Re: Database access using LDAP Authentication

  • From: "Mark Brinsmead" <pythianbrinsmead@xxxxxxxxx>
  • To: twilson@xxxxxxxxxxxx
  • Date: Wed, 5 Jul 2006 20:16:38 -0600

For Oracle 9.2, I believe the product you are looking for is "Advanced
Security Option",
although I believe it was known as "Advanced Networking Option" prior to

It's not free, though.  It requires Enterprise Edition, and costs something
like USD
$20,000/CPU above and beyond that.

Of course, with 40 database and maybe 100 or 200 CPUs, you might find that
is some room for negotiation.  ;-)

'Course I could be mistaken...

On 7/5/06, oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> wrote:


Jr. DBA here looking for a little help on a project she's been given.
Any thoughts & ideas you have are greatly appreciated.

After Collaborate06, I suggested to our managers that we use Profiles on
our 40+ databases for added security.  After some hemming & hawing,
security group agreed, and we began to put Profile Plans into motion.
At this time the department realized that if they had a direct Database
account, they would have to change their password, which meant in some
circumstances, on all 40 databases.  This caused some grumbling, but it
wasn't too bad.

At this time the head of Systems said 1 word to the head DBA that would
simultaneously make all the profile research instantly trash and my life
hell:  LDAP.

Yes, he wants us to have oracle use LDAP for it's user/schema

LDAP v3 (not Oracle's LDAP)
All 40+ databases & 2 LDAPs are on different Unix boxes.

To make sure I am not being difficult, here's the prime example:
1) I open SQLPLUS and type in my Oracle Userid & password (scott/tiger).

2) Oracle then somehow takes the userid & password to a centralized
3) LDAP replies with either: "Yep, that's right" or "No, reject
4) Oracle then allows access (depending on LDAP's response), and uses
it's the users role/sys/tab privs to say what that user has access to.

I have seen where you can authenticate through an htmldb app using the
DBMS_LDAP package, but we're not going through a 3rd party app, nor do I
think a login server is quite what we're looking for here, but maybe
this is how it has to be done?

I saw the wonderful "LDAP_AUTHENTICATE procedure for Active Directory"
from this list, and tried it as a great jumping-off point, but can't
figure out quite how to use it in relation to how Oracle logs in its

Metalink seems to take you into stray paths, and the SSO books around
have to do with 10g, if it's even SSO I'm quite looking for.  And Google
seems to think I'm insane.

1) Is it even possible to use LDAP to authenticate Oracle users directly
from Oracle?  How would I go about doing this?

2) If this is possible, via some sort of login trigger or something,
then is it possible to exclude specific users?  We obviously don't want
SYS or OP$ORACLE going through LDAP due to LDAP Failure making the
database useless.

Thank you in advance for all of your help, and thanks for all the ideas
that this list has given me!

-- Mark Brinsmead
  Staff DBA,
  The Pythian Group

Other related posts: