Re: OS authentication question

From: Frank van Bortel <>
Date: Thu, 17 Jan 2008 11:36:54 +0100
Message-ID: <cda09$478f2fc6$524b5c40$>

GS wrote:
> bdbafh wrote:

>> On Jan 16, 4:23 pm, GS <> wrote:
>>> Database is running on W2K server, clients are windows xp pro
>>> running 9i client.
>>> We've not used OS authentication here for any databases yet, so this is
>>> relatively new to me. To make our SOX compliance easier we are thinking
>>> about going to OS authentication for a lot of our app's that run on
>>> Oracle databases, since our network passwords are now very stringent and
>>> the beancounters are saying the database passwords need to meet the same
>>> criteria, but if the users connect with the complex OS password then we
>>> are ok.
>>> So, on a test database I created a login for myself with the following:
>>> create user "ops$my_domain\my_network_username" identified externally;
>>> grant connect, create session et. to the new user (me)
>>> I enter "sqlplus /nolog" then "connect / @testdb" and I am in with no
>>> password, as expected. So far so good, so I take an existing user in the
>>> test database, and from EOM I highlight this user and choose create like
>>> so he will have the correct roles etc., then add
>>> "ops$my_domain\his_domain_username" in the database. We try from his
>>> machine to connect via sqlplus the same way I did, and I am getting
>>> invalid username/password errors. I double checked the new username I
>>> created for him and all looks fine.
>>> The servers sqlnet.ora file has SQLNET.AUTHENTICATION_SERVICES= (NTS), I
>>> thought I might need that on the client side too but my machine is
>>> SQLNET.AUTHENTICATION_SERVICES= (NONE) and I can connect ok. I am on my
>>> way back over to check his sqlnet.ora file, but is there something else
>>> I am missing here?
>>> thanks in advance
>> One could use an LDAP server for authenticating via the operating
>> system, such as MS Active Directory.
>> Assuming that you're running Oracle Standard Edition (or Standard
>> Edition One), try running the cost of an upgrade of the existing
>> database server licenses to Enterprise Edition with the Advanced
>> Networking Option (or is it the Advanced Security Option) at 50K USD
>> per cpu.
>> If you're running on a quad core, dual cpu box that will run around
>> 200K USD plus annual support and maintenance will scale accordingly.
>> Float a (list) cost of 300K per database server over a 5 year period
>> at the bean counters and watch them change their tune.
>> Unfunded mandates can be fun.
>> -bdbafh

> I was actually thinking about using either Active Directory or OID
> (which I use for names resolution only right now) for this, but first
> want to get my head wrapped around the in's & outs of basic OS
> Authentication first..

Where you are using OID for now, it's usage is free. Not so when you plan to use it for authentication and/or authorization.
> We are on Enterprise edition right now, but afaik we don't have the
> advanced security option licensed.

You do not need the Advanced Sucurity license: "If you wish to use Enterprise User Security in Oracle Database Enterprise Edition, you no longer need to license the Oracle Advanced Security Option for password-based authentication. However, you must license Oracle Internet Directory (OID). If you wish to use stronger authentication alternatives (such as Kerberos or PKI) for Enterprise User Security, you must license Oracle Advanced Security and the Oracle Internet Directory (OID)."

From the Adv Sec license information page:

The bean-counters are external and
> they did the findings and are doing the test audit, and they could care
> less about cost, additional manpower etc. The more I talk to different
> DBA's about what they had to do to meet compliance compared to what we
> have had to do, the more jaded I am towards this whole process. One of
> their first findings in fact, was that NO ONE should have table level
> access to any database, period. When my boss pointed out (as nice as he
> could)that table level access to a database was part of a DBA's job,
> they came back with a process where I would formally fill out a form
> each time I went into a database as sys or system that he would approve,
> then he would come and watch me while I was in as sys or system until I
> was done, to be repeated again the next time, etc. I kid you not. (they
> eventually backed off on this after a lengthy string of "colorful
> metaphors" from my boss)

Yup, sounds familiar. DBA Vault is yet an extra option... But seriously, there is nowhere written that no-one should have table level access, just that is should not go unnoticed. That means logging.
> Anyway, that's OT and a topic by itself, whether we go to OS credential
> logons or not, it is a good chance for me to get to know all of the in's
> & out's of this as well as how the OID/AD scenario can be used here.
> cheers!

I've been blogging about OID and AD syncing and Enterprise security.


Frank van Bortel

Top-posting in UseNet newsgroups is one way to shut me up
Received on Thu Jan 17 2008 - 04:36:54 CST

Original text of this message