Password Manipulation Through Database

Mon Jul 15 08:56:32 PDT 2002

I received the following message, to which I have already replied.  However,
it is an interesting thought exercise.  How many different ways could this
be done?

----- begin message 1 -----
I have a need to create a mechanism in my application at a client company to
enable users to change their passwords on a UNIX server from a browser using
either Active Server Pages (visual basic) or Java Server Pages with Java.  I
use database roles to track user ability to see sensitive data. The initial
problem is to change the temporary password provided by the UNIX admin
because it has to be changed prior to being recognized by making a database
connection using their UserID and password.

As you can guess, the first time the UserID and password is used, the UNIX
system responds with the request to change it.  The second need is to try to
trap the message from UNIX that indicates that their password is about to
expire and handle it accordingly.

Unfortunately, we are using Informix rather than Oracle.  As you may know,
Oracle handles the password management, but Informix does not.
----- end message 1 -----

I asked him which operating system he was using, and whether a distributed
authentication method had been implemented.

----- begin message 2 -----
Solaris 9.  No, don't believe there is any distributed authentication.  I
currently make connections to Informix through ODBC and JDBC with Active
Server Pages and Java Server Pages respectively.  I am making an ODBC
connection through an active server page using the user name and password
and then verifying their role assignment for determination of their
privileges.  I could use either ASPs or JSPs to determine the password
status, and perhaps change it.
----- end message 2 -----

--David Dull
  ddull at ieee.org
  http://home.netcom.com/~qkstart/