Thursday, June 3, 2010

orcladmin password expired???

Beginning with OID version 9.0.4, the default value for Password Expiry Time (pwdmaxage) is 5184000 seconds (60 days). Unless you have changed the password policies from the installation defaults, exactly 60 days after installation every password in the directory expires, administrator accounts included. Furthermore, if you keep trying to log in with the expired password, you will eventually exceed the maximum number of grace logins, and the account then becomes locked as well.

To understand why an ldapbind as the superuser cn=orcladmin still succeeds while the SSO/OIDDAS login fails, you need to know the following:

1. There are two orcladmin accounts: the superuser account, cn=orcladmin, and the REALM administrator, which is also called cn=orcladmin but lives in the realm's users container, for example cn=orcladmin,cn=users,dc=oracle,dc=com.

2. The superuser account is hard coded and is not visible in Oracle Directory Manager, nor in Oracle Directory Services Manager (ODSM) in 11g.

3. When you log in to OIDDAS, the REALM administrator account is the one being used. Since that account exists inside the realm, it is subject to the realm's password policy and expires and locks like any other user.

Solution:

Step 1. If the superuser cn=orcladmin account is locked, use the oidpasswd utility to unlock it, for example:
$ oidpasswd connect=asdb unlock_su_acct=true

This unlocks the OID superuser account cn=orcladmin ONLY. Do not confuse it with the default realm account cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy; they are two separate accounts. After unlocking the superuser account you will still not be able to log in to SSO as orcladmin until you complete all the steps in this document. Do not reset any other account passwords at this step.

Step 2. Launch the Oracle Directory Manager Console (or the ODSM for 11g).

Pre-11g:
on Unix, type oidadmin at the unix prompt
on Windows, Start->Programs->Oracle - SID->Integrated Management Tools/Oracle Internet Directory

11g:
Open a browser to the Oracle Fusion Middleware Enterprise Manager.
Select the OID instance
Click the OID dropdown list in the right frame
Select Oracle Directory Services Manager

Step 3. Log in as "cn=orcladmin" and navigate to the Password Policy Management area.
Edit each policy and change pwdmaxage (a value in seconds) to something appropriate:
5184000 = 60 days (default)
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year
999999999 = about 31.7 years (effectively never expires)

Pick the longest value your own security policy actually allows rather than disabling expiry outright; the problem being fixed here is the unannounced 60-day cliff, not expiry itself.

Note: the realm policy can differ from the root policy, so if in doubt change both the first time, then adjust the realm policy separately as desired.

Step 4. In Oracle Directory Manager (or ODSM in 11g, as described above), navigate to Entry Management and then to the Users container under your default realm (for example:
cn=orcladmin,cn=users,dc=oracle,dc=com)
Reset the userPassword attribute by entering a new value.

Once the REALM cn=orcladmin password has been reset, you should be able to log in to SSO/OIDDAS and reset or change any user passwords that have expired or are locked.

Note: in 11g there is no SSO or OIDDAS, but you can still use ODSM to reset user passwords.

Pre-11g Only
Rerun the odisrvreg utility to reset the randomly generated password of the DIP (Directory Integration Platform) server; -D is the superuser DN, -w takes its password and -p is the OID LDAP port, for example:
odisrvreg -D cn=orcladmin -w -p 3060
Already Registered...Updating DIS password...
DIS registration successful

If you are unsure of your OID port, check the $ORACLE_HOME/install/portlist.ini file, which records the ports assigned at install time.
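The GUI clicks in Step 3 and the "60 days from install" arithmetic in the introduction can both be done from a script. The following is an added example, not code from the original post or from Oracle: it builds the ldapmodify LDIF that sets pwdmaxage on both the root and the realm policy, and it reads ldapsearch output to flag accounts that are already expired or about to hit the cliff. The policy DNs are the 10g defaults as assumed here (confirm them with ldapsearch on your own instance), the expiry calculation assumes OID keeps the pwdchangedtime operational attribute on each user entry, and the ldapsearch output is a constructed sample with made-up DNs and timestamps.

```python
"""Helpers for the OID password-expiry procedure (added example; ASSUMPTIONs marked)."""
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400

# ASSUMPTION: 10g layout of the password policy entries. Confirm with something like
#   ldapsearch -p 3060 -D cn=orcladmin -w <pw> -b cn=oraclecontext "(cn=PwdPolicyEntry)" pwdmaxage
ROOT_POLICY_DN = "cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext"
REALM_POLICY_DN = "cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,dc=oracle,dc=com"

# Date of the post, used as "now" in the stand-alone run below.
POST_DATE = datetime(2010, 6, 3, 12, 0, tzinfo=timezone.utc)


def pwdmaxage_for_days(days):
    """pwdmaxage is stored in seconds; 60 days is the 5184000 OID default."""
    return days * SECONDS_PER_DAY


def pwdmaxage_ldif(policy_dns, seconds):
    """LDIF that replaces pwdmaxage on every listed policy entry (root and realm,
    matching the note in Step 3). Feed it to ldapmodify, e.g.
      ldapmodify -p 3060 -D cn=orcladmin -w <pw> -f policy.ldif"""
    entries = []
    for dn in policy_dns:
        entries.append(f"dn: {dn}\nchangetype: modify\nreplace: pwdmaxage\npwdmaxage: {seconds}\n")
    return "\n".join(entries)


def parse_generalized_time(value):
    """LDAP GeneralizedTime in UTC, e.g. 20100320120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_status(pwd_changed_time, pwdmaxage, now):
    """Return (expires_at, days_left); days_left < 0 means already expired.
    ASSUMPTION: expiry = pwdchangedtime + pwdmaxage, as in the LDAP password-policy draft."""
    expires_at = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwdmaxage)
    days_left = (expires_at - now) / timedelta(days=1)
    return expires_at, days_left


def parse_ldapsearch(output):
    """Minimal parser for ldapsearch LDIF output: {dn: {attr: value}}.
    Handles single-valued, unfolded, non-base64 attributes only, which is all
    pwdchangedtime needs; comment lines are skipped."""
    entries = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        attr, val = attr.strip().lower(), val.strip()
        if attr == "dn":
            current = entries.setdefault(val, {})
        elif current is not None:
            current[attr] = val
    return entries


def expiring_accounts(output, pwdmaxage, now, warn_days=7):
    """DNs whose password is expired or expires within warn_days, with days left (1 dp)."""
    flagged = []
    for dn, attrs in parse_ldapsearch(output).items():
        if "pwdchangedtime" not in attrs:
            continue  # entry has never had its password set, or attribute not returned
        _, days_left = expiry_status(attrs["pwdchangedtime"], pwdmaxage, now)
        if days_left <= warn_days:
            flagged.append((dn, round(days_left, 1)))
    return flagged


# Constructed sample of what
#   ldapsearch -p 3060 -D cn=orcladmin -w <pw> -b cn=users,dc=oracle,dc=com \
#       -s one "(objectclass=person)" pwdchangedtime
# might return; DNs and timestamps are made up for this example.
SAMPLE_OUTPUT = """\
dn: cn=orcladmin,cn=users,dc=oracle,dc=com
pwdchangedtime: 20100320120000Z

dn: cn=jsmith,cn=users,dc=oracle,dc=com
pwdchangedtime: 20100408120000Z

dn: cn=svc_dip,cn=users,dc=oracle,dc=com
"""

if __name__ == "__main__":
    print(pwdmaxage_ldif([ROOT_POLICY_DN, REALM_POLICY_DN], pwdmaxage_for_days(90)))
    for dn, days in expiring_accounts(SAMPLE_OUTPUT, pwdmaxage_for_days(60), POST_DATE):
        state = "EXPIRED" if days < 0 else "expires in"
        print(f"{dn}: {state} {abs(days)} days")
```

Run it before the 60-day mark with the real ldapsearch output piped in and you get the list of accounts to reset in Step 4 instead of discovering the lockout when the realm orcladmin stops working.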

The above information has been collected from metalink.oracle.com.
