|
AK,
The issue is not creating an id called OPS$ SYSTEM
on XP, but on the database. Say, you created a user called OPS$SYSTEM
as
create user ops$system identified
externally;
The XP user should be SYSTEM, not OPS$SYSTEM, to
log on to this account.
Now suppose, your os_authent_prefix is set to ""
(null), then the Oracle user SYSTEM, not OPS$SYSTEM is authenticated
externally. If someone creates a user in XP called SYSTEM, she can
call
The OS user is SYSTEM, os_authent_prefix is null,
so Oracle will let the user be logged on as oracle user SYSTEM!
Therefore, always have a not null value in
os_authent_prefix, e.g. OPS$.
If the XP user is OPS$SYSTEM, the oracle user
should be OPS$OPS$SYSTEM, not OPS$SYSTEM. I hope you see the
difference.
HTH.
Arup
----- Original Message -----
Sent: Friday, June 20, 2003 10:46
AM
Subject: Re: oracle authentication from
windows
Arup,
why someone can't create account like ops$system
on xp and get in . If they can create system then y not ops$system . Secondly
OS authentication means operating system is going to take care of auth. rite ?
. It's up to OS not allow the users to change their ids.
-ak
----- Original Message -----
Sent: Thursday, June 19, 2003 3:34
PM
Subject: Re: oracle authentication from
windows
Mladen,
This is precisely the content I have gone in
depth in my upcoming book where this practice of OPS$ accounts have been
discussed.
The security hole in OPS$ accounts is a bit
overrated. Chagnign username in Windows XP alone does not allow logging in
to the database directly if OPS$ accounts are used. What you are referring
to is setting the ORA_DBA group in Windows. Here is an excerpt from the
book:
"If OPS$ accounts must be used, make sure that
init.ora parameter os_authent_prefix is set to OPS$ or some other value, not
NULL. If it is null, as shown by an empty string "", the security is
severely threatened. Any one can create a userid called SYSTEM in the OS and
then logon without a password as the Oracle user SYSTEM. If the
os_authent_prefix is set to OPS$, then the corresponding user id in Oracle
will be OPS$SYSTEM, not SYSTEM. they are different users."
As you might notice, OPS$ accounts are somehow
insecure, and I personally eschew them; but let's face it, in some
situations, like in the case AK mentioned, the use is required. When the
DBAs can do is to take some precautions to ensure security.
HTH.
Arup
----- Original Message -----
Sent: Thursday, June 19, 2003 4:19
PM
Subject: RE: oracle authentication
from windows
That, of course, will render your database
totally insecure and open to anybody
who can bring in a WinXP laptop, change the
windoze username and log in as he pleases.
DBA that sets his production parameters the way
Arup described deserves to be
publicly tortured by Bill O'Reilly in the "no
spin zone".
Mladen Gogala
Oracle DBA
Phone:(203)
459-6855
Email:[EMAIL PROTECTED]
Sure.
Just declare these in your
init.ora
os_authent_prefix=OPS$
remote_os_authent=TRUE
bounce the database, add a user called
OPS$<the Windows username>, e.g. OPS$AK if your Windows login id
is AK as
create user ops$ak identified
externally
If it doesn't work, the OS user may be
different. Use this query while connected to the database from Windows
cleint.
SQL> select
sys_context('USERENV','OS_USER') from dual;
See what OS username comes up; use that
instead.
HTH.
Arup Nanda
www.proligence.com
----- Original Message -----
Sent: Thursday, June 19, 2003
1:10 PM
Subject: oracle authentication
from windows
We want our client users ( forms user
) to just enter windows password and then automatically able to
get in to oracle .Is there a way oracle can authenticate from windows
( or active directory ) . enbadding password in runform.exe not an
option .
thanks,
-ak
|
