Re: Database authentication and Active Directory
Date: Tue, 21 Dec 2010 17:52:01 +0200
Message-ID: <OFE4B7FB10.374C4580-ONC2257800.0055B316-C2257800.00572953_at_seb.lt>
Right.
OK then, it only means Oracle feels authentication in the middle tier era is not important any more...
If the question is to authenticate developers/testers/app DBAs, then probably other means can be employed: database LOGON and DDL triggers are a powerful tool.
The fact is that in today's pooled-connection apps, connecting into the db with an individual user is not actually supported. Applications have a variety of triggers and views that assume you are connected as a schema owner (oh, yeah, a terrible thought for a classical DBA, but this is what we get installed today. DBA privilege to the schema user and the web app connecting to this same user is not uncommon).
For example, what we find in our environment is that apps keep their passwords in plain text. Even if they are encrypted, guess if it is not a primitive XOR...
What we employ now is DB-level LOGON triggers that allow only a particular OS user/IP address/executable to connect to app schemas. BTW, I believe Oracle 11g has some infrastructure that does exactly this.
The question is if, in a Standard edition, a combination of db triggers and basic audit can let an OS-authenticated developer work safely connected into app schemas directly.
DDL definitely can be caught and prevented. The question is if DML can be effectively tracked/prevented.
Please consider the environment before printing this e-mail
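An added example, not code from this thread and not an Oracle-supplied facility, of the DB-level LOGON trigger described above: it restricts which OS user, client IP address and client program may open a session as the application schema, and records every decision in an audit table. Assumptions, all hypothetical: the application schema is APPSCHEMA, the application server connects as OS user appsrv from 10.0.0.15 reporting MODULE 'appserver', and developers connect from the 10.1.2.0/24 subnet.

```sql
-- Audit table for accepted and refused logons (hypothetical name).
CREATE TABLE sec_logon_audit (
  ts       TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user  VARCHAR2(128), os_user VARCHAR2(128),
  ip_addr  VARCHAR2(64),  module  VARCHAR2(128),
  outcome  VARCHAR2(8)
);

-- Autonomous transaction, so the audit row survives when the trigger
-- afterwards raises an error (which rolls back the trigger's own work).
CREATE OR REPLACE PROCEDURE sec_log_logon(p_outcome IN VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_logon_audit (db_user, os_user, ip_addr, module, outcome)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),   SYS_CONTEXT('USERENV', 'MODULE'),
          p_outcome);
  COMMIT;
END;
/

-- Database-level LOGON trigger; must be created by an account holding
-- ADMINISTER DATABASE TRIGGER (typically SYS).
CREATE OR REPLACE TRIGGER trg_guard_app_schema
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_os_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'OS_USER');
  v_ip      VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_module  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'MODULE');
  v_allowed BOOLEAN := FALSE;
BEGIN
  -- Only the application schema is guarded; every other account passes.
  IF v_user <> 'APPSCHEMA' THEN
    RETURN;
  END IF;
  -- Path 1: the application server's own service account, host and program.
  IF v_os_user = 'appsrv' AND v_ip = '10.0.0.15' AND v_module = 'appserver' THEN
    v_allowed := TRUE;
  -- Path 2: developers on the office subnet (hypothetical 10.1.2.0/24).
  -- Local BEQ sessions have no IP_ADDRESS and are therefore refused here.
  ELSIF v_ip LIKE '10.1.2.%' THEN
    v_allowed := TRUE;
  END IF;
  IF v_allowed THEN
    sec_log_logon('ALLOW');
  ELSE
    sec_log_logon('DENY');
    RAISE_APPLICATION_ERROR(-20001, 'APPSCHEMA: connection source not approved');
  END IF;
END;
/
```

OS_USER and MODULE are values the client reports about itself, so of the three attributes only the IP address is not simply set by the connecting program. Accounts holding ADMINISTER DATABASE TRIGGER still get in when the trigger raises, so the DENY rows in the audit table are the detection and the trigger alone is not the whole control.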
On 2010.12.21 13:32, Niall Litchfield <niall.litchfield_at_gmail.com> (sent by oracle-l-bounce_at_freelists.org; To: Laimutis.Nedzinskas_at_seb.lt; cc: s.cislaghi_at_gmail.com, Oracle L <oracle-l_at_freelists.org>; Subject: Re: Database authentication and Active Directory) wrote:
Kerberos authentication of users requires the Advanced Security Option which in turn requires EE.
On Tue, Dec 21, 2010 at 10:47 AM, <Laimutis.Nedzinskas_at_seb.lt> wrote:
Kerberos is your answer.
Metalink and oracle has notes. And yes, it even works, done that myself. You login like that in SQLNav, Oracle Forms, sqlplus:
connect /
That's it. Then oracle works just "like MS SQL server", as one PM asked the Oracle consultant after he (the consultant) talked for 1h or so about Oracle acquisitions (this keyword was by far the TOP1 word during his otherwise clever speech) regarding "Identity Management", about 3 or 5 separate "acquired" products needed for that (and licensed separately too).
Truly speaking, Oracle does not work exactly like MS SQL Server: you still have to create users, privileges, roles, etc, etc. But the authentication burden is taken off, that's true.
On 2010.12.20 23:22, Stefano Cislaghi <s.cislaghi_at_gmail.com> (sent by Oracle L <oracle-l_at_freelists.org>, oracle-l-bounce_at_freelists.org; Subject: Database authentication and Active Directory) wrote:
Hi all, I'm looking around to check if there's a solution that does not force me to buy Oracle Internet Directory. The problem is rather simple: I want to authenticate my database users against Active Directory. That is to say, users are physically present in the database and only password verification is done in Active Directory. Grants, roles and other properties are stored in the database server. Users should be able to connect to the database either from their own workstation with applications similar to SQLDeveloper, or from third-party applications that do not reside on the user workstation (maybe Oracle BI). Metalink has no valid solution and also the administrator guide does not provide any interesting hint. Database is 11.2. OID is another expensive product I'm not able to buy today.
Thanks
Ste
--
http://www.stefanocislaghi.eu
--
http://www.freelists.org/webpage/oracle-l
--
Niall Litchfield
Oracle DBA
http://www.orawin.info

Received on Tue Dec 21 2010 - 09:52:01 CST