Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE : RE: Database access using LDAP Authentication

RE : RE: Database access using LDAP Authentication

From: Marius Raicu <mariu200_at_yahoo.com>
Date: Wed, 12 Jul 2006 16:45:39 +0200 (CEST)
Message-ID: <20060712144539.8470.qmail@web55313.mail.re4.yahoo.com>


Hi,
You can query an LDAP server from oracle stored procedures by example, using DBMS_LDAP. I haven't done it from logon triggers, hovewer, I assume it should be possible somehow...But I think this is the hardest method to authenticate oracle users.An if you have 40+ databases, why not LDAP-authenticate the access to the applications using these databases instead of creating a hard dependence between ldap and oracle databases.

Regards,

"Jesse, Rich" <Rich.Jesse_at_qg.com> a écrit : Yep, as Mark mentioned, what you want to do isn't cheap in the Oracle World. Perhaps you could start here for a primer:

http://download-east.oracle.com/docs/cd/B10501_01/network.920/a96582/galsyste.htm#1017957

While I haven't played with this aspect of LDAP in Oracle (currently implementing network Naming in LDAP), I would think that you wouldn't necessarily need the Wallets, Enterprise Login, and all the SSO stuff. Just the expensive licensing. And, funny, but I don't see the Enterprise Edition as being needed for LDAP naming, but I could be wrong.

Also, I believe the LDAP naming is on a user-by-user basis. In other words, you could setup the SYSTEM account on each of your 40 DBs with your standard local passwords, but have a "HR" account in each that uses LDAP authentication, or have some "HR" accounts LDAP and some local. No triggers are needed -- look up the "CREATE USER" command, specifically the "IDENTIFIED GLOBALLY" clause.

In a nutshell, you've got quite a task on your hands. Have fun learning!

Rich  

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] Sent: Wednesday, July 05, 2006 12:48 PM To: oracle-l
Subject: Database access using LDAP Authentication

All:

Jr. DBA here looking for a little help on a project she's been given. Any thoughts & ideas you have are greatly appreciated.

THE SITUATION:
After Collaborate06, I suggested to our managers that we use Profiles on our 40+ databases for added security. After some hemming & hawing, security group agreed, and we began to put Profile Plans into motion. At this time the department realized that if they had a direct Database account, they would have to change their password, which meant in some circumstances, on all 40 databases. This caused some grumbling, but it wasn't too bad.

At this time the head of Systems said 1 word to the head DBA that would simultaneously make all the profile research instantly trash and my life hell: LDAP.

Yes, he wants us to have oracle use LDAP for it's user/schema authentication.

SYSTEMS:
Oracle 9.2.0.6
LDAP v3 (not Oracle's LDAP)
All 40+ databases & 2 LDAPs are on different Unix boxes.

EXAMPLE OF WANTED RESULTS:
To make sure I am not being difficult, here's the prime example: 1) I open SQLPLUS and type in my Oracle Userid & password (scott/tiger).

2) Oracle then somehow takes the userid & password to a centralized LDAP.
3) LDAP replies with either: "Yep, that's right" or "No, reject session".
4) Oracle then allows access (depending on LDAP's response), and uses it's the users role/sys/tab privs to say what that user has access to.

RESEARCH:
I have seen where you can authenticate through an htmldb app using the DBMS_LDAP package, but we're not going through a 3rd party app, nor do I think a login server is quite what we're looking for here, but maybe this is how it has to be done?

I saw the wonderful "LDAP_AUTHENTICATE procedure for Active Directory" from this list, and tried it as a great jumping-off point, but can't figure out quite how to use it in relation to how Oracle logs in its users.

Metalink seems to take you into stray paths, and the SSO books around have to do with 10g, if it's even SSO I'm quite looking for. And Google seems to think I'm insane.

QUESTIONS:
1) Is it even possible to use LDAP to authenticate Oracle users directly from Oracle? How would I go about doing this?

2) If this is possible, via some sort of login trigger or something, then is it possible to exclude specific users? We obviously don't want SYS or OP$ORACLE going through LDAP due to LDAP Failure making the database useless.

Thank you in advance for all of your help, and thanks for all the ideas that this list has given me!
--

http://www.freelists.org/webpage/oracle-l

Regards,
Marius                  



 Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et son interface révolutionnaire.
--

http://www.freelists.org/webpage/oracle-l Received on Wed Jul 12 2006 - 09:45:39 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US