Re: Client Logins with Proxy

From: David Trahan <dtrahan_at_tyler.ultranet.com>
Date: 1996/03/11
Message-ID: <4i245f$6u3_at_caesar.ultra.net>#1/1


Robert Born <ststrmb_at_sugarland.unocal.com> wrote:

>Ed Jennings wrote:
>>
>> I've gone to proxy logins for some applications, but now I can't
>> use windows based tools to login to Oracle because they are unable
>> to pass the slash as the login id. I've heard that there is a
>> windows env variable that I can set to get around this. Does anyone
>> know how to solve this problem?
>Ed,
>
>I assume by proxy logons you mean the users are "identified externally"
>to Oracle. Here is some good news and some bad news. Assuming you have
>a user FRED created on your server, the following line in Fred's
>oracle.ini file should get him in without a slash:
>
>USERNAME=FRED
>
>Now for the bad news. By changing this entry Fred can get in as anybody
>he wants to be. This is why Oracle Support won't tell you how to do it.
>If you have an externally validated user with DBA privilege, Fred or
>anyone with SQL*Net installed can pop in and do anything they want.
>
>I have been experimenting with this using Server Manager on the PC with
>SQL*Net 2.2 and several Oracle instances on Sun servers. Now that I
>have discovered this, we may have to either abandon proxy logins or buy
>Oracle's Secure Network Services.

FYI - Secure Network Services does NOT solve this problem alone. SNS provides authentication adapter hooks so that you can use things like Kerberos or Smartcards to authenticate users. So in ADDITION to SNS, you need Kerberos or a supported smart card product and all the baggage that is required on the PC to support them. From what I hear it's not a pretty picture.

Dave Trahan
dtrahan_at_ultranet.com

Received on Mon Mar 11 1996 - 00:00:00 CET
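
An audit a DBA could run to see how exposed a server is to the situation discussed in this thread (an added example, not part of the original posts). It assumes a DBA session and a release where DBA_USERS has the AUTHENTICATION_TYPE column; the initialization parameters remote_os_authent and os_authent_prefix are not named in the thread and are brought in here as the server-side settings that govern externally identified logins.

```sql
-- Added audit example, not from the original thread.
-- Assumption: DBA_USERS.AUTHENTICATION_TYPE is available (11g and later).
-- On older releases, externally identified accounts show PASSWORD = 'EXTERNAL'.

-- 1. Does the server accept the OS username asserted by a remote client?
--    remote_os_authent = TRUE means a client-supplied name is trusted as-is.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account with the roles and system
--    privileges granted to it directly. Anything marked HIGH is an account
--    that a spoofed client username would reach with broad rights.
SELECT u.username,
       u.account_status,
       rp.granted_role AS grant_name,
       'ROLE'          AS grant_type,
       CASE WHEN rp.granted_role = 'DBA' THEN 'HIGH' ELSE 'CHECK' END AS risk
  FROM dba_users u
  JOIN dba_role_privs rp ON rp.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username,
       u.account_status,
       sp.privilege,
       'SYSTEM PRIVILEGE',
       CASE WHEN sp.privilege LIKE '%ANY%' THEN 'HIGH' ELSE 'CHECK' END
  FROM dba_users u
  JOIN dba_sys_privs sp ON sp.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY 1, 4, 3;
```

Roles granted through other roles are not expanded by this query, so an account marked CHECK still needs its role membership reviewed.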