I was looking into oracle database 11gR2 to verify the users who's days to expire comes to below 7 days and i have noticed few of the users expiry date are today but their account status is in open instead of Expired(Grace) and some users which passed the expiry date but still in open status.
USERNAME ACCOUNT_STATUS EXPIRY_DA PROFILE
------------------------------ -------------------------------- --------- ------------------------------
SYSTEM OPEN 27-JAN-16 DEFAULT
SYS OPEN 28-DEC-14 DEFAULT
ERERD OPEN 18-JAN-16 DEFAULT
ERFWSE OPEN 04-DEC-14 DEFAULT
SERFW OPEN 03-AUG-15 DEFAULT
DERSZFERSS OPEN 04-DEC-14 DEFAULT
My query is not helping in this case to find the users whose account will be expired. Can anyone help me with modifing the query such a way that it will only list out the users and their accounts genuinely will expiry by number of days?
select username, account_status, trunc(expiry_date-sysdate) days_to_expire
from dba_users
where expiry_date is not null and trunc(expiry_date-sysdate) >= 0;
Update
SQL> select * from dba_profiles where profile = 'DEFAULT' and resource_name = 'PASSWORD_LIFE_TIME';
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT PASSWORD_LIFE_TIME PASSWORD 180
Your query is allright.
Password expiration date and account status are different things.
You can have an expired password user that will stay in open status while you try to connect to it.
If you have permission to change password you can then set a new password,
otherwise the user will be locked.
This means that if you're connecting with an application and the application doesn't check password expiration date the user will be locked
and if there isn't a connection the user will stay open.
There is no process that goes through accounts to reset their status vis a vis expiry date. The next time the user logs in the status will be updated accordingly
~~~H Otati
Related
I'm working on a website where a user is only allowed to have a single signed-in session. If a user attempts to authenticate to the website from more than one location the prior session is logged out.
The session information for a given user will be stored in Redis.
My current implementation uses two Redis databases. The first database stores session ID as the key and username as the value. The second database stores the username as the key and some other information including session ID as the value.
When a user logs in, the second Redis database is queried to find an existing session ID. If found, the old session is deleted, this would essentially force the user's old session to log out. After the old session is removed, we create another session in the first database and update the value of the session ID in the second database using the username as the key.
Here is a demonstration of this behavior using the "redis-cli":
redis-cli
select 2
get username
The website gets the session ID of the previous session and then generates a new session ID...
redis-cli
select 1
del old_session_id
set new_session_id username
select 2
set username new_session_id
This works, but I want to optimize it. In this solution, the website would query Redis twice because we have to get the old session id and delete it.
My question is: Can we combine the two queries?
My challenge is how to read the command get username result and automatically run del old_session_id against the Redis database.
Can anybody help me?
According to the SET documentation, you can add the GET option to write a key and get its old value. I would use this on database 2 first. If it returns an old session id, you can use RENAME to change the key name. If it doesn't return an old session id, you can just use another SET.
You should be able to get your setup to work with something like this:
redis-cli
select 2
set username new_session_id get
If that command returns a value, run this:
redis-cli
select 1
rename old_session_id new_session_id
If it does not return a value, run this:
redis-cli
select 1
set new_session_id username
I have an oracle DB user in DBA_USERS table whose password is expiring in some future date.
I want to change the Profile of the user to the one which has non-expiring password.
If I Alter the profile of the user to the non expiring one, does the expiry date which was there in the DBA_USERS table for this user previously before altering the profile have any effect ?
Should i update the value in the expiry date column in DBA_USERS also to null.
Whenever password expiration date is created in the oracle for any user, it will not changed if you change the profile of the user.
Password expiration date is updated when you change the password of the user and new password expiration date is set according to the profile assigned to the user.
So you must have to perform following steps in order.
Assign the profile with non expiring password to the user.
Change the password of the user.(same or different password according to your requirement)
Then next password expiration date is changed according to new profile and that will be null/non expiring/unlimited
I have created the following query to check the status on the PASSWORD_LIFE_TIME field from dba_profiles table.
How I ensured that the password never expires was to do this. Is the alter profile query correct?
ALTER PROFILE my_profile LIMIT PASSWORD_LIFE_TIME UNLIMITED;
select du.USERNAME,du.profile, dp.LIMIT
from dba_users du
left outer join dba_profiles dp on dp.PROFILE = du.PROFILE
where du.USERNAME = 'SYSTEM' and resource_name LIKE 'PASSWORD_LIFE_TIME';
The alter profile query is correct. The password for the profile my_profile never expires due to password life time. You need to assign the profile my_profile to the user system with alter user system profile my_profile;
I am using Oracle SQL Developer and I run into the ORA-28000 error and my account got blocked, but I resolved it from SQL plus by using the following commands:
SQL> alter user user1 account unlock;
SQL> grant connect, resource to user1;
The thing is that I want to prevent this from happening again. Where can I see the threshold of the failed login attempts that exists so that I would either raise it or delete it completely?
In the sql developer, menu in the Users option, you can edit the user and edit the amount of attempts, if the password expires, etc. However I can only log in with the system user, sys could not connect.
FAILED_LOGIN_ATTEMPTS and similar are properties of the profile associated with your user. You can check the settings with this query:
select u.profile
, p.resource_name
, p.limit
from dba_users u
join dba_profiles p
on u.profile = p.profile
where p.resource_type = 'PASSWORD';
These limits are set for the profile: you can change them but the new limits will cascade to all users with this profile:
alter profile whatever limit FAILED_LOGIN_ATTEMPTS 12;
Alternatively you can modify the user so it has a more forgiving profile:
alter user joesoap profile default;
This question already has answers here:
How do I turn off Oracle password expiration?
(6 answers)
Closed 9 years ago.
There is some construction
ALTER USER scott PASSWORD EXPIRE
But how can I similair set password to unexpired state?
The following statement causes a user's password to expire:
ALTER USER user PASSWORD EXPIRE;
If you cause a database user's password to expire with PASSWORD EXPIRE, then the user (or the DBA) must change the password before attempting to log in to the database following the expiration. Tools such as SQL*Plus allow the user to change the password on the first attempted login following the expiration.
ALTER USER scott IDENTIFIED BY password;
Will set/reset the users password.
See the alter user doc for more info
If you create a user using a profile like this:
CREATE PROFILE my_profile LIMIT
PASSWORD_LIFE_TIME 30;
ALTER USER scott PROFILE my_profile;
then you can change the password lifetime like this:
ALTER PROFILE my_profile LIMIT
PASSWORD_LIFE_TIME UNLIMITED;
I hope that helps.
While applying the new profile to the user,you should also check for resource limits are "turned on" for the database as a whole i.e.RESOURCE_LIMIT = TRUE
Let check the parameter value.
If in Case it is :
SQL> show parameter resource_limit
NAME TYPE VALUE
------------------------------------ ----------- ---------
resource_limit boolean FALSE
Its mean resource limit is off,we ist have to enable it.
Use the ALTER SYSTEM statement to turn on resource limits.
SQL> ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
System altered.