
Re: oracle authentication from windows

From: Arup Nanda <orarup_at_hotmail.com>
Date: Thu, 19 Jun 2003 15:01:50 -0700
Message-ID: <F001.005B5AA2.20030619143450@fatcity.com>

Mladen,
 

This is precisely the content I have gone into in depth in my upcoming book, where this practice of OPS$ accounts has been discussed.

 

The security hole in OPS$ accounts is a bit overrated. Changing username in Windows XP alone does not allow logging in to the database directly if OPS$ accounts are used. What you are referring to is setting the ORA_DBA group in Windows. Here is an excerpt from the book:
 

"If OPS$ accounts must be used, make sure that init.ora parameter os_authent_prefix is set to OPS$ or some other value, not NULL. If it is null, as shown by an empty string "", the security is severely threatened. Anyone can create a userid called SYSTEM in the OS and then logon without a password as the Oracle user SYSTEM. If the os_authent_prefix is set to OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not SYSTEM. They are different users."
 

As you might notice, OPS$ accounts are somehow insecure, and I personally eschew them; but let's face it, in some situations, like in the case AK mentioned, the use is required. What the DBAs can do is to take some precautions to ensure security.
 

HTH.
 

Arup

  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, June 19, 2003 4:19 PM
  Subject: RE: oracle authentication from windows

  That, of course, will render your database totally insecure and open to anybody who can bring in a WinXP laptop, change the windoze username and log in as he pleases. DBA that sets his production parameters the way Arup described deserves to be publicly tortured by Bill O'Reilly in the "no spin zone".

  Mladen Gogala
  Oracle DBA
  Phone:(203) 459-6855
  Email:[EMAIL PROTECTED]

    -----Original Message-----
    From: Arup Nanda [mailto:[EMAIL PROTECTED]
    Sent: Thursday, June 19, 2003 3:46 PM
    To: Multiple recipients of list ORACLE-L
    Subject: Re: oracle authentication from windows

    Sure.

    Just declare these in your init.ora

    os_authent_prefix=OPS$
    remote_os_authent=TRUE

    bounce the database, add a user called OPS$<the Windows username>, e.g. OPS$AK if your Windows login id is AK as

    create user ops$ak identified externally;

    From windows connect as "/@servicename", e.g. sqlplus /@service1

    If it doesn't work, the OS user may be different. Use this query while connected to the database from Windows client.

    SQL> select sys_context('USERENV','OS_USER') from dual;

    See what OS username comes up; use that instead.

    HTH.

    Arup Nanda
    www.proligence.com
     
     
      To: Multiple recipients of list ORACLE-L
      Sent: Thursday, June 19, 2003 1:10 PM
      Subject: oracle authentication from windows

      We want our client users (forms user) to just enter windows password and then automatically able to get in to oracle. Is there a way oracle can authenticate from windows (or active directory)? Embedding password in runform.exe not an option.

      thanks,
      -ak

Received on Thu Jun 19 2003 - 17:01:50 CDT
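
Added example (not part of the original messages or of the book excerpt): a small Python check over init.ora text for the two parameters discussed in this thread, showing which Oracle account an OS login maps to under a null prefix versus OPS$. The function names, the watch list and the sample files are constructed for illustration; the values used when a parameter is absent (OPS$ and FALSE) are Oracle's documented defaults.

```python
import re

# Oracle's documented defaults when a parameter is absent from init.ora.
DEFAULTS = {"os_authent_prefix": "OPS$", "remote_os_authent": "FALSE"}

def parse_init_ora(text):
    """Return the two OS-authentication parameters from init.ora text."""
    params = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        # Optional "*." covers pfiles generated from an spfile.
        m = re.match(r"(?:\*\.)?(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                      # unquote "" or 'OPS$'
        if name in params:
            params[name] = value
    return params

def oracle_user_for(os_user, params):
    """Database account that an OS login maps to under the current prefix."""
    return (params["os_authent_prefix"] + os_user).upper()

def audit(text, watch=("SYSTEM",)):
    """List findings for the settings discussed in the thread.

    `watch` is a hypothetical list of built-in accounts to report on."""
    params = parse_init_ora(text)
    findings = []
    if params["os_authent_prefix"] == "":
        for acct in watch:
            findings.append(f"empty os_authent_prefix: OS user {acct} maps to "
                            f"Oracle user {oracle_user_for(acct, params)}")
    if params["remote_os_authent"].upper() == "TRUE":
        findings.append("remote_os_authent=TRUE: OS username reported by a "
                        "remote client is accepted")
    return findings

# Constructed sample files, not taken from any real system.
NULL_PREFIX = ('db_name=service1\n'
               'os_authent_prefix=""   # null prefix\n'
               'remote_os_authent=TRUE\n')
OPS_PREFIX = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"

if __name__ == "__main__":
    for label, text in (("null prefix", NULL_PREFIX), ("OPS$ prefix", OPS_PREFIX)):
        print(label, "->", audit(text) or "no findings")
```
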
