RE: Automatic Password Reset

  • From: "Sheehan, Jeremy" <JEREMY.SHEEHAN@xxxxxxxxxxxxxxxxx>
  • To: "post.ethan@xxxxxxxxx" <post.ethan@xxxxxxxxx>, oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 16 Sep 2015 15:25:17 +0000

I created a procedure a while back that did this, but we granted access to a
few support users. They were more familiar with the user base and spoke their
language (the DBAs just got frustrated). There were 1500+ users in the
database and resetting passwords was almost a full-time job. I used invoker
rights in the procedure and granted the privs necessary to the 2-3 support
users that were able to execute the procedure. That restricted use to the
couple of users and the DBAs.

Thanks,

Jeremy

From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Ethan Post
Sent: Wednesday, September 16, 2015 10:26 AM
To: oracle-l
Subject: Automatic Password Reset


Anyone out there have an automatic way for users to have their account unlocked
and passwords reset?
My thoughts are to use a generic account, something like "PWD_RESET", which can
call a procedure which will do something like the following:

# Assume there is already a table with user/email reference...
# User logs into pwd_reset account.
# User runs exec password_reset('MYUSER_NAME');
# Email with "pin" is sent to email on file.
# User runs exec password_pin(PIN); this returns the temporary pwd.
# User logs in with temporary pass
Of course the account reset, emails and stuff all happen in background. Whole
thing will be disabled if pin is wrong more than N times in a row in case of
some sort of guess attack. Will watch for any type of SQL injection
possibilities. Everything is logged and admins are emailed about the reset.
PWD_RESET account will only have access to the stated procedures.

Anyone doing anything like this? Anyone see any obvious security holes in this
approach? I have the APIs in place to make this pretty easy to implement from
a coding standpoint.
Thanks,
Ethan Post
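
The flow sketched above, written out as an added example (not code from the thread or from anyone's production system): a definer's-rights PL/SQL package, assuming Oracle 12c for DBMS_CRYPTO.HASH_SH256, a constructed user_email_ref(username, email) table as the user/email reference, and a constructed pwd_reset_req(username, pin_hash RAW(32), expires DATE, bad_tries NUMBER) table for pending requests. PWD_RESET gets EXECUTE on the package only; the package owner holds ALTER USER as a direct grant, and password_pin takes the username as well so the PIN can be matched to its request.

```sql
CREATE OR REPLACE PACKAGE pwd_reset_pkg AUTHID DEFINER AS  -- owner holds ALTER USER
  PROCEDURE password_reset(p_user IN VARCHAR2);
  FUNCTION  password_pin(p_user IN VARCHAR2, p_pin IN VARCHAR2) RETURN VARCHAR2;
END pwd_reset_pkg;
/
CREATE OR REPLACE PACKAGE BODY pwd_reset_pkg AS
  c_max_tries CONSTANT PLS_INTEGER := 5;  -- the "N" wrong PINs that disable a request
  FUNCTION pin_hash(p_user VARCHAR2, p_pin VARCHAR2) RETURN RAW IS  -- only the hash is stored
  BEGIN
    RETURN DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(UPPER(p_user) || ':' || p_pin),
                            DBMS_CRYPTO.HASH_SH256);
  END;
  PROCEDURE password_reset(p_user IN VARCHAR2) IS
    v_user  VARCHAR2(128) := DBMS_ASSERT.SIMPLE_SQL_NAME(p_user); -- rejects ';' and quotes
    v_email VARCHAR2(256);
    v_pin   VARCHAR2(8) := LPAD(MOD(ABS(DBMS_CRYPTO.RANDOMINTEGER), 100000000), 8, '0');
  BEGIN
    SELECT email INTO v_email FROM user_email_ref WHERE username = UPPER(v_user);
    DELETE FROM pwd_reset_req WHERE username = UPPER(v_user);  -- one open request per user
    INSERT INTO pwd_reset_req (username, pin_hash, expires, bad_tries)
      VALUES (UPPER(v_user), pin_hash(v_user, v_pin), SYSDATE + 15/1440, 0);  -- 15 min
    COMMIT;
    UTL_MAIL.SEND(sender => 'dba@example.com', recipients => v_email,
                  subject => 'Password reset PIN', message => 'PIN: ' || v_pin);  -- never returned to caller
  END;
  FUNCTION password_pin(p_user IN VARCHAR2, p_pin IN VARCHAR2) RETURN VARCHAR2 IS
    v_user VARCHAR2(128) := DBMS_ASSERT.SIMPLE_SQL_NAME(p_user);
    v_req  pwd_reset_req%ROWTYPE;
    v_tmp  VARCHAR2(30);
  BEGIN
    SELECT * INTO v_req FROM pwd_reset_req WHERE username = UPPER(v_user) FOR UPDATE;
    IF v_req.bad_tries >= c_max_tries OR v_req.expires < SYSDATE THEN
      RAISE_APPLICATION_ERROR(-20001, 'Reset disabled for this account; contact a DBA');
    END IF;
    IF v_req.pin_hash <> pin_hash(v_user, p_pin) THEN  -- count the miss, then refuse
      UPDATE pwd_reset_req SET bad_tries = bad_tries + 1 WHERE username = UPPER(v_user);
      COMMIT;
      RAISE_APPLICATION_ERROR(-20002, 'Wrong PIN');
    END IF;
    v_tmp := 'T' || RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(6)) || '#a';  -- one-time password
    -- ENQUOTE_NAME double-quotes the value and rejects embedded quotes: no SQL injection
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, TRUE)
      || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(v_tmp, FALSE)
      || ' ACCOUNT UNLOCK PASSWORD EXPIRE';  -- forces a real password at first login
    DELETE FROM pwd_reset_req WHERE username = UPPER(v_user);
    COMMIT;
    RETURN v_tmp;
  END;
END pwd_reset_pkg;
/
```

Logging of each call and the e-mail to the admins mentioned in the post are left out of the block for length; an AUDIT policy on the package or an autonomous-transaction insert into a log table at the top of each routine covers both.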
