Monday 17 January 2011

Solution of ORA-28002: the password will expire within 5 days

Error Description:
-----------------------------------
Whenever a user try to connect to database it raise ORA-28002: error.

-bash-3.00$ sqlplus Hemesh/a

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Jul 7 23:58:46 2008

Copyright (c) 1982, 2005, Oracle. All rights reserved.

ERROR:
ORA-28002: the password will expire within 10 days


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

Cause of The Problem:
-----------------------------------
Lets know the user profile.
SQL> select profile from dba_users where username='HEMESH';

PROFILE
------------------------------
DEFAULT

Now lets know the resource settings 'PASSWORD_GRACE_TIME','PASSWORD_LIFE_TIME' of default profile.

SQL> select LIMIT, RESOURCE_NAME from dba_profiles where RESOURCE_NAME in ('PASSWORD_GRACE_TIME','PASSWORD_LIFE_TIME','PASSWORD_REUSE_MAX','PASSWORD_REUSE_TIME') and PROFILE=(select profile from dba_users where username='HEMESH');

LIMIT RESOURCE_NAME
---------------------------------------- --------------------------------
60 PASSWORD_LIFE_TIME
1800 PASSWORD_REUSE_TIME
UNLIMITED PASSWORD_REUSE_MAX
10 PASSWORD_GRACE_TIME

The resource PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX must be set in conjunction with each other. PASSWORD_REUSE_TIME specifies the number of days before which a password cannot be reused. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused.

In this case our interested resource is PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME.

The resource of Default profile PASSWORD_LIFE_TIME specify the number of days the same password can be used for authentication.

The resource PASSWORD_GRACE_TIME specify the number of days after the grace period begins during which a warning is issued and login is allowed. If the password is not changed during the grace period, the password expires.

Here in the profile of HEMESH user the value of PASSWORD_GRACE_TIME is set to 10. So it just arises a warning ORA-28002 but still allow users to logon to database. The password will expire if it is not changed within the grace period, and further connections are rejected. If you do not set a value for PASSWORD_GRACE_TIME, its default of UNLIMITED will cause the database to issue a warning but let the user continue to connect indefinitely.

One may interpret wrongly of parameter PASSWORD_LIFE_TIME with account creation time. Actually the PASSWORD_LIFE_TIME limit of a profile is measured from the last time an account's password was changed or the account creation time if the password has never been changed.

The account creation time and password change time can be seen from USER$.CTIME and USER$.PTIME respectively. Like,
SQL> select ctime, ptime from sys.user$ where name='HEMESH';

CTIME PTIME
--------- ---------
08-MAY-08 08-MAY-08

You can also get the account creation time from dba_users view.
SQL> SELECT CREATED FROM DBA_USERS WHERE USERNAME = 'HEMESH';

CREATED
---------
08-MAY-08

Now let's look current time which is 08-JUL-08
SQL> select sysdate from dual;

SYSDATE
---------
08-JUL-08

So between the password change time and current time there it is passed 60 which is equal to PASSWORD_LIFE_TIME. Now the setting of PASSWORD_GRACE_TIME to 10 allow the user HEMESH to connect to database 10 days more but will issue a warning.

Solution of The Problem:
--------------------------------------
A)Change the user password.
------------------------------------
If you just want to avoid the error temporary then change the user password.
SQL> conn Hemesh/a
ERROR:
ORA-28002: the password will expire within 10 days
SQL> password
Changing password for HEMESH
Old password:
New password:
Retype new password:
Password changed
SQL> conn Hemesh/a!12
Connected.

Now you can see the change time by .
SQL> select ctime, ptime from sys.user$ where name='HEMESH';

CTIME PTIME
--------- ---------
08-MAY-08 08-JUL-08

This is a temporary solution. After 60 days the user will again see the warning message.

B)Change PASSWORD_LIFE_TIME resource of profile assigned to user.
----------------------------------------------------------------------------------------

The permanent solution is to change PASSWORD_LIFE_TIME resource of profile DEFAULT which is assigned to user HEMESH.

SQL> select profile from dba_users where username='HEMESH';

PROFILE
------------------------------
DEFAULT
If you make it unlimited then user never will see above error. Like,
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

Profile altered.

SQL > select * from dba_users where username='HEMESH';

ACCOUNT_STATUS = Expired(GRACED)

SQL> ALTER USER HEMESHidentified by newpassworld;

user altered.

SQL > select * from dba_users where username='HEMESH';

ACCOUNT_STATUS = OPEN


******************* Open an Expired Account***********************************


SQL> select account_status from dba_users where username='THOMAS';

ACCOUNT_STATUS

--------------------------------

EXPIRED

Up to 10g ) SQL> select password from dba_users where username='THOMAS';

from 11g) SQL>select password from SYS.user$ where name ='THOMAS';

PASSWORD

-----------------------------

063D8DE086C2860D

SQL> alter user thomas identified by values '063D8DE086C2860D';

User altered.

SQL> select account_status from dba_users where username='THOMAS';

ACCOUNT_STATUS

--------------------------------

OPEN

SQL> conn thomas/thomas

Connected.

Posted by hemora at 10:28
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)