Joel Garry wrote:
>Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1068147990.413220_at_yasure>...
>
>
>>Lasher wrote:
>>
>>
>>
>>>Hi,
>>>
>>>I have clients using an application that allows users to change their
>>>passwords. The application uses the 'ALTER USER xxx IDENTIFIED
>>>BY.....' command. What I need to do is use Oracle to capture the
>>>username and password and send the info to another Oracle instance on
>>>a different server and update that users password.
>>>
>>>Basically I need to keep the user's password in sync between two
>>>different databases.
>>>
>>>I also cannot change the application in anyway and therefore need to
>>>do this from the Oracle side.
>>>
>>>Any ideas would be great.........
>>>
>>>
>>>
>>>
>>Go to $ORACLE_HOME/rdmbs/admin
>>Look at the file utlpwdmg.sql
>>
>>If you have any business doing this you will be able to fill in the rest
>>of the picture.
>>
>>Personally I agree with Pete. This is nonsense and worse than nonsense a
>>huge violation
>>of any reasonable definition of system security. The OEM should fix the
>>problem. And
>>my advise to you would be not to do this. That it can be done doesn't
>>mean that it should
>>be done. The entire idea stinks.
>>
>>
>
>I'm not sure what is so wrong about this, at least using Pete's
>suggestion of Identified by Values in a non-public environment? It
>seems as reasonable as, say, copying /etc/passwd (or shadow
>equivalents) and user files to synchronize users on two identical
>servers.
>
>jg
>--
>@home.com is bogus.
>http://www.signonsandiego.com/news/metro/20031106-9999_2m6wage.html
>
>
My objection is that it would take me a matter of minutes to make myself
an account on another
machine on which I had no permissions. It is a hacker's delight.
--
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Fri Nov 07 2003 - 00:21:09 CST
