Abstract Oracle database external authentication deployment and troubleshooting on Unix, Linux and Windows platforms. Keywords OS External Authentication Prefix OPS$ OS_AUTHENT_PREFIX 1) OS_AUTHENT_PREFIX is an important initialization parameter to configure Oracle External User environment. 2) External User is a kind of Oracle External Authentication solution. 3) With Oracle External User, the user authentication process is accomplished by operating system automatically. 4) Authorized OS user can access Oracle database directly without providing username and password other than logon with prompting these information. OS_AUTHENT_PREFIX Parameter type String Syntax OS_AUTHENT_PREFIX = authentication_prefix Default value OPS$ Modifiable No OS_AUTHENT_PREFIX specifies a prefix that Oracle uses to authenticate users attempting to connect to the server. Oracle concatenates the value of this parameter to the beginning of the user's operating system account name and password. When a connection request is attempted, Oracle compares the prefixed username with Oracle usernames in the database. The default value of this parameter is OPS$ for backward compatibility with previous versions. However, you might prefer to set the prefix value to "" (a null string), thereby eliminating the addition of any prefix to operating system account names Note: The text of the OS_AUTHENT_PREFIX parameter is case sensitive on some operating systems. See Also: l Your operating system-specific Oracle documentation for the default value Create Oracle database user with OS authentication solution. 1) OS Environment C:\Documents and Settings\ZYY> sqlplus "/as sysdba" SQL*Plus: Release 10.2.0.1.0 - Production on 星期四 6月 11 17:02:49 2009 Copyright (c) 1982, 2005, Oracle. All rights reserved. 连接到: Oracle Database 10g Express Edition Release 10.2.0.1.0 – Production SQL> SELECT OSUSER, USERNAME, PROGRAM FROM V$SESSION; OSUSER USERNAME PROGRAM -------------------- -------------------- -------------------- SYSTEM ORACLE.EXE (q001) SYSTEM ORACLE.EXE (QMNC) SYSTEM ORACLE.EXE (q000) YYBB\ZYY YYBB\ZYY sqlplus.exe SYSTEM ORACLE.EXE (MMNL) SYSTEM ORACLE.EXE (MMON) SYSTEM ORACLE.EXE (CJQ0) SYSTEM ORACLE.EXE (RECO) SYSTEM ORACLE.EXE (SMON) SYSTEM ORACLE.EXE (CKPT) SYSTEM ORACLE.EXE (LGWR) SYSTEM ORACLE.EXE (DBW0) SYSTEM ORACLE.EXE (MMAN) SYSTEM ORACLE.EXE (PSP0) SYSTEM ORACLE.EXE (PMON) Note: n This practice is intended to be taken on Microsoft Windows platform. n “YYBB” is the Computer Name on which runs the Windows OS. n “ZYY” is the User Name which be used to logon to Windows OS. 2) Database Environment SQL> SHOW PARAMETER OS_AUTHENT NAME TYPE VALUE ------------------------------------ ---------------------- -------------- os_authent_prefix string remote_os_authent boolean FALSE Note: n The value of OS_AUTHENT_PREFIX parameter is set to “” (a null string). 1) Create User in Oracle Database SQL> CREATE USER "YYBB\ZYY" IDENTIFIED EXTERNALLY; Note: n In the above demo case, the value of OS_AUTHENT_PREFIX parameter is set to “” (a null string), the corresponding username in Oracle database should be YYBB\ZYY. n If the value of OS_AUTHENT_PREFIX parameter is set to “OPS$”, the corresponding username in Oracle database should be OPS$YYBB\ZYY. n Do NOT forget the Double Quotation Marks(“”) embrace the username YYBB\ZYY, otherwise, you will get an ORA-00911 warning against the special character \. n Be aware of the keyword “EXTERNALLY”. n Do NOT be reckless with “IDENTIFIED” which should NOT be followed by “BY”. 2) Grant Privileges to Oracle User SQL> GRANT RESOURCE, CONNECT TO "YYBB\ZYY"; Note: n Grant appropriate and Minimum privileges to this Oracle user according to your system security acquirement. n Oracle user name might be Case Sensitive on some platforms. 1) Logon Oracle Database with External User C:\Documents and Settings\ZYY>sqlplus / SQL*Plus: Release 10.2.0.1.0 - Production on 星期四 6月 11 17:26:51 2009 Copyright (c) 1982, 2005, Oracle. All rights reserved. 连接到: Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production SQL> Note: n You do NOT need to provide username and password to logon to Oracle database through sqlplus. 2) Check the Current Logon User SQL> SHOW USER USER 为 "YYBB\ZYY" SQL> SELECT USERNAME FROM DBA_USERS; USERNAME ------------------------------------------------------------ YYBB\ZYY SYS SYSTEM MDSYS OUTLN XDB Note: n Current logon user is “YYBB\ZYY”. n You can now access Oracle database via your OS user account directly. The OS authentication solution of Oracle database can be applied in a mixed variety of application scenarios according to different system requirements: 1) Centralized User Account Security Management 2) Simplified Database Account Management The following parameters should be set for Oracle database to implement external authentication solution: 1) SQLNET.AUTHENTICATION_SERVICES 2) REMOTE_OS_AUTHENT 3) OSAUTH_PREFIX_DOMAIN (For Windows Registry, default value is FALSE. If this parameter is set to TRUE, Windows Host Name should be added as a prefix to Windows User Name, which means Oracle User Name is “Windows_Host_Name\ Windows_User_Name”. Otherwise, the Oracle User Name’s naming convention is similar to Unix or Linux as usual.) 1) Oracle Database Advanced Security Administrator's Guide 10g Release 2 (10.2)1. Overview
2. Official Reference
3. Best Practice
4. Application Scenarios
5. Related Terms
6. Reference
Subscribe to:
Post Comments (Atom)
Posts
0 评论:
Post a Comment