
Re: Auth via Active Directory

From: Yechiel Adar <adar76_at_inter.net.il>
Date: Tue, 19 Aug 2003 07:14:26 -0800
Message-ID: <F001.005CB888.20030819071426@fatcity.com>


It is more complex than this.
AFAIK, this will work with another LDAP, like AD. We are working with Windows domains, so it will not work.

Yechiel Adar
Mehish
----- Original Message -----
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
Sent: Tuesday, August 19, 2003 4:14 PM

> You should use "identified globally" when creating users. That will consult
> the authentication services
> and will change password in Kerberos or Novell directly.
>
> --
> Mladen Gogala
> Oracle DBA
>
>
>
> -----Original Message-----
> Yechiel Adar
> Sent: Tuesday, August 19, 2003 5:59 AM
> To: Multiple recipients of list ORACLE-L
>
>
> I am in the middle of implementing Oracle Advanced Security. Finished the
> initial testing and on the way to implement a test case. On the way I found
> out that you need Oracle Advanced Security for this.
>
> There is a problem that you need to address: How do you synchronize the
> passwords when a user changes his password? Say David gets to work in the
> morning and his password has expired and he changes it. Now a DBA must change
> the password in OID to allow him to log on with the new password. That means
> that the DBA knows all the passwords of all the users. BIG security breach.
> Also a lot of work for the DBA or the security administrator.
>
> We use Novell now and there is a product that does the work.
> It will send to OID the new password and also add or delete users as changes
> are applied in Novell.
>
> You still have to give permissions, via global rules, to the users so that
> adding a user does NOT let him access Oracle.
>
> Yechiel Adar
> Mehish
> ----- Original Message -----
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> Sent: Saturday, August 16, 2003 1:49 AM
>
>
> > Is there any way to get Oracle 8i (or 9i; we're planning to upgrade)
> > Enterprise Edition to authenticate against Active Directory, short of
> > buying Oracle Advanced Security?
> >
> > My goal is to remove the need to maintain a separate database of
> > passwords. Ideally, we could also do away with having the database
> > users enter passwords by handling Kerberos tickets, but I'd be happy
> > with them just entering the same password they enter to login to
> > Windows. And if we still need to manually add/remove users, that's
> > okay, too. (We'd probably want to, anyway; not everyone in the domain
> > should have an Oracle account.)
> >
> > In my fantasy world, authentication would all be done through a
> > function that I could modify. Then I could just create my users with
> > something like:
> >
> > create user "DOMAIN\USER" identified externally;
> >
> > as you would for OS$ authentication and then do something vaguely
> > like:
> >
> > create or replace function system.my_authenticate_user (
> >     p_username in varchar,
> >     p_password in varchar
> > ) return boolean as
> >
> >     v_usertype varchar2(30);
> >     v_session dbms_ldap.session;
> >
> > begin
> >     select authtype
> >       into v_usertype
> >       from dba_users
> >      where username = p_username;
> >
> >     if v_usertype = 'EXTERNAL' then
> >         v_session := dbms_ldap.init('my-domain-controller', 389);
> >         -- simple_bind_s returns a status code, not a boolean
> >         return dbms_ldap.simple_bind_s(v_session, p_username,
> >                                        p_password) = dbms_ldap.success;
> >     end if;
> >
> >     -- everyone else goes through the normal password check
> >     return standard_authenticate_user(p_username, p_password);
> >
> > exception
> >     when no_data_found then
> >         return false;
> > end;
> > /
> > show errors
> >
> > but I'm not aware of any such hook. There are logon triggers, but just
> > of the after type, not "instead of". ("create trigger ... after logon
> > on database" or something, for audit trails, I think.)
> >
> > Does anything like this exist? Or is there another way, however
> > convoluted?
> >
> > Thanks,
> > Scott Lamb
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: Scott Lamb
> > INET: slamb_at_slamb.org
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L (or the
> > name of mailing list you want to be removed from). You may also send
> > the HELP command for other information (like subscribing).

Received on Tue Aug 19 2003 - 10:14:26 CDT
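
An added example, not part of the thread or any poster's code: the LDAP simple-bind password check sketched in the quoted question, written so that a blank password can never count as a successful login. The function name ldap_password_ok and the host my-domain-controller are assumptions; only DBMS_LDAP calls that exist in the package are used.

```sql
-- Added example; ldap_password_ok and the host name are hypothetical.
CREATE OR REPLACE FUNCTION ldap_password_ok (
    p_bind_dn  IN VARCHAR2,   -- DN (or UPN) of the account being checked
    p_password IN VARCHAR2
) RETURN BOOLEAN AS
    v_session dbms_ldap.session;
    v_rc      PLS_INTEGER;
    v_ignore  PLS_INTEGER;
BEGIN
    -- A simple bind that carries a name but no password is an
    -- "unauthenticated bind" (RFC 4513, section 5.1.2) and many directory
    -- servers answer it with success. Refuse it before talking to LDAP.
    -- In PL/SQL '' is NULL, so one test covers both cases.
    IF p_bind_dn IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Make failed calls raise an exception instead of returning a code.
    dbms_ldap.use_exception := TRUE;

    -- Port 389 sends the password in clear text; a deployment would put
    -- the session under SSL before binding. A connection failure here
    -- propagates to the caller rather than being reported as a bad password.
    v_session := dbms_ldap.init('my-domain-controller', 389);

    BEGIN
        v_rc := dbms_ldap.simple_bind_s(v_session, p_bind_dn, p_password);
    EXCEPTION
        WHEN OTHERS THEN
            -- Wrong password, unknown DN, locked account: fail closed.
            v_ignore := dbms_ldap.unbind_s(v_session);
            RETURN FALSE;
    END;

    -- Always release the directory session.
    v_ignore := dbms_ldap.unbind_s(v_session);
    RETURN v_rc = dbms_ldap.success;
END;
/
show errors
```

This only verifies a password against the directory; as the thread notes, Oracle offers no "instead of" logon hook to plug such a function into.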
