Oracle-L mailing list: Re: oracle authentication from windows
AK,
The issue is not creating an id called OPS$SYSTEM on XP, but on the database. Say you created a user called OPS$SYSTEM as
create user ops$system identified externally;
The XP user should be SYSTEM, not OPS$SYSTEM, to log on to this account.
Now suppose your os_authent_prefix is set to "" (null); then the Oracle user SYSTEM, not OPS$SYSTEM, is authenticated externally. If someone creates a user in XP called SYSTEM, she can call
sqlplus /@service1
The OS user is SYSTEM, os_authent_prefix is null, so Oracle will let the user be logged on as Oracle user SYSTEM!
Therefore, always have a not null value in os_authent_prefix, e.g. OPS$.
If the XP user is OPS$SYSTEM, the Oracle user should be OPS$OPS$SYSTEM, not OPS$SYSTEM. I hope you see the difference.
HTH.
Arup
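
The settings discussed in this thread can be checked from SQL*Plus with the audit below. It is an added example, not part of the original messages. It assumes an 11g-or-later data dictionary, where DBA_USERS has an AUTHENTICATION_TYPE column, and a session with access to V$PARAMETER, DBA_USERS and DBA_ROLE_PRIVS.

```sql
-- Added example: audit OS-authenticated (externally identified) accounts.
-- Assumption: DBA_USERS.AUTHENTICATION_TYPE exists (11g and later). On the
-- 9i/10g releases current when this thread was written, use
-- "u.password = 'EXTERNAL'" as the predicate instead.

-- 1. The two init.ora parameters from the thread. An empty
--    os_authent_prefix is stored as NULL and is shown here as "(null)".
select name, nvl(value, '(null)') as value
from   v$parameter
where  name in ('os_authent_prefix', 'remote_os_authent');

-- 2. Each externally identified account, the OS username that maps to it
--    under the current prefix, and whether the account holds the DBA role.
select u.username as oracle_user,
       case
         when p.value is null
           then u.username                      -- null prefix: names match 1:1
         when substr(u.username, 1, length(p.value)) = upper(p.value)
           then substr(u.username, length(p.value) + 1)
         else '(none under current prefix)'
       end as os_user_that_maps_here,
       (select count(*)
        from   dba_role_privs r
        where  r.grantee = u.username
        and    r.granted_role = 'DBA') as dba_grants
from   dba_users u,
       (select value from v$parameter where name = 'os_authent_prefix') p
where  u.authentication_type = 'EXTERNAL'
order  by u.username;
```

Rows to review first are those where os_user_that_maps_here equals oracle_user (the null-prefix case described above) or where dba_grants is non-zero.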
Arup,
Why can't someone create an account like ops$system on XP and get in? If they can create system then why not ops$system? Secondly, OS authentication means the operating system is going to take care of auth, right? It's up to the OS not to allow the users to change their ids.
-ak
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 3:34 PM
Subject: Re: oracle authentication from windows
Mladen,
This is precisely the content I have gone into in depth in my upcoming book, where this practice of OPS$ accounts has been discussed.
The security hole in OPS$ accounts is a bit overrated. Changing the username in Windows XP alone does not allow logging in to the database directly if OPS$ accounts are used. What you are referring to is setting the ORA_DBA group in Windows. Here is an excerpt from the book:
"If OPS$ accounts must be used, make sure that init.ora parameter os_authent_prefix is set to OPS$ or some other value, not NULL. If it is null, as shown by an empty string "", the security is severely threatened. Anyone can create a userid called SYSTEM in the OS and then log on without a password as the Oracle user SYSTEM. If the os_authent_prefix is set to OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not SYSTEM. They are different users."
As you might notice, OPS$ accounts are somehow insecure, and I personally eschew them; but let's face it, in some situations, like in the case AK mentioned, the use is required. What the DBAs can do is to take some precautions to ensure security.
HTH.
Arup
That, of course, will render your database totally insecure and open to anybody who can bring in a WinXP laptop, change the windoze username and log in as he pleases. DBA that sets his production parameters the way Arup described deserves to be publicly tortured by Bill O'Reilly in the "no spin zone".
Mladen Gogala
Oracle DBA
Phone:(203) 459-6855
-----Original Message-----
From: Arup Nanda [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 19, 2003 3:46 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: oracle authentication from windows
Sure. Just declare these in your init.ora
os_authent_prefix=OPS$
remote_os_authent=TRUE
bounce the database, add a user called OPS$<the Windows username>, e.g. OPS$AK if your Windows login id is AK as
create user ops$ak identified externally;
From Windows connect as "/@servicename", e.g.
sqlplus /@service1
If it doesn't work, the OS user may be different. Use this query while connected to the database from the Windows client.
SQL> select sys_context('USERENV','OS_USER') from dual;
See what OS username comes up; use that instead.
HTH.
Arup Nanda
www.proligence.com
----- Original Message -----
From: AK
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 1:10 PM
Subject: oracle authentication from windows
We want our client users (forms user) to just enter windows password and then automatically able to get in to oracle. Is there a way oracle can authenticate from windows (or active directory)?
Embedding password in runform.exe not an option.
thanks,