Oracle FAQ Your Portal to the Oracle Knowledge Grid

Auth via Active Directory

From: Scott Lamb <slamb_at_slamb.org>
Date: Fri, 15 Aug 2003 15:49:23 -0800
Message-ID: <F001.005CAF53.20030815154923@fatcity.com>


Is there any way to get Oracle 8i (or 9i; we're planning to upgrade) Enterprise Edition to authenticate against Active Directory, short of buying Oracle Advanced Security?

My goal is to remove the need to maintain a separate database of passwords. Ideally, we could also do away with having the database users enter passwords by handling Kerberos tickets, but I'd be happy with them just entering the same password they enter to log in to Windows. And if we still need to manually add/remove users, that's okay, too. (We'd probably want to, anyway; not everyone in the domain should have an Oracle account.)

In my fantasy world, authentication would all be done through a function that I could modify. Then I could just create my users with something like:

     create user "DOMAIN\USER" identified externally;

as you would for OS$ authentication and then do something vaguely like:

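     create or replace function system.my_authenticate_user (
         p_username      in varchar,
         p_password      in varchar
     ) return boolean as

         v_usertype      varchar2(30);
         v_session       dbms_ldap.session;

     begin
         -- "authtype" is this sketch's stand-in for however the account is
         -- marked as externally identified.
         select    authtype
         into      v_usertype
         from      dba_users
         where     username = p_username;

         if v_usertype = 'EXTERNAL' then
             -- An LDAP simple bind with an empty password is an anonymous
             -- bind and can succeed, so reject it before contacting the DC.
             if p_password is null then
                 return false;
             end if;

             -- Port 389 is unencrypted LDAP: a simple bind sends the
             -- password over the network in clear text.
             v_session := dbms_ldap.init('my-domain-controller', 389);
             -- simple_bind_s returns a status code, not a boolean.
             return dbms_ldap.simple_bind_s(v_session, p_username,
                                            p_password) = dbms_ldap.success;
         end if;

         -- Hypothetical built-in that performs the normal password check.
         return standard_authenticate_user(p_username, p_password);

     exception
     when no_data_found then
         return false;
     end;
     /
     show errors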

but I'm not aware of any such hook. There are logon triggers, but just of the after type, not "instead of". ("create trigger ... after logon on database" or something, for audit trails, I think.)

Does anything like this exist? Or is there another way, however convoluted?

Thanks,
Scott Lamb

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Received on Fri Aug 15 2003 - 18:49:23 CDT
