Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: oracle authentication from windows

Re: oracle authentication from windows

From: Arup Nanda <orarup_at_hotmail.com>
Date: Sat, 21 Jun 2003 22:14:06 -0700
Message-ID: <F001.005B72FB.20030621215943@fatcity.com> 





Bulbul,



> That is the problem , as I said I am not able to log in even the

> database server's operating system  users ( who are identified

> externally ) unless I set remote_os_authent= true




Are you logging in the server through TPCIP? If you are logging in the
server directly you should be using IPC and then you can use the local
server logins. By the way what is your Oracle version (in full, e.g. 9.2,
not just 9i).



>  mean create user scott identified externally;

> grant create session  to scott ;

> If on the client machine there is an operating system user called

> scott, then he can log in to the scott schema.




An OS user called scott will be able to connect as the database user
OPS$SCOTT, not SCOTT - a big difference. This is why the os_authent_prefix
parameter is so important to set; don't leave it as null. If it is null,
then the OS user scott can connect to database user scott.



> Any ideas how to restrict the externally identified users so that they

> have to log in to the database server to access their oracle schemas.?




Well, they are mutually exclusive. A user is authenticated by either the
database or externally, not both. So if you create user scott identified
externally, you are allowing him to bypass database authentication. If you
don't want that, then you would create user SCOTT identified by a password.



> So this means that the database will not recognise the authentication

> done by some other means ( like the white house guards refusing to

> recognize the authentication provided by the people on the hill).

> Then how will someone log in if he is identified externally ?




The authentcation is done via a separate, more stringent manner - like
Kerberos, not through an OS. Oracle accepts that and in the world of
security, there is a fair probability that the user is who says he is. This
user is also authenticated externally, but that authentication is stricter
and the database admin trusts that. In a real life example I provided, the
white house guards accepted the authentication provided by the Capitol Hill
guards; but would they have done that for an ID card from  your town
library? Most likely not. Reason: the library authentication is inherently
insecure, similar to the common Windows PCs where anyone can create a user
id called scott and if a userid OPS$SCOTT happens to be there. But if a user
is authenticated using kerberos, the chances are the procedure has been
proper and therefore it might be considered acceptable.



In my forthcoming book, "HIPAA Security and Auditing for Oracle", coming out
in September, I have discussed these topics in depth and with examples.



Hope this helps.



Arup Nanda


www.proligence.com








> Thank you very much Arup , very lucid and detailed explanation.

> In the last point you said :

> :3) If remote_os_authent is false, but the database has a user

> OPS$BULBUL


> : identified externally; a user named bulbul on the _server_ can login

> as

> : "sqlplus /", but a user named BULBUL on a remote machine will not be

> able

> : to.

> That is the problem , as I said I am not able to log in even the

> database server's operating system  users ( who are identified

> externally ) unless I set remote_os_authent= true ;  But then as you

> said any remote client could authenticate the externally identified

> user in whatever means, and then they could log in.  I mean

> create user scott identified externally;

> grant create session  to scott ;

> If on the client machine there is an operating system user called

> scott, then he can log in to the scott schema.

> Any ideas how to restrict the externally identified users so that they

> have to log in to the database server to access their oracle schemas.?

>

> Another doubt is from what you said about

> sqlnet_authentication_services :

> : You are using (none) because you do not want to rely on the

> authentication

> : service provided by others.

> :

> So this means that the database will not recognise the authentication

> done by some other means ( like the white house guards refusing to

> recognize the authentication provided by the people on the hill).

> Then how will someone log in if he is identified externally ?

>

> Once again thanks for the excellent response, thanks for taking time

> out to explain the physical significance of these parameters in a very

> nice way.

>

>

>

> : (2) remote_os_authent means the user is authenticated in whatever

> manner in

> : the _client_ operating system, not the server. The user may have no

> account

> : with the server.

> :

> : (3) If remote_os_authent is false, but the database has a user

> OPS$BULBUL


> : identified externally; a user named bulbul on the _server_ can login

> as

> : "sqlplus /", but a user named BULBUL on a remote machine will not be

> able

> : to.

> :

> : Hope this helps.

> :

> : Arup Nanda

> : www.proligence.com

> :

> : ----- Original Message -----

> : To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>

> : Sent: Saturday, June 21, 2003 2:19 AM

> :

> :

> : > Arup , the procedure you gave is correct and works fine.

> : > I tried it out on win32 with 9.2.0.1.0.

> : > But I had to set SQLNET.AUTHENTICATION_SERVICES= (none) in

> sqlnet.ora

> : > My fundamentals are really weak , so please forgive the stupid

> : > questions : These steps create a database user who will be

> : > authenticated by the operating system , right ? I assume that the

> : > authenticating os is the one which runs the database  and not the

> os

> : > running on the remote client machine .  If yes , then this would

> mean

> : > that all these externally identified users would have to somehow

> log

> : > onto the os of the database server.

> : >

> : >

> : > However why does this procedure work only when

> remote_os_authent=true

> : > ?

> : > I had posted this same question a while ago , did not get any

> : > satisfactory answers , though people told me that

> : > remote_os_authent=true is a security problem.

> : >

> : > But it doesn't seem to work without that.

> : > Any ideas of enabling "sqlplus /" without remote_os_authent=true ?

> : > Wouldn't remote_os_authent=true allow remote client machines to

> : > authenticate their users which can then log in  to the database as

> : > long as they know the name of the externally authenticated

> username

> : > and value of os_authent_prefix

> : >

> : > ----- Original Message -----

> : > To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>

> : > Sent: Friday, June 20, 2003 01:15

> : >

> : >

> : > Sure.

> : >

> : > Just declare these in your init.ora

> : >

> : > os_authent_prefix=OPS$

> : > remote_os_authent=TRUE

> : >

> : > bounce the database, add a user called OPS$<the Windows username>,

> : > e.g. OPS$AK if your Windows login id is AK as

> : >

> : > create user ops$ak identified externally

> : >

> : > From windows connect as "/@servicename", e.g. sqlplus /@service1

> : >

> : > If it doesn't work, the OS user may be different. Use this query

> while

> : > connected to the database from Windows cleint.

> : >

> : > SQL> select sys_context('USERENV','OS_USER') from dual;

> : >

> : > See what OS username comes up; use that instead.

> : >

> : > HTH.


> : >

> : > Arup Nanda

> : > www.proligence.com

> : >

> : >

> : >   ----- Original Message -----

> : >   From: AK

> : >   To: Multiple recipients of list ORACLE-L

> : >   Sent: Thursday, June 19, 2003 1:10 PM

> : >   Subject: oracle authentication from windows

> : >

> : >

> : >   We want our client users ( forms user )  to just enter windows

> : > password and then automatically able to get in to oracle .Is there

> a

> : > way oracle can authenticate from windows ( or active directory ) .

> : > enbadding password in runform.exe not an option .

> : >

> : >   thanks,

> : >   -ak

> :

>

> --

> Please see the official ORACLE-L FAQ: http://www.orafaq.net

> --

> Author: <[EMAIL PROTECTED]

>   INET: [EMAIL PROTECTED]


>

> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com

> San Diego, California        -- Mailing list and web hosting services

> ---------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

>


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Sun Jun 22 2003 - 00:14:06 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US