Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: OS_AUTHENT + LDAP

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 24 Jul 2003 20:00:29 +0100
Message-ID: <nRj1ZfBNzCI$EwAQ@peterfinnigan.demon.co.uk>


Hi Markus,

Beware that setting os_roles and remote_os_roles will allow the OS to manage the user's roles rather than the database. When a user creates a session, the user's security domain is initialised using roles from the OS. The OS then manages roles, not the database. Any roles created in the database are ignored, and any attempt to revoke roles granted by the OS is also ignored.

There is a security risk with this in that an untrusted client could be used to enable roles to spoof privileges in the database. Also, if you intend to use roles within the database for non-LDAP users, you will have to control all users' roles from the OS if you use these parameters.

This might not help your issue but you should be aware of this.

hth

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Thu Jul 24 2003 - 14:00:29 CDT
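
Added example (not part of the post above): a small Python check that flags the two parameters the message warns about when they are enabled in init.ora-style text. The function name `audit_pfile` and both sample files are constructed for illustration; it assumes plain `name = value` lines with `#` comments and that the last assignment of a parameter wins.

```python
import re

# The two parameters named in the post, with the risk the post describes.
RISKY = {
    "os_roles": "roles are taken from the OS; role grants made in the database are ignored",
    "remote_os_roles": "OS-supplied roles are accepted from remote clients, which may be untrusted",
}

# Matches "name = value", optionally prefixed "*." or "SID." as in exported pfiles.
LINE = re.compile(r"^\s*(?:\*\.|\w+\.)?(\w+)\s*=\s*(.*)$")

def audit_pfile(text):
    """Return {parameter: risk} for risky parameters set to TRUE in the given text."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = LINE.match(line)
        if m:
            name = m.group(1).lower()        # parameter names are case-insensitive
            value = m.group(2).strip().strip("'\"").upper()
            effective[name] = value          # assumption: last assignment wins
    return {p: why for p, why in RISKY.items() if effective.get(p) == "TRUE"}

# Constructed sample: the weak configuration the post warns about.
SAMPLE_WEAK = """\
# constructed sample, not from the post
db_name = ORCL
os_roles = TRUE
remote_os_roles = true   # roles supplied by the client's OS
"""

# Constructed sample: the same file with database-managed roles.
SAMPLE_HARDENED = """\
db_name = ORCL
os_roles = FALSE
remote_os_roles = FALSE
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = audit_pfile(text)
        print(label, "->", "no findings" if not findings else "")
        for param, why in findings.items():
            print(f"  {param} = TRUE: {why}")
```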
