A brief talk on Oracle external identity authentication

operating system authentication on a server

1. Configure Sqlnet.ora Files

Parameter names.directory_path= (TNSNAMES, Onames, HOSTNAME) indicates how the host string used to resolve client connections
TNSNames said the use of Tnsnames.ora file to resolve;
Onames indicates that Oracle uses its own name server (Oracle name server) to resolve, and Oracle now recommends using Lightweight Directory Access Protocol LDAP to replace Onames;
Hostname means to use host file, Dns,nis, etc. to resolve;

The parameter sqlnet.authentication_services= (none,nts) indicates which authentication method is used for Oracle database authentication when the user connects to the Oracle server, and NTS represents the operating system authentication, which can be combined in two ways.

2. Set up the corresponding operating system group and users to join the group

Domain Users and local users in the ORA_DBA group can log on to Oracle without the need for an Oracle username and password and users of that group have SYSDBA permissions after they log on to the database (for multiple instances, you can create a group ora_sid_dba like this, where the SID refers to the instance name). : The members in the Ora_oper group have sysoper role permissions.

3. Login mode

C:\>sqlplus "/As SYSDBA"
Or C:\>sqlplus Nolog, then Sql>connect/as sysdba

The impact of Remote_login_passwordfile on authentication in 4.init.ora

Three optional values:

NONE: Default value indicating that the Oracle system does not use a password file, and that privileged users who authenticate through the operating system have Sysora and Sysoper permissions Exclusive:
1. Indicates that only one instance of the database can use the password file
2. Allow Sysora and Sysoper permissions to be assigned to users other than Sys
SHARED:
1. Indicates that you can have multiple database instances to use a password file
2. Sysora and Sysoper permissions are not allowed to be assigned to users other than Sys
Therefore, if you want to log on as an operating system, Remote_login_passwordfile should be set to none

5. When the logged-on user is not a member of the ORA_DBA and ora_oper groups, the logon database needs to create the same user name as the current operating system user in Oracle, and if the current user is a domain user, the name is: Domainname\yourname, if it is a local computer user, The name is: Computername\yourname

To create a method:

Create "domainname\yourname" identified externally;
Grant connect to "Domainname\yourname";

Windows operating system, modify registry HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOME0 add Auth_prefix_domain below, the value is set to False, the domain name can be ignored when creating ORACLE users

In this way, a parameter in Init.ora will affect how the database matches a Windows user and an Oracle user Os_authent_prefix = ""
The default is null, oracle8i previously, without this parameter, and using ops$ as the username prefix. (Maximum Oracle username length is 30 characters)

second, the remote client uses the operating system authentication

First you need to set the following parameters in the Init.ora file: remote_os_authent=true

Oracle does not recommend operating system validation on remote clients because client authentication is not validated by the operating system user on the server, but rather by using the client's own fear of the operating system for Windows authentication, Clients can spoof Oracle's operating system validation by creating a corresponding Windows machine name and user name.
For example, the following Oracle user was created

Create "Zl\zyk" identified externally;
Grant connect to "Zl\zyk";

If you have a machine named Zl, create a user named Zyk, and use this login to connect to an Oracle server (using \ @OracleSTR when connected), without the user name and password The reason for this problem is that Oracle uses the client operating system for authentication. It cannot distinguish whether Zl is a domain name or a machine name.

Windows authentication on an Oracle database server is easy to implement and is convenient for logged-in users to access the database However, this validation model is not suitable for remote clients because of the high security risk.

iii. Oracle 9i enhancements to operating system identity authentication support

Oracle 9i can be integrated with the Active Directory through Oracle Enterprise Security Manager Admin user Rights Enterprise user authentication as a new external centralized authentication mode (also known as global User Authentication,oracle 9i Previous external user authentication only used client operating system local authentication)

Oracle9i runs in a Win2000 and above domain, registry hkey_local_machine\software\oracle\homeid, parameter Osauth_x509_name set to True (default is False, If the parameter does not exist, the new is REG_EXPAND_SZ type)

Note: Windows NT 4.0 domain does not support this approach