Sunday, January 14, 2018

Oracle User Management :#02

External OS User Authentication in Oracle



External Authentication requires the creation of user accounts that are maintained by Oracle. Passwords are administered by an external service such as the operating system or a network service.

This option is generally useful when a user logs on directly to the machine where the Oracle server is running.
A database password is not used for this type of login.
In order for the operating system to authenticate users, a DBA sets the init.ora parameter OS_AUTHENT_PREFIX to some set value. The default value is OPS$, which provides backward compatibility with earlier versions of Oracle.
Oracle prepends this prefix to the user's operating system account username to form the database username.
You can also use a NULL string (a set of empty double quotes: "") for the prefix so that the Oracle username exactly matches the operating system user name. This eliminates the need for any prefix.

SQL> show parameter os_authent_prefix
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      ops$
SQL>

If the OS_AUTHENT_PREFIX parameter is not NULL, set it to an empty string with the following command when using an spfile.

SQL> alter system set OS_AUTHENT_PREFIX='' scope=spfile;


Restart the database service.

The REMOTE_OS_AUTHENT parameter can be set to force acceptance of a client operating system user name from a nonsecure connection.
If the REMOTE_OS_AUTHENT parameter is FALSE (remote OS authentication is not allowed), set the parameter to TRUE.
This is NOT a good security practice, because the server then trusts the operating system user name reported by the client machine without verifying it itself.
Setting REMOTE_OS_AUTHENT = FALSE creates a more secure configuration based on server-based authentication of clients.
Changes to the parameter take effect the next time the instance starts and the database is mounted.

SQL> alter system set remote_os_authent=true scope=spfile;
System altered.


SQL> show parameter os_au
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      ops$
remote_os_authent                    boolean     TRUE
SQL>
SQL> create user ops$oracle  identified externally;
User created.
SQL>
SQL> grant create session to ops$oracle;
Grant succeeded.

[oracle@localhost admin]$ sqlplus /
SQL*Plus: Release 11.2.0.4.0 Production on Thu Jan 11 08:30:49 2018
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select user from dual;

USER
------------------------------
OPS$ORACLE

SQL>
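
Because REMOTE_OS_AUTHENT = TRUE extends trust to every externally identified account, it is worth reviewing which accounts exist and what they can do. The following audit script is an added example, not part of the original post; it assumes a DBA session on Oracle 11.2 (it uses LISTAGG and DBA_USERS.AUTHENTICATION_TYPE) and changes nothing.

```sql
-- Added audit example (not from the original post). Run as a DBA in SQL*Plus.

-- 1) Running value vs. the value stored in the spfile for both parameters.
--    A difference means the setting will change at the next instance restart.
SELECT p.name,
       p.value  AS running_value,
       sp.value AS spfile_value
FROM   v$parameter p
       LEFT JOIN v$spparameter sp
              ON sp.name = p.name
             AND sp.sid  = '*'
WHERE  p.name IN ('os_authent_prefix', 'remote_os_authent');

-- 2) Every account created with IDENTIFIED EXTERNALLY, with its system
--    privileges and roles, flagged when remote OS authentication is enabled.
SELECT u.username,
       u.account_status,
       (SELECT LISTAGG(s.privilege, ', ') WITHIN GROUP (ORDER BY s.privilege)
        FROM   dba_sys_privs s
        WHERE  s.grantee = u.username)                     AS sys_privs,
       (SELECT LISTAGG(r.granted_role, ', ') WITHIN GROUP (ORDER BY r.granted_role)
        FROM   dba_role_privs r
        WHERE  r.grantee = u.username)                     AS roles,
       CASE
         WHEN (SELECT UPPER(value)
               FROM   v$parameter
               WHERE  name = 'remote_os_authent') = 'TRUE'
         THEN 'REVIEW: remote_os_authent is TRUE'
         ELSE 'remote_os_authent is FALSE'
       END                                                 AS exposure
FROM   dba_users u
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY u.username;

-- 3) To return to the more secure setting described above, uncomment the
--    next line; it takes effect at the next instance start.
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

On the instance shown above, the second query would list OPS$ORACLE with CREATE SESSION and the REVIEW flag.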
