{"id":6318,"date":"2020-04-23T11:12:27","date_gmt":"2020-04-23T16:12:27","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=6318"},"modified":"2020-04-23T11:12:27","modified_gmt":"2020-04-23T16:12:27","slug":"oracle-password-expiry-sandbox-server","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=6318","title":{"rendered":"Oracle Password Expiry &#8211; Sandbox Server"},"content":{"rendered":"<p>Oracle 11g seems to ship with password expiry enabled &#8212; which is a very good thing for production systems. I&#8217;ve even written some code to maintain our system account password (scripts are grabbing the password from a not-clear-text storage facility anyway, so it wasn&#8217;t a big deal to add an n-1 password and move the current stashed password into the n-1 column, change the account password, and stash the updated password in the current password location &#8230; now my system ID password is updated by a monthly cron job, no one actually <em>knows<\/em> the password {although anyone could find it, so I would run the password cycle script when individuals leave the group}). But I&#8217;m a lot lazier about this stuff in my sandbox. Proof of concept code has clear text passwords. But the server is bound to localhost &amp; there&#8217;s no real data in, well, anything.<\/p>\n<p>I started seeing lines in my error log indicating the password would expire. Aaaand that&#8217;s how I learned that password expiry was enabled by default now.<\/p>\n<p>[Sat Apr 18 07:42:59 2020] [error] [client 127.0.0.1] PHP Warning: oci_connect(): OCI_SUCCESS_WITH_INFO: ORA-28002: the password will expire within 7 days in \/var\/www\/vhtml\/&#8230;\/file.php on line 191, referer: &#8230;<\/p>\n<p>I&#8217;m going to disable password expiry because it&#8217;s a sandbox. For a real system, obviously, this may not be a stellar idea.<\/p>\n<pre class=\"lang-sql prettyprint prettyprinted\"><code><span class=\"kwd\">select USERNAME, ACCOUNT_STATUS, PROFILE from dba_users where USERNAME = 'SampleUser'<\/span><span class=\"pun\">;<\/span><\/code><\/pre>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<th>USERNAME<\/th>\n<th>ACCOUNT_STATUS<\/th>\n<th>PROFILE<\/th>\n<\/tr>\n<tr>\n<td>SampleUser<\/td>\n<td>EXPIRED(GRACE)<\/td>\n<td>DEFAULT<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Note the account status &#8220;EXPIRED(GRACE)&#8221; &#8212; that&#8217;s why I am getting the error shown above. Grab the profile name &#8212; it&#8217;s a sandbox, so 99% sure it&#8217;s going to be &#8216;DEFAULT&#8217; and alter that profile with an unlimited password expiration:<\/p>\n<pre class=\"lang-sql prettyprint prettyprinted\"><code><span class=\"kwd\">alter<\/span><span class=\"pln\"> profile <\/span><span class=\"pun\">&lt;<\/span><span class=\"pln\">profile_name<\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> limit password_life_time UNLIMITED<\/span><span class=\"pun\">;<\/span><\/code><\/pre>\n<p>Except that didn&#8217;t actually stop the error. Turns out you&#8217;ve still got to change the password once the account has been flagged as expired (or let the password expire and then unlock the account &#8230; but I was looking at the log because I&#8217;m debugging something, and I wanted the error to stop *right now*).<\/p>\n<pre>alter user SampleUser identified by N3W_P@s5_w0rD;<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oracle 11g seems to ship with password expiry enabled &#8212; which is a very good thing for production systems. I&#8217;ve even written some code to maintain our system account password (scripts are grabbing the password from a not-clear-text storage facility anyway, so it wasn&#8217;t a big deal to add an n-1 password and move the &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[953,595,954,69],"class_list":["post-6318","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-database","tag-oracle","tag-password-expiry","tag-security"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6318"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6318\/revisions"}],"predecessor-version":[{"id":6319,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6318\/revisions\/6319"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}