Re: How to login to Oracle using Active Directory Account

From: Frank van Bortel <fbortel_at_home.nl>
Date: Tue, 15 Jun 2010 21:33:39 +0200
Message-ID: <47f6b$4c17d599$524ba3af$31958_at_cache6.tilbu1.nb.home.nl>



On 06/11/2010 05:30 PM, Michel Cadot wrote:
> "BicycleRepairman"<engel.kevin_at_gmail.com> wrote in message news:
> fe32dbbb-cfc3-44e8-9c02-bbeadeafcdfe_at_c10g2000yqi.googlegroups.com...
> On Jun 11, 7:42 am, kkausu<kka..._at_googlemail.com> wrote:
>> Hi Rob,
>>
>> I work in a school. In the last years we created user accounts for the
>> students in our Oracle DB.
>> Now we have an Active Directory (Windows Server 2008) and an Oracle
>> Server on a Windows 2008 Server.
>> I don't want to create accounts in AD and Oracle. Is there an easy way
>> to configure Oracle to use the AD for authentication?
>> Some software products can use LDAP or RADIUS to authenticate a user
>> on AD before accessing the software.
>>
>> I read some documents about Oracle SSO, OVD and OIM but I think I
>> don't need these big products?! In postgres, for example, you have to
>> configure a few lines.
>>
>> I don't want to administrate the user in 2 directories (AD and Oracle).
>> The user should login in oracle and oracle should ask the AD - ready.
>>
>> Is this possible???
>>
>> Thanks
>> kati
>
> You can't (easily) get rid of the requirement to have a user account
> in oracle to which the user logs in, but you can use Windows native
> authentication to make the management burden of users/groups/roles and
> rights pretty easy.
> Rob's description is correct, although you'll probably find it easier
> to set the
> os_authent_prefix=""
> and create the users as
> create user "MYDOMAIN\MYUSER" identified externally;
> You can make this very easy with the Oracle Admin Assistant for
> Windows, which will let you create the users in bulk based on an AD
> role, and you can use AD roles to permit/restrict oracle permissions.
> Bottom line -- you can do this with the tools Oracle's bundled with
> the system, you don't need anything special, and there's very little
> management overhead if you play your cards right.
>
> --------------------------------------
>
> Once again, you can do it using OVD to authenticate on database
> WITHOUT having an account on the database.
>
> Once again, you can't do it without using OVD, if you want to use
> an LDAP, and adding some Oracle specific extensions.
> It is possible (but not recommended) to directly use AD but you
> can't omit the Oracle extensions.
>
>
> Regards
> Michel
>
>

And the previous options only work for Oracle on MS Windows. Michel offers a generic solution.
-- 

Regards,

Frank van Bortel
Received on Tue Jun 15 2010 - 14:33:39 CDT
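
The Windows native authentication setup discussed in the quoted reply, as an added example that is not part of the original thread. MYDOMAIN, MYUSER and the connect alias are placeholders, the statements assume a DBA session on a database server running on Windows, and the `authentication_type` column assumes 11g or later.

```sql
-- Added example, not from the thread. MYDOMAIN and MYUSER are placeholders.

-- Prerequisite (sqlnet.ora on the Windows database server and on clients):
--   SQLNET.AUTHENTICATION_SERVICES = (NTS)

-- Empty prefix, as suggested in the thread, so the Oracle user name is
-- exactly DOMAIN\USER. Static parameter: takes effect after a restart.
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;

-- Check the two parameters that govern OS authentication.
-- remote_os_authent should stay FALSE: the NTS adapter does not need it,
-- and TRUE makes the database trust whatever OS user name a client sends.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- The account still exists in Oracle, but carries no Oracle password.
-- The quoted name must be upper case and use a backslash.
CREATE USER "MYDOMAIN\MYUSER" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "MYDOMAIN\MYUSER";

-- The domain user then connects without supplying credentials:
--   sqlplus /@myalias        (myalias is a placeholder TNS alias)

-- Periodic review: every externally authenticated account and its status,
-- to compare against current AD membership.
SELECT username, account_status, created
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;
```

Disabling or deleting the AD account blocks the login, but the Oracle account and its grants remain until they are dropped, so the last query is worth running whenever AD accounts are removed.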
