----- Original Message -----
Sent: Friday, June 20, 2003 8:54 AM
Subject: Re: oracle authentication from
windows
AK,
The issue is not creating an id called OPS$
SYSTEM on XP, but on the database. Say, you created a user called OPS$SYSTEM
as
create user ops$system identified
externally;
The XP user should be SYSTEM, not OPS$SYSTEM, to
log on to this account.
Now suppose, your os_authent_prefix is set to ""
(null), then the Oracle user SYSTEM, not OPS$SYSTEM is authenticated
externally. If someone creates a user in XP called SYSTEM, she can
call
The OS user is SYSTEM, os_authent_prefix is null,
so Oracle will let the user be logged on as oracle user SYSTEM!
Therefore, always have a not null value in
os_authent_prefix, e.g. OPS$.
If the XP user is OPS$SYSTEM, the oracle user
should be OPS$OPS$SYSTEM, not OPS$SYSTEM. I hope you see the
difference.
HTH.
Arup
----- Original Message -----
Sent: Friday, June 20, 2003 10:46
AM
Subject: Re: oracle authentication from
windows
Arup,
why someone can't create account like
ops$system on xp and get in . If they can create system then y not
ops$system . Secondly OS authentication means operating system is going to
take care of auth. rite ? . It's up to OS not allow the users to change
their ids.
-ak
----- Original Message -----
Sent: Thursday, June 19, 2003 3:34
PM
Subject: Re: oracle authentication
from windows
Mladen,
This is precisely the content I have gone in
depth in my upcoming book where this practice of OPS$ accounts have been
discussed.
The security hole in OPS$ accounts is a bit
overrated. Chagnign username in Windows XP alone does not allow logging in
to the database directly if OPS$ accounts are used. What you are referring
to is setting the ORA_DBA group in Windows. Here is an excerpt from the
book:
"If OPS$ accounts must be used, make sure
that init.ora parameter os_authent_prefix is set to OPS$ or some other
value, not NULL. If it is null, as shown by an empty string "", the
security is severely threatened. Any one can create a userid called SYSTEM
in the OS and then logon without a password as the Oracle user SYSTEM. If
the os_authent_prefix is set to OPS$, then the corresponding user id in
Oracle will be OPS$SYSTEM, not SYSTEM. they are different
users."
As you might notice, OPS$ accounts are
somehow insecure, and I personally eschew them; but let's face it, in some
situations, like in the case AK mentioned, the use is required. When the
DBAs can do is to take some precautions to ensure security.
HTH.
Arup
----- Original Message -----
Sent: Thursday, June 19, 2003 4:19
PM
Subject: RE: oracle authentication
from windows
That, of course, will render your database
totally insecure and open to anybody
who can bring in a WinXP laptop, change the
windoze username and log in as he pleases.
DBA that sets his production parameters the way
Arup described deserves to be
publicly tortured by Bill O'Reilly in the "no
spin zone".
Mladen Gogala
Oracle DBA
Phone:(203)
459-6855
Email:[EMAIL PROTECTED]
Sure.
Just declare these in your
init.ora
os_authent_prefix=OPS$
remote_os_authent=TRUE
bounce the database, add a user called
OPS$<the Windows username>, e.g. OPS$AK if your Windows login id
is AK as
create user ops$ak identified
externally
If it doesn't work, the OS user may be
different. Use this query while connected to the database from Windows
cleint.
SQL> select
sys_context('USERENV','OS_USER') from dual;
See what OS username comes up; use that
instead.
HTH.
Arup Nanda
www.proligence.com
----- Original Message -----
Sent: Thursday, June 19, 2003
1:10 PM
Subject: oracle authentication
from windows
We want our client users ( forms user
) to just enter windows password and then automatically able
to get in to oracle .Is there a way oracle can authenticate from
windows ( or active directory ) . enbadding password in runform.exe
not an option .
thanks,
-ak
