Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.misc -> Re: capture oracle pwd change in 3rd party application. help needed
Lasher wrote:
> Hi there.
>
> Here is the situation.
> An application was written to be used by a business department.
> Yes it would of been great if they properly coded their application to
> handle this. but they didn't and the owners don't want to pay the $$$$
> to change it.
>
> So, it falls to the DBA to fix it.
>
> First off.
> I am not creating accounts. The accounts are already there. If a
> person updates their password on one instances, I would like to use
> that to update the username/password (of that same user) on the other
> server/database.
>
> No user can create an account on machine A, use the software to create
> an account on machine B. This user won't hack into the other machine
> and see sensitive info because they already have permissions to see
> anything they want. All I want to do is keep passwords in sync.
>
> So,
> I appreciate the advice but I am not interested in a lesson on proper
> protocol regarding security. I know things could be better but this is
> what I got and I am looking for a fix. I am pretty sure that there are
> plenty of DBA that are forced to cut corners in regards to security.
> Such is life.
>
> Thanks in advance.
>
>
> Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1068581190.656237_at_yasure>...
>
>>Michael Gast wrote: >> >> >>>Hi Daniel, >>> >>>Daniel Morgan schrieb: >>> >>> >>> >>>>Lasher wrote: >>>> >>>> >>>> >>>> >>>>>Hi, >>>>> >>>>>I have clients using an application that allows users to change their >>>>>passwords. The application uses the 'ALTER USER xxx IDENTIFIED >>>>>BY.....' command. What I need to do is use Oracle to capture the >>>>>username and password and send the info to another Oracle instance on >>>>>a different server and update that users password. >>>>> >>>>>Basically I need to keep the user's password in sync between two >>>>>different databases. >>>>> >>>>>I also cannot change the application in anyway and therefore need to >>>>>do this from the Oracle side. >>>>> >>>>>Any ideas would be great......... >>>>> >>>>> >>>>> >>>>> >>>> >>>>Go to $ORACLE_HOME/rdmbs/admin >>>>Look at the file utlpwdmg.sql >>>> >>>>If you have any business doing this you will be able to fill in the rest >>>>of the picture. >>>> >>>>Personally I agree with Pete. This is nonsense and worse than nonsense a >>>>huge violation >>>>of any reasonable definition of system security. The OEM should fix the >>>>problem. And >>>>my advise to you would be not to do this. That it can be done doesn't >>>>mean that it should >>>>be done. The entire idea stinks. >>>> >>>> >>> >>>I agree with you. The idea stinks. I addition, i'm not covinced that >>>"Lasher" is "Mr. Lasher's" true name. >>> >>>But let us assume "Mr. Lasher" has a valid problem and does not want to >>>crack the DB. Could a possible solution be to realize a server sided >>>single sign on to multiple databases? I'm not a specialist for Oracle >>>security, but i've read in the "Security Overview" and the "Advanced >>>Security Administrators Guide" manuals from Oracle that this could be >>>done.I assume, this is not a crack and could be a usable solution for >>>"Mr. Lasher's" problem if he does not want to crack the DB. >>> >>> >>> >> >>Lots of things are possible. And the reason I am so suspicious is that >>if this architecture is required >>by a commercial app then the app's developers, resellers, and other >>customers would have already >>confronted and dealt with this issue. >> >>As it it not credible that the company selling the app doesn't have a >>solution the only logical >>conclusion is that the premise is a fabrication. >> >>-- >>Daniel Morgan >>http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp >>http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp >>damorgan_at_x.washington.edu >>(replace 'x' with a 'u' to reply) >> >> >>--
-- Regards, Frank van BortelReceived on Thu Nov 20 2003 - 14:43:02 CST