Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: oracle authentication from windows

From: Arup Nanda <orarup_at_hotmail.com>
Date: Fri, 20 Jun 2003 08:11:59 -0700
Message-ID: <F001.005B62C4.20030620075457@fatcity.com>

AK,

The issue is not creating an id called OPS$SYSTEM on XP, but on the database. Say you created a user called OPS$SYSTEM as

create user ops$system identified externally;

The XP user should be SYSTEM, not OPS$SYSTEM, to log on to this account.

Now suppose your os_authent_prefix is set to "" (null); then the Oracle user SYSTEM, not OPS$SYSTEM, is authenticated externally. If someone creates a user in XP called SYSTEM, she can call

sqlplus /@service1

The OS user is SYSTEM, os_authent_prefix is null, so Oracle will let the user be logged on as Oracle user SYSTEM!

Therefore, always have a not null value in os_authent_prefix, e.g. OPS$.

If the XP user is OPS$SYSTEM, the Oracle user should be OPS$OPS$SYSTEM, not OPS$SYSTEM. I hope you see the difference.

HTH.

Arup

  Arup,
  Why can't someone create an account like ops$system on XP and get in? If they can create system, then why not ops$system? Secondly, OS authentication means the operating system is going to take care of auth, right? It's up to the OS not to allow the users to change their ids.
  -ak

    To: Multiple recipients of list ORACLE-L
    Sent: Thursday, June 19, 2003 3:34 PM
    Subject: Re: oracle authentication from windows

    Mladen,

    This is precisely the content I have gone into in depth in my upcoming book, where this practice of OPS$ accounts has been discussed.

    The security hole in OPS$ accounts is a bit overrated. Changing the username in Windows XP alone does not allow logging in to the database directly if OPS$ accounts are used. What you are referring to is setting the ORA_DBA group in Windows. Here is an excerpt from the book:

    "If OPS$ accounts must be used, make sure that init.ora parameter os_authent_prefix is set to OPS$ or some other value, not NULL. If it is null, as shown by an empty string "", the security is severely threatened. Anyone can create a userid called SYSTEM in the OS and then log on without a password as the Oracle user SYSTEM. If the os_authent_prefix is set to OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not SYSTEM. They are different users."

    As you might notice, OPS$ accounts are somehow insecure, and I personally eschew them; but let's face it, in some situations, like in the case AK mentioned, the use is required. What the DBAs can do is to take some precautions to ensure security.

    HTH.

    Arup

      That, of course, will render your database totally insecure and open to anybody who can bring in a WinXP laptop, change the windoze username and log in as he pleases.
      DBA that sets his production parameters the way Arup described deserves to be publicly tortured by Bill O'Reilly in the "no spin zone".

      Mladen Gogala
      Oracle DBA
      Phone:(203) 459-6855
      Email:[EMAIL PROTECTED]
      
      
        -----Original Message-----
        From: Arup Nanda [mailto:[EMAIL PROTECTED]]
        Sent: Thursday, June 19, 2003 3:46 PM
        To: Multiple recipients of list ORACLE-L
        Subject: Re: oracle authentication from windows

        Sure.

        Just declare these in your init.ora

        os_authent_prefix=OPS$
        remote_os_authent=TRUE

        Bounce the database, add a user called OPS$<the Windows username>, e.g. OPS$AK if your Windows login id is AK, as

        create user ops$ak identified externally;

        From Windows connect as "/@servicename", e.g. sqlplus /@service1

        If it doesn't work, the OS user may be different. Use this query while connected to the database from the Windows client.

        SQL> select sys_context('USERENV','OS_USER') from dual;

        See what OS username comes up; use that instead.

        HTH.

        Arup Nanda
        www.proligence.com
         
         
          ----- Original Message -----
          From: AK
          To: Multiple recipients of list ORACLE-L
          Sent: Thursday, June 19, 2003 1:10 PM
          Subject: oracle authentication from windows

          We want our client users (forms user) to just enter their Windows password and then automatically be able to get in to Oracle. Is there a way Oracle can authenticate from Windows (or Active Directory)? Embedding the password in runform.exe is not an option.

          thanks,
          -ak

Received on Fri Jun 20 2003 - 10:11:59 CDT
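
The prefix mapping discussed in this thread, as an added example that is not part of the original messages: a small Python audit that reads init.ora-style text and reports which Oracle account an OS user name resolves to. The function names, the `BUILT_IN` list and the two sample parameter files are constructed for illustration; upper-casing of account names is an assumption.

```python
# Added example: models the OS-user -> Oracle-account mapping described in the thread.
DEFAULT_PREFIX = "OPS$"          # Oracle's default when os_authent_prefix is not set
BUILT_IN = {"SYS", "SYSTEM"}     # constructed list of accounts to protect

def parse_init_ora(text):
    """Parse 'name=value' lines of an init.ora file into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip().strip("\"'")
    return params

def oracle_account(os_user, prefix):
    """Account looked up for 'connect /' (assumes unquoted, upper-case names)."""
    return (prefix + os_user).upper()

def audit(init_ora_text, os_user):
    """Return (mapped account, list of findings) for one OS user name."""
    params = parse_init_ora(init_ora_text)
    prefix = params.get("os_authent_prefix", DEFAULT_PREFIX)
    remote = params.get("remote_os_authent", "FALSE").upper() == "TRUE"
    account = oracle_account(os_user, prefix)
    findings = []
    if prefix == "":
        findings.append("os_authent_prefix is null")
    if remote:
        findings.append("remote_os_authent is TRUE: client-reported OS user is trusted")
    if account in BUILT_IN:
        findings.append("OS user %r maps to built-in account %s" % (os_user, account))
    return account, findings

# Constructed sample parameter files: the null prefix and the setting from the thread.
WEAK = 'os_authent_prefix=""\nremote_os_authent=TRUE\n'
THREAD = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"

if __name__ == "__main__":
    for label, cfg in (("null prefix", WEAK), ("OPS$ prefix", THREAD)):
        for os_user in ("SYSTEM", "OPS$SYSTEM", "AK"):
            account, findings = audit(cfg, os_user)
            print("%-12s %-11s -> %-15s %s" % (label, os_user, account, findings))
```
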
