Mladen,
 
This is precisely the content I have gone into in depth in my upcoming book, where this practice of OPS$ accounts has been discussed.
 
The security hole in OPS$ accounts is a bit overrated. Changing the username in Windows XP alone does not allow logging in to the database directly if OPS$ accounts are used. What you are referring to is setting the ORA_DBA group in Windows. Here is an excerpt from the book:
 
"If OPS$ accounts must be used, make sure that the init.ora parameter os_authent_prefix is set to OPS$ or some other value, not NULL. If it is null, as shown by an empty string "", the security is severely threatened. Anyone can create a userid called SYSTEM in the OS and then log on without a password as the Oracle user SYSTEM. If the os_authent_prefix is set to OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not SYSTEM. They are different users."
 
As you might notice, OPS$ accounts are somehow insecure, and I personally eschew them; but let's face it, in some situations, like in the case AK mentioned, the use is required. What the DBAs can do is to take some precautions to ensure security.
 
HTH.
 
Arup
----- Original Message -----
Sent: Thursday, June 19, 2003 4:19 PM
Subject: RE: oracle authentication from windows

That, of course, will render your database totally insecure and open to anybody
who can bring in a WinXP laptop, change the windoze username and log in as he pleases.
A DBA who sets his production parameters the way Arup described deserves to be
publicly tortured by Bill O'Reilly in the "no spin zone".
 

Mladen Gogala
Oracle DBA
Phone:(203) 459-6855
Email:[EMAIL PROTECTED]

-----Original Message-----
From: Arup Nanda [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 3:46 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: oracle authentication from windows

Sure.
 
Just declare these in your init.ora
 
os_authent_prefix=OPS$
remote_os_authent=TRUE
 
bounce the database, add a user called OPS$<the Windows username>, e.g. OPS$AK if your Windows login id is AK as
 
create user ops$ak identified externally;
 
From Windows, connect as "/@servicename", e.g. sqlplus /@service1
 
If it doesn't work, the OS user may be different. Use this query while connected to the database from the Windows client.
 
SQL> select sys_context('USERENV','OS_USER') from dual;
 
See what OS username comes up; use that instead.
 
HTH.
 
Arup Nanda
www.proligence.com
 
 
----- Original Message -----
From: AK
Sent: Thursday, June 19, 2003 1:10 PM
Subject: oracle authentication from windows

We want our client users (forms users) to just enter their Windows password and then automatically be able to get in to Oracle. Is there a way Oracle can authenticate from Windows (or Active Directory)? Embedding the password in runform.exe is not an option.
 
thanks,
-ak
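
Added example, not part of any message in this thread: a small init.ora check for the two parameters discussed above, os_authent_prefix and remote_os_authent. The function names and the NULL_PREFIX sample are assumptions made for illustration; THREAD_CONFIG repeats the two settings quoted in the thread.

```python
# Settings as quoted in the thread.
THREAD_CONFIG = """
os_authent_prefix=OPS$
remote_os_authent=TRUE
"""

# Constructed sample: the empty-prefix case the book excerpt warns about.
NULL_PREFIX = '''
# constructed example
os_authent_prefix = ""
remote_os_authent = FALSE
'''

def parse_init_ora(text):
    """Return {lowercased parameter: value} from simple name=value lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip().strip("'\"")
    return params

def external_account(os_user, prefix):
    """Oracle account name an OS user maps to under the given prefix."""
    return (prefix + os_user).upper()

def audit_os_auth(text):
    """Return findings for the OS-authentication parameters."""
    p = parse_init_ora(text)
    findings = []
    # Oracle defaults to OPS$ when the parameter is not set.
    prefix = p.get("os_authent_prefix", "OPS$")
    if prefix == "":
        findings.append("os_authent_prefix is empty: OS user SYSTEM maps to "
                        "Oracle user " + external_account("system", prefix))
    # Default is FALSE; TRUE accepts the OS username reported by the client.
    if p.get("remote_os_authent", "FALSE").upper() == "TRUE":
        findings.append("remote_os_authent=TRUE: OS username is asserted by "
                        "the remote client, not verified by the server")
    return findings

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("null prefix", NULL_PREFIX)):
        print(name, audit_os_auth(cfg))
```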
