
Re: capture oracle pwd change in 3rd party application. help needed

From: Joel Garry <joel-garry_at_home.com>
Date: 12 Nov 2003 17:19:11 -0800
Message-ID: <91884734.0311121719.3bbffdb3@posting.google.com>


Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1068581190.656237_at_yasure>...
> Michael Gast wrote:
>
> >Hi Daniel,
> >
> >Daniel Morgan wrote:
> >
> >
> >>Lasher wrote:
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>I have clients using an application that allows users to change their
> >>>passwords. The application uses the 'ALTER USER xxx IDENTIFIED
> >>>BY.....' command. What I need to do is use Oracle to capture the
> >>>username and password and send the info to another Oracle instance on
> >>>a different server and update that users password.
> >>>
> >>>Basically I need to keep the user's password in sync between two
> >>>different databases.
> >>>
> >>>I also cannot change the application in any way and therefore need to
> >>>do this from the Oracle side.
> >>>
> >>>Any ideas would be great.........
> >>>
> >>>
> >>>
> >>>
> >>Go to $ORACLE_HOME/rdbms/admin
> >>Look at the file utlpwdmg.sql
> >>
> >>If you have any business doing this you will be able to fill in the rest
> >>of the picture.
> >>
> >>Personally I agree with Pete. This is nonsense and worse than nonsense, a
> >>huge violation of any reasonable definition of system security. The OEM
> >>should fix the problem. And my advice to you would be not to do this.
> >>That it can be done doesn't mean that it should be done. The entire idea
> >>stinks.
> >>
> >>
> >
> >I agree with you. The idea stinks. In addition, I'm not convinced that
> >"Lasher" is "Mr. Lasher's" true name.
> >
> >But let us assume "Mr. Lasher" has a valid problem and does not want to
> >crack the DB. Could a possible solution be to realize a server sided
> >single sign on to multiple databases? I'm not a specialist for Oracle
> >security, but I've read in the "Security Overview" and the "Advanced
> >Security Administrators Guide" manuals from Oracle that this could be
> >done. I assume, this is not a crack and could be a usable solution for
> >"Mr. Lasher's" problem if he does not want to crack the DB.
> >
> >
> >
> Lots of things are possible. And the reason I am so suspicious is that
> if this architecture is required by a commercial app then the app's
> developers, resellers, and other customers would have already
> confronted and dealt with this issue.
>
> As it is not credible that the company selling the app doesn't have a
> solution the only logical conclusion is that the premise is a fabrication.

The situation I've seen is someone wants a reporting instance to keep the production instance unaffected, refreshes are periodic, they want to use the vendor tool to access the db. So if the user changes his own password in the app, how do you sync between refreshes? Like I posted earlier, it always wound up being "wait for the refresh or make the admin get involved," but I can still see where someone might legitimately want it. And I do agree with your suspicions, too, but it is not the only logical conclusion.

jg

--
@home.com is bogus.
http://zdnet.com.com/2100-1104_2-5106450.html
Received on Wed Nov 12 2003 - 19:19:11 CST
