RE: Password management using profiles
Yup..we just added the functionalty to the verify_password functionwala. Brian S. -Original Message- [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 5:59 PM To: Multiple recipients of list ORACLE-L You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password
Re: Password management using profiles
On 01/21/2004 02:54:25 PM, Spears, Brian wrote: Yup..we just added the functionalty to the verify_password functionwala. Brian S. Brian, are you related to the young lady named Britney and whose marriage was shorter then the average transaction on my database? She happens to have the same last name as you. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password management using profiles
Thanks for your reponses. We're working on make these changes now. Ana E. Choto American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Spears, Brian [EMAIL PROTECTED] rands.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/21/2004 02:54 RE: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com Yup..we just added the functionalty to the verify_password functionwala. Brian S. -Original Message- [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 5:59 PM To: Multiple recipients of list ORACLE-L You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site
Re: Password management using profiles
On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password policies as soon as possible, but upper management doesn't want me to do it until we can display the information regarding password status. Users may be at a loss if they just see the login screen resetting without knowing why, and our Help Desk would be inundated with calls. So, let me make things straight: the problem is happening only when they attempt to access the database through the web? What authorization mechanism are you using on the web? JSP? ASP? CGI? EJB? The part that performs user authentication should be cabable of detecting the error, just like SQL*Plus is. Oracle support is probably right. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password management using profiles
We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.comTo Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password policies as soon as possible, but upper management doesn't want me to do it until we can display the information regarding password status. Users may be at a loss if they just see the login screen resetting without knowing why, and our Help Desk would be inundated with calls. So, let me make things straight: the problem is happening only when they attempt to access the database through the web? What authorization mechanism are you using on the web? JSP? ASP? CGI? EJB? The part that performs user authentication should be cabable of detecting the error, just like SQL*Plus is. Oracle support is probably right. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California--
Re: Password management using profiles
You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.comTo Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web
