Re: Auth via Active Directory

2003-08-19 Thread Yechiel Adar
I am in the middle of implementing Oracle Advanced Security. Finished the
initial testing and on the way to implementing a test case.
On the way I found out that you need Oracle Advanced Security for this.

There is a problem that you need to address: how do you synchronize the
passwords when a user changes his password?
Say David gets to work in the morning and his password has expired and he changes
it. Now a DBA must change the password in OID to allow him to log on with the
new password. That means that the DBA knows all the passwords of all the
users. BIG security breach.
Also a lot of work for the DBA or the security administrator.

We use Novell now and there is a product that does the work.
It will send the new password to OID and also add or delete users as changes
are applied in Novell.

You still have to give permissions, via global rules, to the users so that
adding a user does NOT let him access Oracle.

Yechiel Adar
Mehish
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:49 AM


 Is there any way to get Oracle 8i (or 9i; we're planning to upgrade)
 Enterprise Edition to authenticate against Active Directory, short of
 buying Oracle Advanced Security?

 My goal is to remove the need to maintain a separate database of
 passwords. Ideally, we could do also do away with having the database
 users enter passwords by handling Kerberos tickets, but I'd be happy
 with them just entering the same password they enter to login to
 Windows. And if we still need to manually add/remove users, that's okay,
 too. (We'd probably want to, anyway; not everyone in the domain should
 have an Oracle account.)

 In my fantasy world, authentication would all be done through a function
 that I could modify. Then I could just create my users with something like:

  create user DOMAIN\USER identified externally;

 as you would for OS$ authentication and then do something vaguely like:

  create or replace function system.my_authenticate_user (
  p_username  in varchar2,
  p_password  in varchar2
  ) return boolean as

  v_usertype  varchar2(30);
  v_session   dbms_ldap.session;
  v_rc        pls_integer;
  v_ok        boolean;

  begin
  -- for a user created "identified externally", dba_users.password reads 'EXTERNAL'
  select password
  into   v_usertype
  from   dba_users
  where  username = p_username;

  if v_usertype = 'EXTERNAL' then
  -- ask dbms_ldap for return codes instead of raising on a failed bind
  dbms_ldap.use_exception := false;
  -- plain port 389: a simple bind sends the password in clear text
  v_session := dbms_ldap.init('my-domain-controller', 389);
  v_rc := dbms_ldap.simple_bind_s(v_session, p_username, p_password);
  v_ok := (v_rc = dbms_ldap.success);
  v_rc := dbms_ldap.unbind_s(v_session);
  return v_ok;
  end if;

  -- hypothetical hook into the normal password check; no such routine exists
  return standard_authenticate_user(p_username, p_password);

  exception
  when no_data_found then
  return false;
  end;
  /
  show errors

 but I'm not aware of any such hook. There are logon triggers, but just
 of the after type, not instead of. (create trigger ... after logon on
 database or something, for audit trails, I think.)

 Does anything like this exist? Or is there another way, however convoluted?

 Thanks,
 Scott Lamb

 --
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 --
 Author: Scott Lamb
   INET: [EMAIL PROTECTED]

 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).

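The dbms_ldap.simple_bind_s call in the sketch above is, on the wire, one LDAPv3 BindRequest/BindResponse exchange (RFC 4511, BER framed). The following is an added example, not code from the thread: a minimal encoder and decoder for that exchange, with constructed sample responses; the host name, user name and password are placeholders.

```python
import socket

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(tag: int, n: int) -> bytes:
    # non-negative INTEGER/ENUMERATED; leading 0x00 when the high bit is set
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element), handling long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _int(0x02, 3) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x60, bind))

def build_bind_response(message_id: int, code: int, diag: bytes = b"") -> bytes:
    """Constructed BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    result = _int(0x0A, code) + _tlv(0x04, b"") + _tlv(0x04, diag)
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x61, result))

def parse_bind_response(buf: bytes) -> tuple:
    """Return (messageID, resultCode, diagnosticMessage); resultCode 0 means the bind succeeded."""
    _, msg, _ = _read_tlv(buf, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag %#x" % tag)
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def simple_bind(host: str, port: int, name: str, password: str) -> bool:
    """Live check; on plain port 389 the password crosses the wire in clear text,
    so wrap the socket in TLS (LDAPS or StartTLS) outside a lab."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_bind_request(1, name, password))
        return parse_bind_response(sock.recv(4096))[1] == 0
```

Result code 49 (invalidCredentials) is what a wrong password produces; anything other than 0 should be treated as a failed login, not just 49.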



RE: Auth via Active Directory

2003-08-19 Thread Mladen Gogala
You should use identified globally when creating users. That will consult
the authentication services and will change the password in Kerberos or Novell directly.

--
Mladen Gogala
Oracle DBA 



-Original Message-
Yechiel Adar
Sent: Tuesday, August 19, 2003 5:59 AM
To: Multiple recipients of list ORACLE-L



Re: Auth via Active Directory

2003-08-19 Thread Yechiel Adar
It is more complex than this.
AFAIK, this will work with another LDAP, like AD.
We are working with Windows domains, so it will not work.

Yechiel Adar
Mehish
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 4:14 PM


 You should use identified globally when creating users. That will consult
 the authentication services and will change the password in Kerberos or Novell directly.

 --
 Mladen Gogala
 Oracle DBA




RE: Auth via Active Directory

2003-08-18 Thread Brian Dunbar
Scott Lamb [mailto:[EMAIL PROTECTED] on Friday, August 15, 2003 6:49 PM said:

 Is there any way to get Oracle 8i (or 9i; we're planning to upgrade) 
 Enterprise Edition to authenticate against Active Directory, short of 
 buying Oracle Advanced Security?

What we're planning on doing (note, planning is subject to budget and
friction) is build a SunOne LDAP server and bounce the Oracle OID against
_that_.  LDAP because we have a small horde of apps that speak LDAP but for
various reasons don't like Active Directory.

~brian