Friday, October 23, 2015

Enable / Disable SSO login for any particular user in OID

In our project there was a requirement to temporarily disable SSO login for a particular user. To achieve this, follow the steps below:


DISABLE SSO Login:


Step 1) Create a sso_disable.ldif file with the following content:

dn: cn=My_user,cn=users,dc=au,dc=oracle,dc=com
changetype: modify
replace: orclisenabled
orclisenabled: DISABLED


Step 2) Go to $ORACLE_HOME/bin and execute the following command (the bind DN is the OID superuser cn=orcladmin):
$ cd $ORACLE_HOME/bin
$ ./ldapmodify -h <OID hostname> -p <OID port> -D cn=orcladmin -w <password> -v -f sso_disable.ldif

replace orclisenabled:
DISABLED
modifying entry cn=My_user,cn=users,dc=au,dc=oracle,dc=com
modify complete

When you check ldapbind for the above user, you will get the error below:
$ ./ldapbind -h <OID hostname> -p <OID port> -D "cn=My_user,cn=users,dc=au,dc=oracle,dc=com" -w abc1234
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.

If you log in to any OAM-protected resource with the above login id, you will get the following error in the oam_server log:
<<
<Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : My_user, for idstore FUSION-OID with exception The account has been disabled with primary error message [LDAP: error code 53 - Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.
>>

To enable login again, follow the steps below:

ENABLE SSO Login:


Step 1) Create a sso_enable.ldif file with the following content:

dn: cn=My_user,cn=users,dc=au,dc=oracle,dc=com
changetype: modify
replace: orclisenabled
orclisenabled: ENABLED


Step 2) Go to $ORACLE_HOME/bin and execute the following command:
$ cd $ORACLE_HOME/bin
$ ./ldapmodify -h <OID hostname> -p <OID port> -D cn=orcladmin -w <password> -v -f sso_enable.ldif

replace orclisenabled:
ENABLED
modifying entry cn=My_user,cn=users,dc=au,dc=oracle,dc=com
modify complete

When you check ldapbind for the above user, you will get the output below:
bash-3.2$ ./ldapbind -h <OID hostname> -p <OID port> -D "cn=My_user,cn=users,dc=au,dc=oracle,dc=com" -w abc1234
bind successful
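As an added example (not from the original post), the POSIX shell functions below generate the LDIF for either state, apply it with ldapmodify as cn=orcladmin, and classify the ldapbind response so that a disabled account is told apart from a wrong password or an unreachable server. The host, port, user DN and passwords are placeholders supplied by the caller, and $ORACLE_HOME/bin is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the LDIF that sets
# orclisenabled for a user, applies it with ldapmodify, and classifies the
# ldapbind result. Host, port, DN and passwords are placeholders supplied by
# the caller; $ORACLE_HOME/bin is assumed to be on PATH.

# Print the LDIF modify operation for one user DN and the desired state.
# Usage: sso_ldif "<user dn>" ENABLED|DISABLED
sso_ldif() {
    dn=$1
    state=$2
    case "$state" in
        ENABLED|DISABLED) ;;
        *) echo "sso_ldif: state must be ENABLED or DISABLED, got '$state'" >&2
           return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: orclisenabled\norclisenabled: %s\n' \
        "$dn" "$state"
}

# Classify captured ldapbind output: 'disabled' for the account-policy error
# shown in the post (GSL_ACCTDISABLED_EXCP), 'ok' for a successful bind, and
# 'other' for anything else (bad password, unreachable host) so that a wrong
# password is never mistaken for a disabled account.
bind_state() {
    case "$1" in
        *GSL_ACCTDISABLED_EXCP*) echo disabled ;;
        *"bind successful"*)     echo ok ;;
        *)                       echo other ;;
    esac
}

# Apply the state change as cn=orcladmin, then report the state seen when
# binding as the user. Usage: set_sso_state "<dn>" ENABLED|DISABLED host port admin_pw user_pw
set_sso_state() {
    dn=$1; state=$2; host=$3; port=$4; admin_pw=$5; user_pw=$6
    ldif=$(mktemp) || return 1
    sso_ldif "$dn" "$state" > "$ldif" || { rm -f "$ldif"; return 1; }
    ldapmodify -h "$host" -p "$port" -D cn=orcladmin -w "$admin_pw" -v -f "$ldif"
    rc=$?
    rm -f "$ldif"
    [ "$rc" -eq 0 ] || return "$rc"
    # Verify: the bind must report 'disabled' after DISABLED and 'ok' after
    # ENABLED; ldapbind exits non-zero on failure, so do not abort on it.
    out=$(ldapbind -h "$host" -p "$port" -D "$dn" -w "$user_pw" 2>&1) || true
    bind_state "$out"
}
```

Calling `set_sso_state` with a placeholder DN and real connection details runs the whole procedure from the post in one step and prints the verified state.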
