Sunday, October 12, 2014

Populate Orcllastlogintime for Users by Enabling Track Last Login Time OID 11.1.1.4 and later

Check if orclpwdtracklogin is set in the realm.

Issue the following ldapsearch on the password policy for the realm.

ldapsearch -h OIDhost -p OIDport -D cn=orcladmin -w pwd -b "cn=default,cn=pwdpolicies,cn=common,cn=products,cn=oraclecontext,%Default Realm%" -s base "objectclass=*" orclpwdtracklogin

Example:

ldapsearch -h myServer.oracle.com -p 3060 -D cn=orcladmin -w welcome1 -b "cn=default,cn=pwdpolicies,cn=common,cn=products,cn=oraclecontext,dc=us,dc=oracle,dc=com" -s base "objectclass=*" orclpwdtracklogin

If orclpwdtracklogin returns 1, Track Last Login Time is enabled in the password policy for this realm.
If orclpwdtracklogin returns 0 or nothing at all, Track Last Login Time is disabled in the password policy for this realm.

To enable it, create a text file (for example track.ldif) with the following content:

dn: cn=default,cn=pwdpolicies,cn=common,cn=products,cn=oraclecontext,%Default Realm%
changetype: modify
add: orclpwdtracklogin
orclpwdtracklogin: 1

Example:

dn: cn=default,cn=pwdpolicies,cn=common,cn=products,cn=oraclecontext,dc=us,dc=oracle,dc=com
changetype: modify
add: orclpwdtracklogin
orclpwdtracklogin: 1

Run ldapmodify

ldapmodify -h OIDhost -p OIDport -D cn=orcladmin -w pwd -f track.ldif

Example:

ldapmodify -h myServer.oracle.com -p 3060 -D cn=orcladmin -w welcome1 -f track.ldif

Issue the search from step 1 again to confirm orclpwdtracklogin returns a value of 1.

Stop and restart OID

Bind as a user that resides under the realm of the password policy you've modified.

Example:


ldapbind -h myServer.oracle.com -p 3060 -D "cn=John.Smith,cn=users,dc=us,dc=oracle,dc=com" -w Mysecretpwd123

Run ldapsearch against the user to view the orcllastlogintime attribute.


Example:


ldapsearch -h myServer.oracle.com -p 3060 -D cn=orcladmin -w welcome1 -b "cn=John.Smith,cn=users,dc=us,dc=oracle,dc=com" -s sub "objectclass=*" orcllastlogintime

Expected output will look similar to this example:

ldapsearch -h myServer.oracle.com -p 3060 -D cn=orcladmin -w welcome1 -b "cn=John.Smith,cn=users,dc=us,dc=oracle,dc=com" -s sub "objectclass=*" orcllastlogintime

cn=John.Smith,cn=Users,dc=us,dc=oracle,dc=com
orcllastlogintime=20110919151040z

Useful LDAP queries


Creating users in OID with LDIF scripts:
command: ldapadd -c -h servername -p 389 -D cn=orcladmin -w myPassword -f createUsers.ldif
script:
dn: cn=jdoe,cn=Users,dc=myDivision,dc=myCompany
cn: jdoe
sn: jdoe
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: orclUserV2
description: John Doe
userpassword: welcome2011
mail: john.doe@mycompany.com

Creating groups in OID with LDIF scripts:
command: ldapadd -c -h servername -p 389 -D cn=orcladmin -w myPassword -f createGroups.ldif
script:
dn: cn=MyGroup,cn=groups,dc=myDivision,dc=myCompany
cn: MyGroup
objectclass: top
objectclass: orclGroup
objectclass: groupOfUniqueNames
owner: cn=orcladmin
displayname: MyGroup
description: My Script Created Group
orclisvisible: true

Remove members from groups in OID with LDIF scripts:
command: ldapmodify -c -h servername -p 389 -D cn=orcladmin -w myPassword -f removeMembersFromGroup.ldif
script:
dn: cn=myGroup,cn=groups,dc=myDivision,dc=myCompany
changetype: modify
delete: uniquemember
uniquemember: cn=jdoe,cn=Users,dc=myDivision,dc=myCompany

List the members to remove under delete: uniquemember; a delete with no values removes every member of the group.

Add members to groups in OID with LDIF scripts:
command: ldapmodify -c -h servername -p 389 -D cn=orcladmin -w myPassword -f addMembersToGroup.ldif
script:
dn: cn=myGroup,cn=groups,dc=myDivision,dc=myCompany
changetype: modify
add: uniquemember
uniquemember: cn=jdoe,cn=Users,dc=myDivision,dc=myCompany
uniquemember: cn=user2,cn=Users,dc=myDivision,dc=myCompany
uniquemember: cn=user3,cn=Users,dc=myDivision,dc=myCompany

Disable users in OID with LDIF scripts:
command: ldapmodify -c -h servername -p 389 -D cn=orcladmin -w myPassword -f DisableUsers.ldif
script:
dn: cn=jdoe,cn=Users,dc=myDivision,dc=myCompany
changetype: modify
replace: orclisenabled
orclisenabled: DISABLED
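The orcllastlogintime check and the disable-user LDIF above, combined in one added Python example that is not part of the original post: it parses ldapsearch output of the shape shown in the Track Last Login Time section, flags accounts whose last login is older than a cutoff or that have no login recorded at all, and emits the ldapmodify input that sets orclisenabled to DISABLED for them. The sample output, its DNs and the 90-day cutoff are constructed assumptions.

```python
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of the ldapsearch output shown above:
# DN line, attribute=value lines, blank line between entries. The third
# account has never bound since tracking was enabled, so it has no value.
SAMPLE_OUTPUT = """cn=John.Smith,cn=Users,dc=us,dc=oracle,dc=com
orcllastlogintime=20110919151040z

cn=Jane.Doe,cn=Users,dc=us,dc=oracle,dc=com
orcllastlogintime=20140930081500z

cn=svc.batch,cn=Users,dc=us,dc=oracle,dc=com
"""

GENERALIZED_TIME = re.compile(r"^(\d{14})z$", re.IGNORECASE)

def parse_generalized_time(value):
    """OID stores orcllastlogintime as YYYYMMDDHHMMSSz (UTC)."""
    m = GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime value: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S")

def parse_last_logins(text):
    """Map each DN to its last-login datetime, or None when the attribute
    is absent (no bind recorded since orclpwdtracklogin was set to 1)."""
    logins = {}
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        dn, last = lines[0], None
        for line in lines[1:]:
            name, _, value = line.partition("=")
            if name.lower() == "orcllastlogintime":
                last = parse_generalized_time(value)
        logins[dn] = last
    return logins

def dormant_accounts(logins, now, max_idle_days=90):
    """DNs with no recorded login, or a last login older than the cutoff."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(dn for dn, last in logins.items() if last is None or last < cutoff)

def disable_ldif(dns):
    """ldapmodify input that sets orclisenabled to DISABLED for each DN."""
    return "\n".join("dn: %s\nchangetype: modify\nreplace: orclisenabled\n"
                     "orclisenabled: DISABLED\n" % dn for dn in dns)
```

Accounts with no orcllastlogintime are treated as dormant, so run this only after tracking has been enabled long enough for active users to have bound at least once.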

Weblogic Password Decrypt script

Copy the script below into a file named PasswordDecryption.py. It runs under WLST, which is Jython 2, hence the print statements.

import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decrypt(domainHomeName, encryptedPwd):
    # The encryption service is seeded from security/SerializedSystemIni.dat under the domain home
    domainHomeAbsolutePath = os.path.abspath(domainHomeName)
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
    clear = ces.decrypt(encryptedPwd)
    print "RESULT:" + clear

try:
    if len(sys.argv) == 3:
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "INVALID ARGUMENTS"
        print " Usage: java weblogic.WLST decryptPassword.py DOMAIN_HOME ENCRYPTED_PASSWORD"
        print " Example:"
        print " java weblogic.WLST decryptPassword.py D:/Oracle/Middleware/user_projects/domains/base_domain {AES}819R5h3JUS9fAcPmF58p9Wb3syTJxFl0t8NInD/ykkE="
except:
    print "Unexpected error: ", sys.exc_info()[0]
    dumpStack()  # WLST built-in: prints the underlying Java stack trace
    raise

Usage:

./wlst.sh <PATH_OF ATTACHED FILE>  <WLDOMAIN_HOME> <EncryptedPassword>

e.g.

./wlst.sh /tmp/PasswordDecryptor.py <MIDDLEWARE_HOME>/user_projects/domains/<IDM DOMAIN>  {AES}YJKUITRFGTYUHH45YHHGGYFV879655HYU\=

Saturday, October 11, 2014

Reverting Sandbox in OIM11g


1. This requires the WebLogic admin user and password. Please open a DSO with the steps below for engineering.
2. Log in to the EM console at http://admin_server_hostname:port/em
3. On the left menu go to
Application Deployments -> oracle.iam.console.identity.self-service.ear(V2.0) (oim_cluster) -> oracle.iam.console.identity.self-service.ear(V2.0) (oim_server1)
4. On the Application Deployment page go to MDS Configuration and scroll to the end of the page.
5. At the bottom of the page, under Advanced Configuration, click Runtime MBean Browser.
6. On the next page click the Operations tab.
7. Scroll down to find and click listMetadataLabels. Ensure you click the link that takes 0 parameters.
8. On the next page click Invoke.
9. On the next page copy the text of the entry for the last successful import you want to roll back to - PostMerge_<last successful import> - and put it in a notepad. After copying, click Return on this screen.
10. On the next page click promoteMetadataLabel. Ensure you click the link that takes 1 parameter.
11. On the next page provide the value you copied in step 9 above - PostMerge_<last successful import>.
Ensure the success message appears at the top of the page.
12. Request Engineering to restart only the OIM server – oim_server1.
13. After the restart, and before importing any sandbox, log in to the identity console – https://<oim_host>/oim – and ensure the create user and modify user pages load correctly.