Re: capture oracle pwd change in 3rd party application. help needed

From: Frank <fbortel_at_nescape.net>
Date: Thu, 20 Nov 2003 21:43:02 +0100
Message-ID: <bpj8h5$5ep$1@news1.tilbu1.nb.home.nl>


Lasher wrote:
> Hi there.
>
> Here is the situation.
> An application was written to be used by a business department.
> Yes, it would have been great if they properly coded their application to
> handle this, but they didn't and the owners don't want to pay the $$$$
> to change it.
>
> So, it falls to the DBA to fix it.
>
> First off.
> I am not creating accounts. The accounts are already there. If a
> person updates their password on one instance, I would like to use
> that to update the username/password (of that same user) on the other
> server/database.
>
> No user can create an account on machine A, use the software to create
> an account on machine B. This user won't hack into the other machine
> and see sensitive info because they already have permissions to see
> anything they want. All I want to do is keep passwords in sync.
>
> So,
> I appreciate the advice but I am not interested in a lesson on proper
> protocol regarding security. I know things could be better but this is
> what I got and I am looking for a fix. I am pretty sure that there are
> plenty of DBAs that are forced to cut corners in regards to security.
> Such is life.
>
> Thanks in advance.
>
>
> Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1068581190.656237_at_yasure>...
>

>>Michael Gast wrote:
>>
>>
>>>Hi Daniel,
>>>
>>>Daniel Morgan wrote:
>>>
>>>>Lasher wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I have clients using an application that allows users to change their
>>>>>passwords. The application uses the 'ALTER USER xxx IDENTIFIED
>>>>>BY.....' command. What I need to do is use Oracle to capture the
>>>>>username and password and send the info to another Oracle instance on
>>>>>a different server and update that user's password.
>>>>>
>>>>>Basically I need to keep the user's password in sync between two
>>>>>different databases.
>>>>>
>>>>>I also cannot change the application in any way and therefore need to
>>>>>do this from the Oracle side.
>>>>>
>>>>>Any ideas would be great.........
>>>>>
>>>>
>>>>Go to $ORACLE_HOME/rdbms/admin
>>>>Look at the file utlpwdmg.sql
>>>>
>>>>If you have any business doing this you will be able to fill in the rest
>>>>of the picture.
>>>>
>>>>Personally I agree with Pete. This is nonsense and, worse than nonsense, a
>>>>huge violation of any reasonable definition of system security. The OEM
>>>>should fix the problem. And my advice to you would be not to do this. That
>>>>it can be done doesn't mean that it should be done. The entire idea stinks.
>>>
>>>I agree with you. The idea stinks. In addition, I'm not convinced that
>>>"Lasher" is "Mr. Lasher's" true name.
>>>
>>>But let us assume "Mr. Lasher" has a valid problem and does not want to
>>>crack the DB. Could a possible solution be to realize a server-side
>>>single sign-on to multiple databases? I'm not a specialist for Oracle
>>>security, but I've read in the "Security Overview" and the "Advanced
>>>Security Administrators Guide" manuals from Oracle that this could be
>>>done. I assume this is not a crack and could be a usable solution for
>>>"Mr. Lasher's" problem if he does not want to crack the DB.
>>>
>>
>>Lots of things are possible. And the reason I am so suspicious is that
>>if this architecture is required by a commercial app then the app's
>>developers, resellers, and other customers would have already
>>confronted and dealt with this issue.
>>
>>As it is not credible that the company selling the app doesn't have a
>>solution, the only logical conclusion is that the premise is a fabrication.
>>
>>-- 
>>Daniel Morgan
>>http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
>>http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
>>damorgan_at_x.washington.edu
>>(replace 'x' with a 'u' to reply)
>>
>>
>>--

Any reason you do not want to use the
alter user xxx identified by values '.....'; approach?
-- 
Regards, Frank van Bortel
Received on Thu Nov 20 2003 - 14:43:02 CST
