Re: capture oracle pwd change in 3rd party application. help needed

Hi there.

Here is the situation.
An application was written to be used by a business department. Yes it would of been great if they properly coded their application to handle this. but they didn't and the owners don't want to pay the $$$$ to change it.

So, it falls to the DBA to fix it.

First off.
I am not creating accounts. The accounts are already there. If a person updates their password on one instances, I would like to use that to update the username/password (of that same user) on the other server/database.

No user can create an account on machine A, use the software to create an account on machine B. This user won't hack into the other machine and see sensitive info because they already have permissions to see anything they want. All I want to do is keep passwords in sync.

So,
I appreciate the advice but I am not interested in a lesson on proper protocol regarding security. I know things could be better but this is what I got and I am looking for a fix. I am pretty sure that there are plenty of DBA that are forced to cut corners in regards to security. Such is life.

Thanks in advance.

Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1068581190.656237_at_yasure>...
> Michael Gast wrote:
>
> >Hi Daniel,
> >
> >Daniel Morgan schrieb:
> >
> >
> >>Lasher wrote:
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>I have clients using an application that allows users to change their
> >>>passwords. The application uses the 'ALTER USER xxx IDENTIFIED
> >>>BY.....' command. What I need to do is use Oracle to capture the
> >>>username and password and send the info to another Oracle instance on
> >>>a different server and update that users password.
> >>>
> >>>Basically I need to keep the user's password in sync between two
> >>>different databases.
> >>>
> >>>I also cannot change the application in anyway and therefore need to
> >>>do this from the Oracle side.
> >>>
> >>>Any ideas would be great.........
> >>>
> >>>
> >>>
> >>>
> >>Go to $ORACLE_HOME/rdmbs/admin
> >>Look at the file utlpwdmg.sql
> >>
> >>If you have any business doing this you will be able to fill in the rest
> >>of the picture.
> >>
> >>Personally I agree with Pete. This is nonsense and worse than nonsense a
> >>huge violation
> >>of any reasonable definition of system security. The OEM should fix the
> >>problem. And
> >>my advise to you would be not to do this. That it can be done doesn't
> >>mean that it should
> >>be done. The entire idea stinks.
> >>
> >>
> >
> >I agree with you. The idea stinks. I addition, i'm not covinced that
> >"Lasher" is "Mr. Lasher's" true name.
> >
> >But let us assume "Mr. Lasher" has a valid problem and does not want to
> >crack the DB. Could a possible solution be to realize a server sided
> >single sign on to multiple databases? I'm not a specialist for Oracle
> >security, but i've read in the "Security Overview" and the "Advanced
> >Security Administrators Guide" manuals from Oracle that this could be
> >done.I assume, this is not a crack and could be a usable solution for
> >"Mr. Lasher's" problem if he does not want to crack the DB.
> >
> >
> >
> Lots of things are possible. And the reason I am so suspicious is that
> if this architecture is required
> by a commercial app then the app's developers, resellers, and other
> customers would have already
> confronted and dealt with this issue.
>
> As it it not credible that the company selling the app doesn't have a
> solution the only logical
> conclusion is that the premise is a fabrication.
>
> --
> Daniel Morgan
> http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
> http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
> damorgan_at_x.washington.edu
> (replace 'x' with a 'u' to reply)
>
>
> --
Received on Thu Nov 20 2003 - 09:57:18 CST