Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Database access using LDAP Authentication

Re: Database access using LDAP Authentication

From: Mark Brinsmead <>
Date: Wed, 5 Jul 2006 20:16:38 -0600
Message-ID: <>

For Oracle 9.2, I believe the product you are looking for is "Advanced Security Option",
although I believe it was known as "Advanced Networking Option" prior to that.

It's not free, though. It requires Enterprise Edition, and costs something like USD
$20,000/CPU above and beyond that.

Of course, with 40 database and maybe 100 or 200 CPUs, you might find that there
is some room for negotiation. ;-)

'Course I could be mistaken...

On 7/5/06, <> wrote:
> All:
> Jr. DBA here looking for a little help on a project she's been given.
> Any thoughts & ideas you have are greatly appreciated.
> After Collaborate06, I suggested to our managers that we use Profiles on
> our 40+ databases for added security. After some hemming & hawing,
> security group agreed, and we began to put Profile Plans into motion.
> At this time the department realized that if they had a direct Database
> account, they would have to change their password, which meant in some
> circumstances, on all 40 databases. This caused some grumbling, but it
> wasn't too bad.
> At this time the head of Systems said 1 word to the head DBA that would
> simultaneously make all the profile research instantly trash and my life
> hell: LDAP.
> Yes, he wants us to have oracle use LDAP for it's user/schema
> authentication.
> Oracle
> LDAP v3 (not Oracle's LDAP)
> All 40+ databases & 2 LDAPs are on different Unix boxes.
> To make sure I am not being difficult, here's the prime example:
> 1) I open SQLPLUS and type in my Oracle Userid & password (scott/tiger).
> 2) Oracle then somehow takes the userid & password to a centralized
> 3) LDAP replies with either: "Yep, that's right" or "No, reject
> session".
> 4) Oracle then allows access (depending on LDAP's response), and uses
> it's the users role/sys/tab privs to say what that user has access to.
> I have seen where you can authenticate through an htmldb app using the
> DBMS_LDAP package, but we're not going through a 3rd party app, nor do I
> think a login server is quite what we're looking for here, but maybe
> this is how it has to be done?
> I saw the wonderful "LDAP_AUTHENTICATE procedure for Active Directory"
> from this list, and tried it as a great jumping-off point, but can't
> figure out quite how to use it in relation to how Oracle logs in its
> users.
> Metalink seems to take you into stray paths, and the SSO books around
> have to do with 10g, if it's even SSO I'm quite looking for. And Google
> seems to think I'm insane.
> 1) Is it even possible to use LDAP to authenticate Oracle users directly
> from Oracle? How would I go about doing this?
> 2) If this is possible, via some sort of login trigger or something,
> then is it possible to exclude specific users? We obviously don't want
> SYS or OP$ORACLE going through LDAP due to LDAP Failure making the
> database useless.
> Thank you in advance for all of your help, and thanks for all the ideas
> that this list has given me!
> --

-- Mark Brinsmead
   Staff DBA,
   The Pythian Group

Received on Wed Jul 05 2006 - 21:16:38 CDT

Original text of this message