Re: Database authentication and Active Directory
Date: Tue, 21 Dec 2010 17:52:01 +0200
Message-ID: <OFE4B7FB10.374C4580-ONC2257800.0055B316-C2257800.00572953_at_seb.lt>
right.
ok then, it only means Oracle feels authentication in the middle tier era is not important any more...
if the question is to authenticate developers/testers/app DBAs then probably other means can be employed: database LOGON and DDL triggers are a powerful tool.
The fact is that in today's pooled connection apps connecting into db with
individual user is not actually supported. Applications have a variety of
triggers and views that assume you are connected as a schema owner (oh,
yeah, a terrible thought for a classical DBA but this is what we get
installed today. DBA privilege to schema user and web app connecting to
this same user is not uncommon)
For example, what we find in our environment is that apps keep their
passwords plain text. Even if they are encrypted guess if it is not a
primitive XOR...
What we employ now is DB level LOGON triggers that allow only particular
OS user/IP address/executable to connect to app schemas. BTW, I believe
Oracle 11g has some infrastructure that does exactly this.
The question is if in a Standard edition a combination of db triggers and
basic audit can let OS authenticated developer work safely connected into
app schemas directly.
DDL definitely can be caught and prevented. The question is if DML can be
effectively tracked/prevented.
Please consider the environment before printing this e-mail
From: Niall Litchfield <niall.litchfield_at_gmail.com>
Sent by: oracle-l-bounce_at_freelists.org
Date: 2010.12.21 13:32
Please respond to: niall.litchfield_at_gmail.com
To: Laimutis.Nedzinskas_at_seb.lt
cc: s.cislaghi_at_gmail.com, Oracle L <oracle-l_at_freelists.org>, oracle-l-bounce_at_freelists.org
Subject: Re: Database authentication and Active Directory
Kerberos authentication of users requires the Advanced Security Option which in turn requires EE.
On Tue, Dec 21, 2010 at 10:47 AM, <Laimutis.Nedzinskas_at_seb.lt> wrote:
Kerberos is your answer.
Metalink and oracle has notes. And yes, it even works, done that
myself.
You login like that in SQLNav, Oracle Forms, sqlplus:
connect /
That's it.
Then oracle works just "like MS SQL server" as one PM asked Oracle
consultant after he (consultant) talked for 1h or so about Oracle
acquisitions (this keyword was by far the TOP1 word during his otherwise
clever speech) regarding "Identity Management", about 3 or 5 separate
"acquired" products needed for that (and licensed separately too)
Truly speaking, Oracle does not work exactly like MS SQL Server: you still
have to create users, privileges, roles, etc, etc. But authentication
burden is taken off, that's true.
From: Stefano Cislaghi <s.cislaghi_at_gmail.com>
Sent by: oracle-l-bounce_at_freelists.org
Date: 2010.12.20 23:22
Please respond to: s.cislaghi_at_gmail.com
To: Oracle L <oracle-l_at_freelists.org>
Subject: Database authentication and Active Directory
Hi all,
I'm looking around to check if there's a solution that does not force
me to buy Oracle Internet Directory. Problem is rather simple, I want
to authenticate my database user against active directory.
This means that users are physically present in database and only
password verification is done in active directory. Grants, roles and
other properties are stored in database server.
Users should be able to connect to database either from their own
workstation with applications similar to SQLDeveloper and from third
parties applications that do not reside on user workstation (maybe
oracle BI).
Metalink has no valid solution and also administrator guide does not
provide any interesting hint. Database is 11.2.
OID is another expensive product I'm not able to buy today.
Thanks
Ste
--
http://www.stefanocislaghi.eu
--
http://www.freelists.org/webpage/oracle-l
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
Received on Tue Dec 21 2010 - 09:52:01 CST
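
The LOGON-trigger restriction described in the top message of this thread (only a particular OS user/IP address/executable may connect to an app schema), sketched in PL/SQL as an added example; it is not code from any poster in the thread. The SEC_ADMIN schema, the table and trigger names, and the sample row are assumptions made up for illustration.

```sql
-- Assumptions: SEC_ADMIN is a dedicated schema holding ADMINISTER DATABASE TRIGGER
-- and a direct grant:  GRANT SELECT ON sys.v_$session TO sec_admin;
CREATE TABLE sec_admin.logon_allowlist (
  db_user    VARCHAR2(128) NOT NULL,  -- application schema being protected
  os_user    VARCHAR2(128) NOT NULL,  -- client OS account (reported by the client)
  ip_address VARCHAR2(45)  NOT NULL,  -- client address, or 'LOCAL' for bequeath logons
  program    VARCHAR2(128) NOT NULL   -- client executable (reported by the client)
);

-- Constructed sample row: only the app server's service account may use APP_OWNER.
INSERT INTO sec_admin.logon_allowlist
VALUES ('APP_OWNER', 'svc_webapp', '10.0.0.15', 'JDBC Thin Client');
COMMIT;

CREATE OR REPLACE TRIGGER sec_admin.trg_restrict_app_logon
AFTER LOGON ON DATABASE
DECLARE
  l_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_os_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'OS_USER');
  l_ip      VARCHAR2(45)  := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'LOCAL');
  l_program VARCHAR2(128);
  l_count   PLS_INTEGER;
BEGIN
  -- Schemas with no allowlist rows are not restricted by this trigger.
  SELECT COUNT(*) INTO l_count
    FROM sec_admin.logon_allowlist
   WHERE db_user = l_user;
  IF l_count = 0 THEN
    RETURN;
  END IF;

  -- Executable name of the session that is logging on.
  SELECT program INTO l_program
    FROM v$session
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');

  SELECT COUNT(*) INTO l_count
    FROM sec_admin.logon_allowlist
   WHERE db_user = l_user
     AND os_user = l_os_user
     AND ip_address = l_ip
     AND UPPER(program) = UPPER(l_program);

  IF l_count = 0 THEN
    -- The unhandled error rejects the logon for ordinary users.
    RAISE_APPLICATION_ERROR(-20001,
      'Logon to ' || l_user || ' is not permitted from this client');
  END IF;
END;
/
```

An error raised in a logon trigger does not block accounts holding ADMINISTER DATABASE TRIGGER (the DBA role includes it), so an app schema that was granted DBA, as the message describes, is not restricted by this check. OS_USER and the program name are supplied by the client and can be set to any value, so the IP address is the only one of the three the server observes itself.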
