We're using pl/sql gateway and the Apache server. We've set up a default
DAD on the gateway configuration screen, the connect string is our server
name. Basic authentication, Package/Session Management Type:
Stateless(Reset Package State).
I've tried the profile by setting up a test user and expiring the account.
If I go to sqlplus and log in with the expired user account sqlplus prompts
me for a new password. I don't have a problem with that, but you know how
users are, they wouldn't figure out why. And management wants users to
receive a message telling them why they have to change their passwords
without going through the Help Desk.
My guess is that a pl/sql package has to be written so users get their
password check at login time and receive messages such as the number of
days they have before the password expires, or that the password is
actually expired.
Thanks
Ana E. Choto
Systems Programmer
American University
e-Operations - Information Technology
Phone (202) 885-2275
Fax (202) 885-2224
Mladen Gogala
<[EMAIL PROTECTED]
ng.com> To
Sent by: Multiple recipients of list
[EMAIL PROTECTED] ORACLE-L <[EMAIL PROTECTED]>
.com cc
Subject
01/20/2004 03:24 Re: Password management using
PM profiles
Please respond to
[EMAIL PROTECTED]
com
On 01/20/2004 02:34:45 PM, Ana Choto wrote:
>
>
>
>
> I have set up a profile where the passwords expire in 30 days, 6
> characters
> minimum, grace period before the account locks to 6 days. It works
> as
> expected when the user logs in to our web site and tries to change
> the
> password. Users receive error messages whenever their password
> doesn't
> comply with the rules we have set up in the profile. We use the
> verify_function.
>
> The only problem I have is that when the users go to our web site
> they
> are
> presented with a login screen. If their account is locked or
> expired,
> or
> it is within the grace period before the account expires they don't
> receive
> a message to that account. If the account is expired the login
> screen
> resets and prompts for user id and password over and over.
>
> I have opened a TAR wit Oracle support, but they don't have an answer
> to
> that effect. They say it is an application issue. I've researched
> everywhere I could think of and everything I have found is the same,
> use
> profiles and the verify_function function. I've also read the
> documentation regarding password management, but I couldn't find
> anything
> of help.
>
> Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS
> release
> 1. We have created a DAD to connect to the database. When users
> click on
> our link then they see the login screen, just the same way as
> Metalink's.
> Only if they sign on successfully and try to change the password the
> profile works as a charm.
>
> I guess we need something that checks for the password status once
> the
> user
> enters id and password in the login screen.
>
> I'd appreciate any help in finding documents or web sites I can visit
> to
> find a solution to this problem. We'd like to enforce our password
> policies as soon as possible, but upper management doesn't want me to
> do it
> until we can display the information regarding password status.
> Users
> may
> be at a loss if they just see the login screen resetting without
> knowing
> why, and our Help Desk would be inundated with calls.
>
So, let me make things straight: the problem is happening only
when they attempt to access the database through the web?
What authorization mechanism are you using on the web? JSP? ASP?
CGI? EJB? The part that performs user authentication should be
cabable of detecting the error, just like SQL*Plus is. Oracle
support is probably right.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Mladen Gogala
INET: [EMAIL PROTECTED]
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Ana Choto
INET: [EMAIL PROTECTED]
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
