oravirt / ansible-oracle-modules

Oracle modules for Ansible
MIT License

oracle_user: changing password does not result in a changed task state in Oracle 18 #87

Open chrisbrookes opened 5 years ago

chrisbrookes commented 5 years ago

Given a working install through the ansible-oracle scripts with config something like the following (cut parts for brevity):

dbpasswords:
  orcl18:
    appuser1: 123456

oracle_databases:
- home: 18300-base
  oracle_db_name: orcl18 
  oracle_db_type: SI
  # etc...

  users:
    - schema: appuser1
      update_password: "always"
      #...

If I change the password for appuser1 and then run through the oradb-manage-users role in ansible-oracle (which uses the oracle_user module), the password is changed in Oracle, but the task does not report changed:

TASK [ansible-oracle/roles/oradb-manage-users : Manage users (db/cdb)] *************************************************************************************************************
ok: [centosora1] => (item=port: 1521 service: orcl18 schema: appuser1 state:present)

The problem is down to the get_user_password_hash function and the fact it uses sys.user$ password. This is probably a problem in 12c+ since it seems from this point, Oracle has stopped putting the hashes in the sys.user$ password column (a good thing). There is the spare4 column that has a hash in it, but I believe it's stored with the salt so it's different every time and cannot be used to compare before and after.

I'm not sure if there's a good solution to this. There's some information on how the spare4 hash is built up here, but I'm unsure if it's possible to use this to figure out how to run a hash function from Python against the existing salt + incoming password to compare against the existing hash.
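One way to do the comparison the issue asks about, as an added example (not code from ansible-oracle-modules): recompute the 11g-style "S:" verifier from the salt already stored in spare4 and the incoming password, and report changed only when they differ. The spare4 values below are constructed, and the example assumes an "S:" entry is present; the 12c "T:" verifier is deliberately left unhandled.

```python
import hashlib
import os
import re
from typing import Optional

# Oracle's 11g-style "S:" verifier, as stored in sys.user$.spare4:
#   "S:" + uppercase hex of SHA1(password || salt) + uppercase hex of the
#   10-byte salt (40 + 20 hex characters). A 12c+ spare4 value may hold
#   several ';'-separated verifiers, e.g. "S:...;T:..."; the PBKDF2-based
#   "T:" verifier is not handled here.
S_VERIFIER_RE = re.compile(r"^S:([0-9A-F]{40})([0-9A-F]{20})$")


def build_s_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an S: verifier for password; fresh 10-byte salt if none given."""
    if salt is None:
        salt = os.urandom(10)
    if len(salt) != 10:
        raise ValueError("S: verifier salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def password_matches_spare4(password: str, spare4: str) -> Optional[bool]:
    """True/False when spare4 holds an S: entry to check against; None when
    no usable S: entry exists (e.g. only a T: verifier), i.e. undecidable."""
    for entry in spare4.split(";"):
        m = S_VERIFIER_RE.match(entry.strip())
        if not m:
            continue
        stored_hash, salt = m.group(1), bytes.fromhex(m.group(2))
        # Recompute with the stored salt and compare only the digest part.
        return build_s_verifier(password, salt)[2:42] == stored_hash
    return None


def user_password_changed(desired_password: str, spare4: str) -> bool:
    """Idempotency decision for update_password: "always": report changed
    only when the stored verifier does not already match. If spare4 is
    undecidable, keep the module's current behaviour and apply the change."""
    return password_matches_spare4(desired_password, spare4) is not True


if __name__ == "__main__":
    # Constructed sample: S: verifier for the issue's example password plus a
    # placeholder T: entry (not a real 12c verifier).
    current = build_s_verifier("123456") + ";T:" + "0" * 160
    print("same password -> changed:", user_password_changed("123456", current))
    print("new password  -> changed:", user_password_changed("s3cret", current))
```

In the module this would replace the before/after comparison of sys.user$.password with a single pre-check of spare4 against the desired password.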

oravirt commented 5 years ago

Yeah, I was mucking around with this maybe a year ago (using the same info as you linked to), and at the time I ended up putting it in the 'too-hard' basket thinking I would maybe re-visit it at some point. I don't have a lot of time to put into investigating this (at least for now) so maybe I'll just settle for the fact that the password will be enforced to whatever the input is.

I'll look into the task not returning as changed, though.