Thursday, June 6, 2019

LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password

Resolving LDAP Error Code 49: Password Expired for Fusion Applications

If you're managing Oracle Fusion Applications and encounter the error above in your managed server logs or during an LDAP bind operation, this post walks you through the root cause and resolution using Oracle Directory Services Manager (ODSM).

Root Cause

This error typically indicates that the LDAP user's password has expired under the defined password policy. In Oracle Fusion Applications, users like PolicyRWUser must remain active for integration and application processes to function properly.


[oracle@fahmid bin]$ ldapbind -D cn=PolicyRWUser,cn=Users,dc=oasiserp,dc=com -w password -h fahmid.domainname.com -p 389

ldap_bind: Invalid credentials
ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

[oracle@fahmid bin]$


Resolution via ODSM (Oracle Directory Services Manager)

Step 1: Log in to ODSM

  • Open Oracle Directory Services Manager (usually accessed via WebLogic or OID interface).

  • Navigate to the correct LDAP realm where the user resides (e.g., dc=oasiserp,dc=com).

Step 2: Search for the User

  • Use the Data Browser tab.

  • Expand the Users container.

  • Search for the user account (e.g., PolicyRWUser).

Step 3: Modify Password Policy or Reset Password

You have two options:

Option 1: Reset the User’s Password

  1. Go to the Attributes tab.

  2. Scroll to userPassword.

  3. Click the green plus icon to reset the password.

  4. Click Apply.

This will re-enable the account for use.

Option 2: Update the Password Policy

If the account is a service or integration account and shouldn’t expire:

  1. Navigate to the Password Policy Configuration under the domain node.

  2. Set the policy to disable password expiration or extend the duration.

  3. Apply the changes and restart the necessary services if needed.


After resetting the password or updating the policy:


[oracle@fahmid bin]$ ldapbind -D cn=PolicyRWUser,cn=Users,dc=oasiserp,dc=com -w password -h fahmid.domainname.com -p 389
bind successful
[oracle@fahmid bin]$


Conclusion

The LDAP error code 49 with GSL_PWDEXPIRED_EXCP is a common occurrence when a password policy triggers expiration. For Fusion Applications, service accounts like PolicyRWUser must always remain active. By resetting the password or adjusting the policy in ODSM, you can quickly restore functionality.

Pro Tip: Always monitor key integration accounts and consider excluding them from expiration policies if they’re used in automated processes.
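
A small triage helper for the monitoring suggested above, as an added example that is not part of the original post or of any Oracle tooling. It classifies captured ldapbind output or managed-server log text using only the strings shown in this post; the function names and the exit-code mapping are hypothetical.

```shell
#!/bin/sh
# Added example: triage of ldapbind output / managed-server log text.
# Matches only the strings shown in this post; anything else is "unknown".

# classify_bind_result TEXT -> prints one status token.
# Order matters: an expired password is also reported as
# "Invalid credentials" (code 49), so the policy text is checked first.
classify_bind_result() {
  case $1 in
    *GSL_PWDEXPIRED_EXCP*)      echo password_expired ;;
    *"Password Policy Error"*)  echo other_policy_error ;;
    *"Invalid credentials"*|*"error code 49"*) echo invalid_credentials ;;
    *"bind successful"*)        echo ok ;;
    *)                          echo unknown ;;
  esac
}

# policy_error_code TEXT -> prints the number after "Password Policy Error :"
# (empty output when the text carries no policy error).
policy_error_code() {
  printf '%s\n' "$1" |
    sed -n 's/.*Password Policy Error :\([0-9][0-9]*\):.*/\1/p' | head -n 1
}

# check_status TEXT -> monitoring-style exit code (hypothetical mapping):
# 0 = bind ok, 1 = unrecognised output, 2 = bind failed.
check_status() {
  case $(classify_bind_result "$1") in
    ok)      return 0 ;;
    unknown) return 1 ;;
    *)       return 2 ;;
  esac
}

# Constructed samples, copied from the output shown in this post.
SAMPLE_EXPIRED='ldap_bind: Invalid credentials
ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.'
SAMPLE_OK='bind successful'
SAMPLE_LOG='LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired.'

# Demo: print the classification and policy code for each sample.
for s in "$SAMPLE_EXPIRED" "$SAMPLE_OK" "$SAMPLE_LOG" 'ldap_bind: Invalid credentials'; do
  printf '%-20s policy_code=%s\n' "$(classify_bind_result "$s")" "$(policy_error_code "$s")"
done
```

Feed it the combined stdout and stderr of a scheduled ldapbind run so that an expired service account is reported as `password_expired` rather than as a generic credential failure.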