Arup, Do you include info on setting 'OSAUTH_PREFIX_DOMAIN' in the registry?
If not set then cross-domain externally identified accounts must be created as OPS$domain\username, which is a bit of a pain. Security may require it though. Jared On Thursday 19 June 2003 15:34, Arup Nanda wrote: > Mladen, > > This is precisely the content I have gone in depth in my upcoming book > where this practice of OPS$ accounts have been discussed. > > The security hole in OPS$ accounts is a bit overrated. Chagnign username in > Windows XP alone does not allow logging in to the database directly if OPS$ > accounts are used. What you are referring to is setting the ORA_DBA group > in Windows. Here is an excerpt from the book: > > "If OPS$ accounts must be used, make sure that init.ora parameter > os_authent_prefix is set to OPS$ or some other value, not NULL. If it is > null, as shown by an empty string "", the security is severely threatened. > Any one can create a userid called SYSTEM in the OS and then logon without > a password as the Oracle user SYSTEM. If the os_authent_prefix is set to > OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not > SYSTEM. they are different users." > > As you might notice, OPS$ accounts are somehow insecure, and I personally > eschew them; but let's face it, in some situations, like in the case AK > mentioned, the use is required. When the DBAs can do is to take some > precautions to ensure security. > > HTH. > > Arup > ----- Original Message ----- > From: Gogala, Mladen > To: Multiple recipients of list ORACLE-L > Sent: Thursday, June 19, 2003 4:19 PM > Subject: RE: oracle authentication from windows > > > That, of course, will render your database totally insecure and open to > anybody who can bring in a WinXP laptop, change the windoze username and > log in as he pleases. DBA that sets his production parameters the way Arup > described deserves to be publicly tortured by Bill O'Reilly in the "no spin > zone". > > Mladen Gogala > Oracle DBA > Phone:(203) 459-6855 > Email:[EMAIL PROTECTED] > > -----Original Message----- > From: Arup Nanda [mailto:[EMAIL PROTECTED] > Sent: Thursday, June 19, 2003 3:46 PM > To: Multiple recipients of list ORACLE-L > Subject: Re: oracle authentication from windows > > > Sure. > > Just declare these in your init.ora > > os_authent_prefix=OPS$ > remote_os_authent=TRUE > > bounce the database, add a user called OPS$<the Windows username>, e.g. > OPS$AK if your Windows login id is AK as > > create user ops$ak identified externally > > From windows connect as "/@servicename", e.g. sqlplus /@service1 > > If it doesn't work, the OS user may be different. Use this query while > connected to the database from Windows cleint. > > SQL> select sys_context('USERENV','OS_USER') from dual; > > See what OS username comes up; use that instead. > > HTH. > > Arup Nanda > www.proligence.com > > > ----- Original Message ----- > From: AK > To: Multiple recipients of list ORACLE-L > Sent: Thursday, June 19, 2003 1:10 PM > Subject: oracle authentication from windows > > > We want our client users ( forms user ) to just enter windows > password and then automatically able to get in to oracle .Is there a way > oracle can authenticate from windows ( or active directory ) . enbadding > password in runform.exe not an option . > > thanks, > -ak -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
