Re: oracle authentication from windows

From: Arup Nanda <orarup_at_hotmail.com>
Date: Sat, 21 Jun 2003 08:17:04 -0700
Message-ID: <F001.005B714C.20030621075940@fatcity.com>


Bulbul,

Your question can be broken up into basically three parts.

(1) Setting SQLNET.AUTHENTICATION_SERVICES is used for authenticating users for single sign-on applications. For instance, you are using the Kerberos authentication method and using Oracle Advanced Networking Option. Anyone authenticated to the OS has already passed the test by Kerberos, and you decide to let the person in without further authentication by Oracle (i.e. userid, password). In this case, you would set SQLNET.AUTHENTICATION_SERVICES= (kerberos5). Imagine you are visiting the White House after visiting the US Capitol. At the Capitol, they checked you out and made sure you are indeed Bulbul; in other words, you are who you claim to be - a process we refer to as authentication. Now suppose you were escorted to the White House in a Secret Service van surrounded by a dozen agents. At the White House, the guards may decide to let you enter without further authentication. Why? Because they know the authentication done at the Capitol was rigorous enough and can be trusted. This is similar to a user authenticated by Kerberos and Oracle assumes that the process is reliable enough to let the user in.

You are using (none) because you do not want to rely on the authentication service provided by others.

(2) remote_os_authent means the user is authenticated in whatever manner in the _client_ operating system, not the server. The user may have no account with the server.

(3) If remote_os_authent is false, but the database has a user OPS$BULBUL identified externally, a user named bulbul on the _server_ can log in as "sqlplus /", but a user named BULBUL on a remote machine will not be able to.

Hope this helps.

Arup Nanda
www.proligence.com

> Arup , the procedure you gave is correct and works fine.
> I tried it out on win32 with 9.2.0.1.0.
> But I had to set SQLNET.AUTHENTICATION_SERVICES= (none) in sqlnet.ora
> My fundamentals are really weak , so please forgive the stupid
> questions : These steps create a database user who will be
> authenticated by the operating system , right ? I assume that the
> authenticating os is the one which runs the database and not the os
> running on the remote client machine . If yes , then this would mean
> that all these externally identified users would have to somehow log
> onto the os of the database server.
>
>
> However why does this procedure work only when remote_os_authent=true
> ?
> I had posted this same question a while ago , did not get any
> satisfactory answers , though people told me that
> remote_os_authent=true is a security problem.
>
> But it doesn't seem to work without that.
> Any ideas of enabling "sqlplus /" without remote_os_authent=true ?
> Wouldn't remote_os_authent=true allow remote client machines to
> authenticate their users which can then log in to the database as
> long as they know the name of the externally authenticated username
> and value of os_authent_prefix
>
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
> Sent: Friday, June 20, 2003 01:15
>
>
> Sure.
>
> Just declare these in your init.ora
>
> os_authent_prefix=OPS$
> remote_os_authent=TRUE
>
> bounce the database, add a user called OPS$<the Windows username>,
> e.g. OPS$AK if your Windows login id is AK as
>
> create user ops$ak identified externally
>
> From windows connect as "/@servicename", e.g. sqlplus /@service1
>
> If it doesn't work, the OS user may be different. Use this query while
> connected to the database from Windows client.
>
> SQL> select sys_context('USERENV','OS_USER') from dual;
>
> See what OS username comes up; use that instead.
>
> HTH.
>
> Arup Nanda
> www.proligence.com
>
>
> ----- Original Message -----
> From: AK
> To: Multiple recipients of list ORACLE-L
> Sent: Thursday, June 19, 2003 1:10 PM
> Subject: oracle authentication from windows
>
>
> We want our client users ( forms user ) to just enter windows
> password and then automatically able to get in to oracle .Is there a
> way oracle can authenticate from windows ( or active directory ) .
> embedding password in runform.exe not an option .
>
> thanks,
> -ak
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: <[EMAIL PROTECTED]
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: [EMAIL PROTECTED]

Received on Sat Jun 21 2003 - 10:17:04 CDT
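
The rules in points (2) and (3) of the reply above, as an added example that is not part of the original message and is not Oracle's code: a simplified Python model of when an OS-authenticated connect is accepted, plus a check that lists the externally identified accounts exposed by remote_os_authent=TRUE. The function names, the init.ora fragments and the account set are constructed for illustration; Windows domain prefixes and SQLNET.AUTHENTICATION_SERVICES are not modelled.

```python
import re

# Constructed init.ora fragments: the settings posted in the thread, and the
# same file with remote OS authentication switched off.
INIT_AS_POSTED = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"
INIT_LOCAL_ONLY = "os_authent_prefix=OPS$\nremote_os_authent=FALSE\n"
# Constructed set of accounts created with "identified externally".
EXTERNAL_USERS = {"OPS$AK", "OPS$BULBUL"}


def parse_init_ora(text):
    """Return {parameter: value} from name=value lines, skipping # comments."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_$]+)\s*=\s*(.*)$", line.split("#", 1)[0])
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return params


def remote_trusted(params):
    # Oracle's default for remote_os_authent is FALSE.
    return params.get("remote_os_authent", "FALSE").upper() == "TRUE"


def os_auth_login(params, external_users, os_user, remote):
    """Account an OS-authenticated connect maps to, or None if it is refused.

    Simplified model (assumption): the account is prefix + OS user name in
    upper case; a remote connect is considered only if remote_os_authent=TRUE.
    """
    if remote and not remote_trusted(params):
        return None
    account = (params.get("os_authent_prefix", "OPS$") + os_user).upper()
    return account if account in external_users else None


def audit(params, external_users):
    """List accounts that accept an OS user name asserted by a client machine."""
    if not remote_trusted(params):
        return []
    return [f"{u}: accepts the OS user name reported by any client host"
            for u in sorted(external_users)]


if __name__ == "__main__":
    for label, text in (("as posted", INIT_AS_POSTED), ("local only", INIT_LOCAL_ONLY)):
        p = parse_init_ora(text)
        print(label, os_auth_login(p, EXTERNAL_USERS, "bulbul", remote=True), audit(p, EXTERNAL_USERS))
```

With the settings as posted, every account in the external set is flagged; with remote_os_authent=FALSE only a connect made on the server itself maps to OPS$BULBUL.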
