IBM Support

Resetting a forgotten itim manager password

Question & Answer


Question

How can I log in to ITIM after the itim manager password has been lost?

Answer

The "itim manager" password has been forgotten, and there are no other Administrator accounts available to log in to ITIM. There are a few ways to resolve this:

1. If Challenge/Response has been set up, then you can reset the password from the ITIM login page by filling in the userid field with "itim manager", and clicking the "Forgot your password?" link. After answering the questions correctly, you will be able to log in. This link is not available if Challenge/Response has not been configured.

2. If there is another ISIM account that you do have the password for, then you can work with the LDAP objects to copy the password value from that account to the "itim manager" account, which will then have a known password. Please contact IBM Support if you need assistance with this.

3. If this is a brand new install, then another option is to run ldapConfig again to reset the "itim manager" password back to "secret". Because this will update other default objects as well, it should not be used on a system already in production, nor even on an upgrade.

*** Note: The following method does NOT apply to ISIM 6.x and higher ***

4. If you have administrator access to LDAP, you can remove the password attribute from the "itim manager" account. This will allow you to log in to ITIM with an empty password, after which you can reset it to a known value. To remove the password attribute, create a file with the following contents:


dn: eruid=ITIM Manager,ou=systemUser,ou=itim,ou=ibm,dc=com
changetype: modify
delete: erpassword

The last two parts of the DN will be different at each site. They correspond to the following lines in the enRole.properties file:
enrole.defaulttenant.id=ibm
enrole.ldapserver.root=dc=com

Then run the following command:
ldapmodify -D <admin_id> -w <admin_password> -h <ldap_host> -p <port> -f <path to the ldif file created above>

For example:
ldapmodify -D cn=root -w password -h localhost -p 389 -f reset.ldif

Be sure to use the correct connection values for your environment. All of this information is available in the enRoleLDAPConnection.properties file, though the admin password may be encrypted depending on your configuration. You can use $ITIM_HOME/bin/runConfig to temporarily decrypt the passwords if necessary. On the Security tab, uncheck the "Encrypt Passwords" checkbox, then click Apply. Enable the checkbox again after you have recovered the LDAP admin password.
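
The site-specific DN in step 4 can be derived from enRole.properties instead of being typed by hand. The script below is an added example, not IBM code; the function names prop_value and build_reset_ldif and the sample values (acme, dc=example,dc=org) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not IBM code): derive the step-4 LDIF from enRole.properties.

# prop_value FILE KEY: print KEY's value. Splits on the first '=' only, because
# the value itself may contain '=' (dc=com). Tolerates CRLF and padding.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                     # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)
            i = index(line, "=")
            if (i == 0) next
            k = substr(line, 1, i - 1)
            v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                  # last definition wins
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# build_reset_ldif FILE: write the LDIF to stdout, or fail if a key is missing.
build_reset_ldif() {
    tenant=$(prop_value "$1" enrole.defaulttenant.id) ||
        { echo "enrole.defaulttenant.id not found in $1" >&2; return 1; }
    root=$(prop_value "$1" enrole.ldapserver.root) ||
        { echo "enrole.ldapserver.root not found in $1" >&2; return 1; }
    printf 'dn: eruid=ITIM Manager,ou=systemUser,ou=itim,ou=%s,%s\n' "$tenant" "$root"
    printf 'changetype: modify\ndelete: erpassword\n'
}

# Constructed sample input, not a real site's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
enrole.defaulttenant.id=acme
enrole.ldapserver.root=dc=example,dc=org
EOF
build_reset_ldif "$sample"
rm -f "$sample"
```

Redirect the output to a file and review the dn: line before passing the file to ldapmodify with -f.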


Product Synonym

itim tim enrole isim sim

Document Information

Modified date:
16 June 2018

UID

swg21420914