Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Password management using profiles

Re: Password management using profiles

From: Mladen Gogala <>
Date: Tue, 20 Jan 2004 12:24:26 -0800
Message-ID: <>

On 01/20/2004 02:34:45 PM, Ana Choto wrote:
> I have set up a profile where the passwords expire in 30 days, 6
> characters
> minimum, grace period before the account locks to 6 days. It works
> as
> expected when the user logs in to our web site and tries to change
> the
> password. Users receive error messages whenever their password
> doesn't
> comply with the rules we have set up in the profile. We use the
> verify_function.
> The only problem I have is that when the users go to our web site
> they
> are
> presented with a login screen. If their account is locked or
> expired,
> or
> it is within the grace period before the account expires they don't
> receive
> a message to that account. If the account is expired the login
> screen
> resets and prompts for user id and password over and over.
> I have opened a TAR wit Oracle support, but they don't have an answer
> to
> that effect. They say it is an application issue. I've researched
> everywhere I could think of and everything I have found is the same,
> use
> profiles and the verify_function function. I've also read the
> documentation regarding password management, but I couldn't find
> anything
> of help.
> Our database is, and we're in Unix 5.8. We're using 9iAS
> release
> 1. We have created a DAD to connect to the database. When users
> click on
> our link then they see the login screen, just the same way as
> Metalink's.
> Only if they sign on successfully and try to change the password the
> profile works as a charm.
> I guess we need something that checks for the password status once
> the
> user
> enters id and password in the login screen.
> I'd appreciate any help in finding documents or web sites I can visit
> to
> find a solution to this problem. We'd like to enforce our password
> policies as soon as possible, but upper management doesn't want me to
> do it
> until we can display the information regarding password status.
> Users
> may
> be at a loss if they just see the login screen resetting without
> knowing
> why, and our Help Desk would be inundated with calls.

So, let me make things straight: the problem is happening only when they attempt to access the database through the web? What authorization mechanism are you using on the web? JSP? ASP? CGI? EJB? The part that performs user authentication should be cabable of detecting the error, just like SQL*Plus is. Oracle support is probably right.

Please see the official ORACLE-L FAQ:
Author: Mladen Gogala

Fat City Network Services    -- 858-538-5051
San Diego, California        -- Mailing list and web hosting services
To REMOVE yourself from this mailing list, send an E-Mail message
to: (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Tue Jan 20 2004 - 14:24:26 CST

Original text of this message