
Securing the Oracle Internet Directory After Installation

by Jeff Hunter, Sr. Database Administrator


Contents

  1. Overview
  2. Changing Directory Passwords
  3. Oracle Database Passwords


Overview

After installing and configuring Oracle Internet Directory (OID), the DBA should secure every privileged account that the installation creates, both in the database and in the directory, before the directory is put into service.

This article will present the steps necessary to secure all privileged accounts both in the LDAP directory and the Oracle database. For complete instructions for installing Oracle Internet Directory (Version 9.2.0), see my article entitled: "Installing Oracle Internet Directory - (Version 9.2.0)".

Changing Directory Passwords

As part of the default DIT creation, several highly privileged users are created that should be secured before putting the directory into production.

cn=orcladmin

One of the first accounts to secure is the Oracle Internet Directory Super User, cn=orcladmin. I generally use the GUI Java application, Oracle Directory Manager:

  1. Log in to Oracle Directory Manager as the Directory Super User (cn=orcladmin). The default password for this user is welcome.
  2. In the navigation tree on the left, click the entry directly below the top-level entry (Oracle Internet Directory Servers). That entry represents your current connection to the LDAP directory; in my example it is labeled "cn=orcladmin@alex:389".
  3. In the content pane on the right, click the tab named "System Passwords".
  4. In the "Super User Password" field, enter the new password and click the "Apply" button.

The same change can be made without the GUI. The super user password is stored in the directory as the orclsupassword attribute of the root DSE, so an ldapmodify bound as cn=orcladmin (with the current password) that replaces orclsupassword on the empty DN has the same effect.

Oracle Database Passwords

OID Database Schema Owner

The Oracle Internet Directory stores its data in an Oracle database and creates two database users there: ODS and ODSCOMMON. ODS is the schema owner; it holds all of the database objects (tables, views and other objects) used for OID functionality and directory storage, and its default password is ODS. The OID server processes do not log in as ODS directly (they connect as ODSCOMMON and use the ODS password to enable the ODS_SERVER role, as described below), but anyone who knows the default password owns the directory's storage. Change this password before putting the LDAP directory into production.

Using the OID Database Password Utility

The DBA can change this password with the OID Database Password Utility, oidpasswd, which is included with the OID installation. The utility prompts interactively for the current and new passwords. The following example uses it to change the database password for ODS:
# $ORACLE_HOME/bin/oidpasswd
current password: ods
    new password: new_secret_password
confirm password: new_secret_password
password set.
How oidpasswd Works

The oidpasswd utility connects as the ODSCOMMON user, enables the role ODS_SERVER with the original ODS password, and then performs the following:

  1. Changes the password for the ODS user for the OID schema database.
  2. Updates the SYSTEM.ODSINSTANCES table with the new, encrypted password for ODS.
  3. Changes the password for the ODS_SERVER role to the new password.
  4. Updates the $ORACLE_HOME/ldap/admin/oidpwdr file with the encrypted password.

NOTE: Some Oracle OID patches and scripts assume the ODS password is still the default (ODS/ODS). When a patch or script requires it, reset the password to ODS with oidpasswd for the duration of the work and change it again with oidpasswd as soon as you are done. Use oidpasswd for both changes rather than ALTER USER: only oidpasswd updates all four places listed above, whereas a direct ALTER USER changes the ODS account alone and leaves the stored copies out of step with it.

But what about ODSCOMMON?

The OID executables, such as oidctl and the oidldapd server, connect to the database as the user ODSCOMMON. The password for ODSCOMMON is ODSCOMMON, and it cannot be changed: it is hardcoded in the executables, and changing it at the database level makes them fail with ORA-01017 (invalid username/password). The account is granted only the CONNECT role. Once connected, an executable obtains the privileges it needs by enabling the role ODS_SERVER, which is protected by the ODS password; the executable reads that password from the SYSTEM.ODSINSTANCES table, where oidpasswd stores it in encrypted form. The fixed password is therefore less of a risk than it first appears, but it is not nothing: anyone who can reach the listener can authenticate as ODSCOMMON with a well-known password, and on Oracle9i the CONNECT role carries more than CREATE SESSION (it also includes privileges such as CREATE TABLE and CREATE VIEW). Check what ODSCOMMON can actually do, and restrict network access to the OID database to the hosts that run OID.
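The following SQL*Plus script is an added example, not part of the original article or of Oracle's own tooling. It verifies the two claims above from the DBA's side: that oidpasswd left the ODS account, the ODS_SERVER role and SYSTEM.ODSINSTANCES in step with one another, and what the ODSCOMMON account can do on its own before it enables ODS_SERVER. It uses only the user, role and table names from the text; the column layout of SYSTEM.ODSINSTANCES is not shown on this page, so that query selects all columns, and new_secret_password stands for whatever you gave oidpasswd.

```sql
-- Added verification script; not from the original article.
-- Run the first four queries as a DBA (SYS or SYSTEM) against the OID database.

-- 1. Both OID accounts should exist and be open.
SELECT username, account_status, default_tablespace
  FROM dba_users
 WHERE username IN ('ODS', 'ODSCOMMON');

-- 2. ODS_SERVER must be a password-protected role; oidpasswd sets its
--    password to the new ODS password.
SELECT role, password_required
  FROM dba_roles
 WHERE role = 'ODS_SERVER';

-- 3. What ODSCOMMON holds directly. On Oracle9i the CONNECT role is more
--    than CREATE SESSION, so list the system privileges behind it as well.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'ODSCOMMON';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('ODSCOMMON', 'CONNECT')
 ORDER BY grantee, privilege;

-- 4. The stored (encrypted) copy of the ODS password that the OID
--    executables read. oidpasswd rewrites this; a plain ALTER USER ODS
--    does not, which is why the two must be changed together.
SELECT *
  FROM system.odsinstances;

-- 5. Prove the role password is in sync by doing what the OID executables do:
--    connect as ODSCOMMON (fixed password) and enable ODS_SERVER with the
--    new ODS password. ORA-01979 here means the role password and the
--    password you gave oidpasswd do not match.
CONNECT odscommon/odscommon
SET ROLE ods_server IDENTIFIED BY new_secret_password;
SELECT role FROM session_roles;
```

Step 5 is the check that matters operationally: if it fails, the servers will fail the same way when they next start, so fix it with oidpasswd before restarting anything. Step 3 is the evidence behind the network-access caveat above: whatever it lists is available to anyone who can reach the listener with the well-known ODSCOMMON password.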


Copyright (c) 1998-2010 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on
Friday, 22-Mar-2002 00:00:00 EST