Oracle FAQ Your Portal to the Oracle Knowledge Grid

DB Linking 8.1.7 Oracle Databases

From: Janet Querdibitty <janqu_at_comcast.net>
Date: Thu, 06 Feb 2003 16:28:53 -0800
Message-ID: <F001.0054699D.20030206162853@fatcity.com>


Hello All,

I have a question about db linking between 2 Oracle 8.1.7 databases.

A little background. Our logical database spans 2 physical databases
(in separate organizations), which are currently connected over
database links. Local db is 8.0.6; remote db is 7.3.

User accounts are externally identified, and same accounts exist on remote database. global_names=TRUE on both databases. A public database link is defined with no connect info, just the service name. Package owner accounts have private database links which connect to a fixed account on the remote db. This fixed account is granted the application role, so can access required objects. There is no auditing of user actions on remote database.

There are 2 types of access: 1. from the client in the user's context, and 2. through database packages. Currently, user access takes place over the public db link, and is successful as long as the user accounts match on both sides. Package access is over private links.

Now we are preparing to upgrade to Oracle 8.1.7 on both local and remote dbs. Remote db has defined a security policy (FGAC) on the master tables.

User accounts are now defined as identified by password. Additionally, both databases have os_authent_prefix set to 'OPS$'. This gives users the capability to log on to the database with password or without it.

Only way I have been able to achieve user access through either a public link or a private link is when the user logs on to the database using a password. This is not a good solution for us, since the user will be challenged for a password (and never was before).

Only way I have been able to achieve satisfactory results through a package, while also satisfying the remote db security policy is to alter user on remote db to grant connect through a proxy account. This is the CONNECT TO account in the private db link. And also to compile the remote access packages as invoker-rights (AUTHID CURRENT_USER). This is not perfect, but at least gives us a way to do it.

I tried using CONNECT TO CURRENT_USER on the dblink, but got an LDAP error when trying to connect thru it. We don't have the global names directory in our configuration.

The problem is being able to convey the user's identity thru to the remote database to satisfy the security policy on remote db. So far, proxy connection coupled with invoker-rights package is the only way I can find to do it.

Does anyone have any other suggestions?

Thanks for any feedback.

Jan Querdibitty

ps. I have been a lurker on this list for ever (I'm a DEEveloper (not DUH)), and find it a wonderful resource. Thank you guys.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Janet Querdibitty
  INET: janqu_at_comcast.net

Received on Thu Feb 06 2003 - 18:28:53 CST
