In our project there was a requirement to temporarily disable SSO login for a particular user. The user's account lives in Oracle Internet Directory (OID), which is the identity store OAM authenticates against, so the account is switched off by setting its orclisenabled attribute to DISABLED with ldapmodify and switched back on by setting it to ENABLED. To achieve this, follow the steps below:
Disable SSO Login:
Step 1) Create a file sso_disable.ldif with the following content:
dn: cn=My_user,cn=users,dc=au,dc=oracle,dc=com
changetype: modify
replace: orclisenabled
orclisenabled: DISABLED
Step 2) Go to $ORACLE_HOME/bin and run ldapmodify as the OID administrator (cn=orcladmin). Note that -w <password> places the administrator password on the command line, where it is visible in the process list and shell history:
$ORACLE_HOME/bin
$./ldapmodify -h <OID hostname> -p <OID port> -D cn=orcladmin -w <password> -v -f sso_disable.ldif
replace orclisenabled:
DISABLED
modifying entry cn=My_user,cn=users,dc=au,dc=oracle,dc=com
modify complete
An ldapbind as the user now fails with the account-disabled policy error (LDAP result code 53, "DSA is unwilling to perform"):
$ ./ldapbind -h <OID hostname> -p <OID port> -D "cn=My_user,cn=users,dc=au,dc=oracle,dc=com" -w abc1234
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.
If the user then tries to log in to any OAM-protected resource with this login id, the oam_server log shows the same LDAP error code 53, reported as OAMSSA-20023:
<<
<Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : My_user, for idstore FUSION-OID with exception The account has been disabled with primary error message [LDAP: error code 53 - Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.
>>
Setting orclisenabled blocks new authentications only; a session the user already holds is not ended by the attribute change. To re-enable login, reverse the change:
Enable SSO Login:
Step 1) Create a file sso_enable.ldif with the following content:
dn: cn=My_user,cn=users,dc=au,dc=oracle,dc=com
changetype: modify
replace: orclisenabled
orclisenabled: ENABLED
Step 2) Go to $ORACLE_HOME/bin and run ldapmodify as cn=orcladmin with the new file:
$ORACLE_HOME/bin
$./ldapmodify -h <OID hostname> -p <OID port> -D cn=orcladmin -w <password> -v -f sso_enable.ldif
replace orclisenabled:
ENABLED
modifying entry cn=My_user,cn=users,dc=au,dc=oracle,dc=com
modify complete
An ldapbind as the user now succeeds:
bash-3.2$ ./ldapbind -h <OID hostname> -p <OID port> -D "cn=My_user,cn=users,dc=au,dc=oracle,dc=com" -w abc1234
bind successful
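The disable and enable procedures above are the same modify with one attribute value flipped, so they can be wrapped in a small script that generates the LDIF, applies it with ldapmodify, and then confirms the result with ldapbind. The following is an added example, not code from the original post; it assumes ORACLE_HOME, OID_HOST and OID_PORT are exported by the operator and that the orcladmin password is kept in a file named by OID_PW_FILE (mode 0600) instead of being typed on the command line. The function and variable names are the author's own choices for this example.

```shell
#!/bin/sh
# Added example (not from the original post): toggle orclisenabled for one
# OID user with ldapmodify and confirm the result with ldapbind.
# Assumptions (not in the original): ORACLE_HOME, OID_HOST and OID_PORT are
# exported by the operator, and the orcladmin password is kept in a file
# whose path is in OID_PW_FILE with mode 0600, rather than typed on the
# command line where it would land in shell history.
set -eu

# Print the modify LDIF for one user. Only the two values OID accepts for
# orclisenabled are allowed, so a typo cannot silently leave the account
# in an unexpected state.
sso_ldif() {
  dn=$1; state=$2
  case "$state" in
    ENABLED|DISABLED) ;;
    *) printf 'state must be ENABLED or DISABLED, got "%s"\n' "$state" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\nreplace: orclisenabled\norclisenabled: %s\n' \
    "$dn" "$state"
}

# Map ldapbind output to the account state it implies. "bind successful"
# means the account is usable; GSL_ACCTDISABLED_EXCP (LDAP result 53) is
# the disabled-account policy error shown in the post; anything else
# (wrong password, locked account, host unreachable) is reported as
# "other" so the caller does not mistake it for a disabled account.
classify_bind() {
  case "$1" in
    *"bind successful"*)      echo enabled ;;
    *GSL_ACCTDISABLED_EXCP*)  echo disabled ;;
    *)                        echo other ;;
  esac
}

# Write the LDIF to a temp file and apply it as cn=orcladmin.
set_sso_state() {
  dn=$1; state=$2
  ldif=$(mktemp)
  sso_ldif "$dn" "$state" > "$ldif"
  "$ORACLE_HOME/bin/ldapmodify" -h "$OID_HOST" -p "$OID_PORT" \
    -D cn=orcladmin -w "$(cat "$OID_PW_FILE")" -v -f "$ldif"
  rm -f "$ldif"
}

# Bind as the user and report enabled/disabled/other. ldapbind exits
# non-zero on failure, so its output is captured with "|| true" to keep
# set -e from aborting before the output is classified.
check_sso_state() {
  dn=$1; userpw=$2
  out=$("$ORACLE_HOME/bin/ldapbind" -h "$OID_HOST" -p "$OID_PORT" \
        -D "$dn" -w "$userpw" 2>&1 || true)
  classify_bind "$out"
}

# Usage: sh sso_toggle.sh DISABLED|ENABLED "<user dn>" "<user password>"
# Nothing runs unless all three arguments are given, so the functions can
# be sourced and exercised without an OID instance.
if [ $# -eq 3 ]; then
  set_sso_state "$2" "$1"
  echo "account now reports: $(check_sso_state "$2" "$3")"
fi
```

The classification step matters more than it looks: a bind that fails for a reason other than GSL_ACCTDISABLED_EXCP (wrong password, locked account, an unreachable OID host) must not be read as "disable succeeded", which is why anything outside the two known outputs is reported as "other" and should be investigated before the change is considered done.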