Re: oracle authentication from windows
Mladen,

This is precisely the content I have gone into in depth in my upcoming book, where this practice of OPS$ accounts has been discussed.

The security hole in OPS$ accounts is a bit overrated. Changing the username in Windows XP alone does not allow logging in to the database directly if OPS$ accounts are used. What you are referring to is setting the ORA_DBA group in Windows. Here is an excerpt from the book:

"If OPS$ accounts must be used, make sure that init.ora parameter os_authent_prefix is set to OPS$ or some other value, not NULL. If it is null, as shown by an empty string "", the security is severely threatened. Anyone can create a userid called SYSTEM in the OS and then log on without a password as the Oracle user SYSTEM. If the os_authent_prefix is set to OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not SYSTEM. They are different users."

As you might notice, OPS$ accounts are somehow insecure, and I personally eschew them; but let's face it, in some situations, like in the case AK mentioned, the use is required. What the DBAs can do is to take some precautions to ensure security.

HTH.

Arup

To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 4:19 PM
Subject: RE: oracle authentication from windows

That, of course, will render your database totally insecure and open to anybody who can bring in a WinXP laptop, change the windoze username and log in as he pleases.

A DBA that sets his production parameters the way Arup described deserves to be publicly tortured by Bill O'Reilly in the "no spin zone".

Mladen Gogala
Oracle DBA
Phone:(203) 459-6855
Email:[EMAIL PROTECTED]

-----Original Message-----
From: Arup Nanda [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 19, 2003 3:46 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: oracle authentication from windows

Sure.

Just declare these in your init.ora

    os_authent_prefix=OPS$
    remote_os_authent=TRUE

bounce the database, add a user called OPS$<the Windows username>, e.g. OPS$AK if your Windows login id is AK, as

    create user ops$ak identified externally;

From Windows connect as "/@servicename", e.g. sqlplus /@service1

If it doesn't work, the OS user may be different. Use this query while connected to the database from the Windows client.

    SQL> select sys_context('USERENV','OS_USER') from dual;

See what OS username comes up; use that instead.

HTH.

Arup Nanda
www.proligence.com

To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 1:10 PM
Subject: oracle authentication from windows

We want our client users (forms user) to just enter the Windows password and then automatically be able to get in to Oracle. Is there a way Oracle can authenticate from Windows (or Active Directory)? Embedding the password in runform.exe is not an option.

thanks,
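
An added example, not part of the original thread or of the book excerpt quoted in it: a Python check of init.ora text for the two settings debated above, an empty os_authent_prefix and remote_os_authent=TRUE. The function names and the sample parameter files are constructed for illustration, and the values assumed when a parameter is absent are Oracle's documented defaults (OPS$ and FALSE).

```python
import re

# Oracle's documented defaults, applied when a parameter is absent from init.ora.
DEFAULTS = {"os_authent_prefix": "OPS$", "remote_os_authent": "FALSE"}

def parse_init_ora(text):
    """Return {parameter name (lowercase): value} from init.ora text."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # pfiles generated from an spfile prefix names with "*." or "<sid>."
        name = name.strip().lower().rsplit(".", 1)[-1]
        value = value.strip()
        quoted = re.match(r"""(["'])(.*?)\1""", value)
        if quoted:
            value = quoted.group(2)                 # "" becomes the empty string
        else:
            value = value.split("#", 1)[0].strip()  # drop a trailing comment
        params[name] = value
    return params

def mapped_account(prefix, os_user):
    """Oracle account that an OS user maps to under the given prefix."""
    return (prefix + os_user).upper()

def audit(text, os_users=("SYSTEM",)):
    """Return (parameter, finding) tuples for the OS-authentication settings."""
    params = {**DEFAULTS, **parse_init_ora(text)}
    prefix = params["os_authent_prefix"]
    findings = []
    if prefix == "":
        for user in os_users:
            findings.append(("os_authent_prefix",
                             f"empty prefix: OS user {user} maps to Oracle "
                             f"account {mapped_account(prefix, user)}"))
    if params["remote_os_authent"].upper() == "TRUE":
        findings.append(("remote_os_authent",
                         "database trusts the OS username reported by remote clients"))
    return findings

# Constructed samples: the settings posted in the thread, and a null prefix.
SAMPLE_THREAD = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"
SAMPLE_NULL = '# constructed sample\n*.os_authent_prefix = ""   # null prefix\n'

if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_THREAD), ("null prefix", SAMPLE_NULL)):
        for param, finding in audit(sample):
            print(f"{label}: {param}: {finding}")
```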