
Re: oracle authentication from windows

From: AK <oramagic_at_hotmail.com>
Date: Fri, 20 Jun 2003 09:04:49 -0700
Message-ID: <F001.005B640F.20030620083515@fatcity.com>

Got it. Thanks Arup.
 
-ak

  To: Multiple recipients of list ORACLE-L
  Sent: Friday, June 20, 2003 8:54 AM
  Subject: Re: oracle authentication from windows

  AK,

  The issue is not creating an id called OPS$SYSTEM on XP, but on the database. Say you created a user called OPS$SYSTEM as

      create user ops$system identified externally;

  The XP user should be SYSTEM, not OPS$SYSTEM, to log on to this account.

  Now suppose your os_authent_prefix is set to "" (null); then the Oracle user SYSTEM, not OPS$SYSTEM, is authenticated externally. If someone creates a user in XP called SYSTEM, she can call

      sqlplus /@service1

  The OS user is SYSTEM, os_authent_prefix is null, so Oracle will let the user be logged on as Oracle user SYSTEM!

  Therefore, always have a not null value in os_authent_prefix, e.g. OPS$.

  If the XP user is OPS$SYSTEM, the Oracle user should be OPS$OPS$SYSTEM, not OPS$SYSTEM. I hope you see the difference.

  HTH.

  Arup

    To: Arup Nanda
    Sent: Friday, June 20, 2003 10:46 AM
    Subject: Re: oracle authentication from windows

    Arup,
    Why can't someone create an account like ops$system on XP and get in? If they can create system then why not ops$system? Secondly, OS authentication means the operating system is going to take care of auth, right? It's up to the OS to not allow the users to change their ids.

    -ak

      Mladen,

      This is precisely the content I have gone into in depth in my
      upcoming book, where this practice of OPS$ accounts has been
      discussed.

      The security hole in OPS$ accounts is a bit
      overrated. Changing username in Windows XP alone does not allow logging in
      to the database directly if OPS$ accounts are used. What you are referring
      to is setting the ORA_DBA group in Windows. Here is an excerpt from the
      book:

      "If OPS$ accounts must be used, make sure
      that init.ora parameter os_authent_prefix is set to OPS$ or some other
      value, not NULL. If it is null, as shown by an empty string "", the
      security is severely threatened. Anyone can create a userid called SYSTEM
      in the OS and then log on without a password as the Oracle user SYSTEM. If
      the os_authent_prefix is set to OPS$, then the corresponding user id in
      Oracle will be OPS$SYSTEM, not SYSTEM. They are different
      users."

      As you might notice, OPS$ accounts are
      somehow insecure, and I personally eschew them; but let's face it, in some
      situations, like in the case AK mentioned, the use is required. What the
      DBAs can do is to take some precautions to ensure security.

      HTH.

      Arup

        ----- Original Message -----
        From: Gogala, Mladen
        To: Multiple recipients of list ORACLE-L
        Sent: Thursday, June 19, 2003 4:19 PM
        Subject: RE: oracle authentication from windows

        That, of course, will render your database
        totally insecure and open to anybody
        who can bring in a WinXP laptop, change the
        windoze username and log in as he pleases.
        DBA that sets his production parameters the way
        Arup described deserves to be
        publicly tortured by Bill O'Reilly in the "no
        spin zone".

        Mladen Gogala
        Oracle DBA
        Phone:(203) 459-6855
        Email:[EMAIL PROTECTED]
        
          -----Original Message-----
          From: Arup Nanda [mailto:[EMAIL PROTECTED]]
          Sent: Thursday, June 19, 2003 3:46 PM
          To: Multiple recipients of list ORACLE-L
          Subject: Re: oracle authentication from windows

          Sure.

          Just declare these in your
          init.ora

              os_authent_prefix=OPS$
              remote_os_authent=TRUE

          bounce the database, add a user called
          OPS$<the Windows username>, e.g. OPS$AK if your Windows login id
          is AK as

              create user ops$ak identified externally

          From windows connect as
          "/@servicename", e.g. sqlplus /@service1

          If it doesn't work, the OS user may be
          different. Use this query while connected to the database from Windows
          client.

              SQL> select sys_context('USERENV','OS_USER') from dual;

          See what OS username comes up; use that
          instead.

          HTH.

          Arup Nanda
          www.proligence.com

            ----- Original Message -----
            From: AK
            To: Multiple recipients of list ORACLE-L
            Sent: Thursday, June 19, 2003 1:10 PM
            Subject: oracle authentication from windows

            We want our client users (forms user)
            to just enter windows password and then automatically able
            to get in to oracle. Is there a way oracle can authenticate from
            windows (or active directory). Embedding password in runform.exe
            not an option.

            thanks,
            -ak
Received on Fri Jun 20 2003 - 11:04:49 CDT
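
The parameter check discussed in the thread, as an added example that is not part of the original messages: it parses init.ora text, flags a null os_authent_prefix and remote_os_authent=TRUE, and reports which OS user name maps onto each listed Oracle account. The function names, the PRIVILEGED list and the sample input are assumptions constructed for illustration.

```python
# Added example (not from the thread): audit init.ora text for the
# OS-authentication settings discussed above. Sample input is constructed.

PRIVILEGED = ("SYS", "SYSTEM")  # assumption: built-in accounts to protect


def parse_init_ora(text):
    """Return {parameter: value} from init.ora-style 'name=value' lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip().strip("\"'")
    return params


def mapped_account(os_user, prefix):
    """Oracle user an OS user is matched to: prefix + OS user name."""
    return (prefix + os_user).upper()


def os_user_for(account, prefix):
    """OS user name that maps onto `account`, or None if the prefix is absent."""
    account, prefix = account.upper(), prefix.upper()
    return account[len(prefix):] if account.startswith(prefix) else None


def audit(init_text, accounts):
    """Return (findings, {account: matching OS user}) for the given settings."""
    params = parse_init_ora(init_text)
    prefix = params.get("os_authent_prefix", "OPS$")  # Oracle default is OPS$
    remote = params.get("remote_os_authent", "FALSE").upper() == "TRUE"
    findings = []
    if prefix == "":
        findings.append("os_authent_prefix is null")
        for name in PRIVILEGED:
            findings.append(f"OS user {name} maps to Oracle user {mapped_account(name, prefix)}")
    if remote:
        findings.append("remote_os_authent=TRUE: client-reported OS user is trusted")
    return findings, {a.upper(): os_user_for(a, prefix) for a in accounts}


SAMPLE = 'os_authent_prefix=""\nremote_os_authent=TRUE\n'  # constructed input
if __name__ == "__main__":
    print(audit(SAMPLE, ["SYSTEM", "ops$ak"]))
```

With the prefix set to OPS$, the account OPS$OPS$SYSTEM is reported as matching OS user OPS$SYSTEM, which is the distinction drawn in the thread.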
