Description of Oracle Database External Identity Authentication Research

Source: Internet
Author: User
Tags: Lightweight Directory Access Protocol (LDAP)

This article introduces research on Oracle Database external (operating system) identity authentication and the practical configuration steps that go with it.

I. Operating system authentication on the server

1. Configure the SQLNET.ORA file

The parameter NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME) lists the methods used to resolve the connect string a client supplies. TNSNAMES means the TNSNAMES.ORA file is used; ONAMES means Oracle's own Oracle Names Server is used (Oracle now recommends replacing ONAMES with the Lightweight Directory Access Protocol, LDAP); HOSTNAME means the host name is resolved through the hosts file, DNS, NIS and similar services.

The parameter SQLNET.AUTHENTICATION_SERVICES = (NONE, NTS) specifies the authentication methods a user may use when connecting to the Oracle server: NONE means Oracle database (password) authentication and NTS means Windows operating system authentication. Either method can be used.

2. Create an operating system group and add users to the group.

Domain users and local users in the ORA_DBA group can log on to Oracle without supplying an Oracle user name and password. When several instances run on the host, a per-instance group such as ORA_SID_DBA (where SID is the instance name) can be created so that SYSDBA privileges apply to that instance only. Similarly, members of the ORA_OPER group receive the privileges of the SYSOPER role.

3. Logon method

    C:\> sqlplus "/ as sysdba"

or

    C:\> sqlplus /nolog
    SQL> connect / as sysdba

4. How REMOTE_LOGIN_PASSWORDFILE in init.ora affects identity authentication

The parameter has three possible values:

NONE:

The default value. The Oracle system does not use a password file; privileged users authenticated by the operating system have the SYSDBA and SYSOPER privileges.

EXCLUSIVE:

1) Only one database instance can use the password file;

2) SYSDBA and SYSOPER privileges can be granted to users other than SYS.

SHARED:

1) Multiple database instances can share the password file;

2) SYSDBA and SYSOPER privileges cannot be granted to users other than SYS.

Therefore, to log on using operating system authentication, set REMOTE_LOGIN_PASSWORDFILE to NONE.

5. When the logged-on user is not a member of the ORA_DBA or ORA_OPER group, an Oracle user with the same name as the current operating system user must be created. For a domain user the name is DOMAINNAME\YOURNAME; for a local computer user it is COMPUTERNAME\YOURNAME.

Creation method:

    CREATE USER "DOMAINNAME\YOURNAME" IDENTIFIED EXTERNALLY;
    GRANT CONNECT TO "DOMAINNAME\YOURNAME";

On Windows, add the value AUTH_PREFIX_DOMAIN under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOME0 and set it to FALSE; the domain name can then be omitted when creating the Oracle user. The init.ora parameter OS_AUTHENT_PREFIX = "" also affects how Oracle matches a Windows user to an Oracle user. Its default value is the empty string; before Oracle8i this parameter did not exist and OPS$ was used as the user name prefix. (The maximum length of an Oracle user name is 30 characters.)

II. Operating system authentication for remote clients

First, set the parameter REMOTE_OS_AUTHENT = TRUE in the init.ora file. Oracle does not recommend operating system authentication for remote clients: the client is not verified against operating system users on the server, but against whatever Windows account the client itself presents, so a client can set up a matching Windows machine name and user name and thereby defeat the operating system check.

For example, the following Oracle user is created:

    CREATE USER "DOMAINNAME\YOURNAME" IDENTIFIED EXTERNALLY;
    GRANT CONNECT TO "DOMAINNAME\YOURNAME";

If a machine named ZL has a user named zyk, and that user connects to the Oracle server with @OracleSTR (the connect string), the connection succeeds without any user name or password, because Oracle relies on the client operating system's verification. It cannot distinguish whether ZL is a domain name or a machine name.

Windows authentication on the Oracle database server is easy to implement and lets logged-on users reach the Oracle database conveniently. This authentication model is not suitable for remote clients, however, because of the high security risk.
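As an added example (not part of the original article), the following Python audit applies the rules from sections I and II: it parses sqlnet.ora and init.ora parameter lines, shows which Oracle user name an OS identity maps to under OS_AUTHENT_PREFIX and the AUTH_PREFIX_DOMAIN registry value, and flags REMOTE_OS_AUTHENT = TRUE. The sample file contents are constructed for the demo.

```python
import re
# Constructed sample files (not from the article) used for the demo.
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (NONE, NTS)
"""
INIT_ORA = """
remote_login_passwordfile = NONE   # article: required for OS logon
remote_os_authent = TRUE           # the risky setting from section II
os_authent_prefix = ""
"""

_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")

def parse_params(text):
    """Parse KEY = VALUE lines; keys are upper-cased, '#' starts a comment.
    A parenthesised list such as (NONE, NTS) becomes a Python list."""
    params = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, val = m.group(1).upper(), m.group(2)
        if val.startswith("(") and val.endswith(")"):
            params[key] = [v.strip().strip('"').upper()
                           for v in val[1:-1].split(",") if v.strip()]
        else:
            params[key] = val.strip('"').upper()
    return params

def map_os_user(domain, user, prefix="", prefix_domain=True):
    """Oracle user name an OS identity maps to: OS_AUTHENT_PREFIX (OPS$ before
    8i, "" by default since) + DOMAIN\\USER, or just USER when the registry
    value AUTH_PREFIX_DOMAIN is FALSE. Oracle limits names to 30 characters."""
    name = (prefix + (f"{domain}\\{user}" if prefix_domain else user)).upper()
    if len(name) > 30:
        raise ValueError("Oracle user name longer than 30 characters: " + name)
    return name

def audit(sqlnet, init):
    """Findings derived from the article's rules, as a list of strings."""
    services = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    services = services if isinstance(services, list) else [services]
    findings = []
    if "NTS" in services:
        findings.append("NTS enabled: ORA_DBA/ORA_OPER members get SYSDBA/SYSOPER without a password")
    if init.get("REMOTE_OS_AUTHENT") == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: identity asserted by the client OS, set it to FALSE")
    findings.append("REMOTE_LOGIN_PASSWORDFILE=" + init.get("REMOTE_LOGIN_PASSWORDFILE", "NONE"))
    return findings
```

Call `audit(parse_params(SQLNET_ORA), parse_params(INIT_ORA))` to list the findings for the sample files; `map_os_user("ZL", "zyk")` shows the name the section II scenario would need.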

III. Enhanced operating system identity authentication in Oracle 9i

Oracle 9i can be integrated with Active Directory, with Oracle Enterprise Security Manager used to manage user permissions. Enterprise user authentication is a new, centralized form of external authentication called global user authentication; the earlier external user authentication in Oracle 9i relies only on the local client operating system.

Oracle9i must run in a Windows 2000 or later domain. In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID, set the parameter OSAUTH_X509_NAME to true (the default is false; if the value does not exist, add it with type REG_EXPAND_SZ). Note: Windows NT 4.0 domains do not support this method.

Source article: http://database.csdn.net/page/034915c4-1873-489c-b0df-e812ad2ec8ab
