s SSHA256 myPassw0rd

{SSHA256}qOjAyposbx1LzM/LB4vk1ZKS2yNs2Oh0yDjo66GIjnMpIVMJMhi6fw==

Take the generated encrypted password from step #3 and replace the value of attribute 'nsslapd-rootpw:' in dse.ldif file and save it.

Restart the Oracle Directory Instance.

#
                    Start your Oracle Directory Instance

$>cd /opt/ods/dsee7/bin

                    $>./dsadm start /opt/ods/dsee7/instances/dsInst2

                    Directory Server instance '/opt/ods/dsee7/instances/dsInst2'
                    started: pid=2982

That's it, password reset is done in hard way!!!

However in future, if you just want to change the root/Directory Manager's password, you can use the 'dsconf' command with 'set-server-prop' option. Below is more detail:

#
                Put new password in a temporary file.

$>echo "_0d3mG4_" >
                  /tmp/odspwd.txt

                  # Now run the 'dsconf' command. You need to provide current
                  password for Directory Manager when it prompts

                  $>./dsconf set-server-prop -h localhost -p 1489
                  root-pwd-file:/tmp/odspwd.txt 

                  Enter "cn=Directory Manager" password:

SysGenius-e-Log

Pages

Reset Oracle Directory Manager's Password