c# - Oracle password expiry and grace period handling using C# client

Question

I have a c# client and I am using oracle 10g database.

My query is:

1. Is the expiry grace period over and above exiry date?
2. When the user is in grace period can the user change his/her password using query ALTER USER XYZ IDENTIFIED BY SOMEPWD or he still need to contact DBA.
3. How can I handle oracle warning ORA-28002(when the user is in grace period) in c# client. does it at all gets transmitted to c# client. Would it still be handled as exception (try-catch).
4. When the password has already expired, is it that only DBA can change your password.
5. does the account gets locked also when expiry date has exceeded beyond grace period.

Please note I am not sys dba so I cannot access dba_users or dba_profiles.

Thanks in advance.

Answer 1

Finally I have found solution to my problem. Here are the points for everyones information:

1) Is the expiry grace period over and above exiry date?

Answer: Yes its over and above.

2) When the user is in grace period can the user change his/her password using query "ALTER USER XYZ IDENTIFIED BY SOMEPWD" or he still need to contact DBA.

Answer: No user cannot run this query because it would first require to be connected to database. With expired password you cannot connect.

3) How can I handle oracle warning ORA-28002(when the user is in grace period) in c# client. does it at all gets transmitted to c# client. Would it still be handled as exception (try-catch).

Answer: ORA-28002 error can be handled in c# client as OracleClientInfoMessage. Here is the sample code.

try
{
    OracleConnection conn = new OracleConnection("User ID=" + uid + ";Password=" + pwd + ";SERVER=" + server);
    conn.InfoMessage += new OracleInfoMessageEventHandler(GetOracleWarningInfoMessage);        
    conn.Open();
    return ConnectionStatus.OK;
}
catch (System.Data.OracleClient.OracleException ex)
{
    Logger.Error(ex);
    switch (ex.Code)
    {
        case 1005: //null password given
            errmsg = "Invalid password";
            return ConnectionStatus.InvalidUserPwd;
        case 1017: //invalid username/password
            errmsg = "Invalid username/password";
            return ConnectionStatus.InvalidUserPwd;
        case 1040: //invalid character in password
            errmsg = "Invalid password";
            return ConnectionStatus.InvalidUserPwd;
        case 28000://account locked
            errmsg = "Account locked. Contact DBA or wait for PASSWORD_LOCK_TIME";
            return ConnectionStatus.Locked;
        case 28001://password expired                       
            errmsg = "Password expired. Contact DBA";
            return ConnectionStatus.Expired;
        default:
            errmsg = ex.Message;
            return ConnectionStatus.Failed;
    }
}

4) When the password has already expired, is it that only DBA can change your password.

Answer: The user can change the password himself. If you are using SQLPlus or ODP.net driver you will get a prompt. However if you are using OracleClient (Microsoft) driver you will not be able to since it lacks the OpenWithNewPassword function(which allows to change password before established connection). Probably becuase of non co-operation movement between Mircosoft and Oracle. OpenWithNewPassword support is only available in Driver ODP(OracleDataProvider) and native OCL. For details refer to link : MSDN or Oracle.

5) does the account gets locked also when expiry date has exceeded beyond grace period.

Answer: No it gets Expired not Locked.

Answer 2

Yes the grace period is above the expiry date and if i am not mistaken this is how it happens, you have expiry period of 30 days and a grace of 5. Now post the 30 day period the user has expired and now you enter into the grace period which is significant from the first login made after the 30 day limit. Now in these 5 days you have the option to change your password.

Oracle implicitly allows a user to change its own password, so you could change it within the grace period else you will need a different user which has the privileges to change the password of another user.

If you have exceeded even the grace period the account gets locked and will get unlocked on a password change.

Answer 3

Regarding point 3: It has been our experience that ODP.Net does not throw an exception nor trigger the OracleInfoMessageEventHandler when ORA-28002 occurs. Google searches only show that this is a bug in ODP, but no reference to it being fixed.

Here is our workaround... We created a stored function that looks at DBA_USERS to determine the expiry date of a given user's password. This function is created to run in the authorization context of the creator (which has privs to see this DBA view).

create or replace function GetExpDate(vUser in varchar2) return DATE
AUTHID DEFINER
as
expDate date;
begin
   select nvl(expiry_date, sysdate+100) 
   into expDate 
   from dba_users
   where username = vUser;

   return expDate;

exception
when others then
   return sysdate+100;
end; 

After the user logins in successfully, we check this function to see if they are close to expiration and if so prompt for them to change their password.