Skip to main content

Hi,

I have configured my Apps9 middleware server to user LDAP (on-prem) Active Directory. The AD password works fine and users can login using their AD account. However, the issue arises when oracle accounts get locked and expire, users cannot then login with their AD credentials.

 

Is the recommended practise to change oracle profiles so passwords never expire and accounts never lock, or should I be doing something different.

Hi,

You are correct. If you would like to manage user password policy through LDAP, you can switch Oracle user accounts to never expire.

By default, standard (Oracle) users are connected to the DEFAULT profile which has a Password Life Time set to 180 days.

Option 1 - You change this value to be UNLIMITED 

Option 2 - You can create a custom profile with PASSWORD_LIFE_TIME set to UNLIMITED and switch all your IFS users to point to the new profile.

Please make sure not to make any changes to IFS* System Users, as these account should be pointing to IFS_INTERNAL profile and will bypass LDAP authentication. 


You can certainly change the assigned Oracle profile(s) for these users to not expire, but be careful that you do not leave yourself vulnerable to direct Oracle access where weak or default passwords never expire or change.  In that case someone could indefinitely access your DB directly (i.e. not through the IFS interface) using those Oracle accounts.

I forget the exact details but normal user accounts (you wouldn’t want to do it for some system accounts) can be prevented from directly connecting to Oracle at the DB level. Check the technical documentation for details.  If you can’t find it let me know and I’ll see if I can track it down for you.

Nick


Reply