RE : RE: Database access using LDAP Authentication

  • From: Marius Raicu <mariu200@xxxxxxxxx>
  • To: Rich.Jesse@xxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 12 Jul 2006 16:45:39 +0200 (CEST)

Hi,
You can query an LDAP server from Oracle stored procedures, for example using
DBMS_LDAP. I haven't done it from logon triggers; however, I assume it should
be possible somehow... But I think this is the hardest method to authenticate
Oracle users. And if you have 40+ databases, why not LDAP-authenticate the access
to the applications using these databases instead of creating a hard dependence
between LDAP and Oracle databases?

Regards,


"Jesse, Rich" <Rich.Jesse@xxxxxx> wrote:

Yep, as Mark mentioned, what you want to do isn't cheap in the Oracle World.
Perhaps you could start here for a primer:

http://download-east.oracle.com/docs/cd/B10501_01/network.920/a96582/galsyste.htm#1017957

While I haven't played with this aspect of LDAP in Oracle (currently
implementing network Naming in LDAP), I would think that you wouldn't
necessarily need the Wallets, Enterprise Login, and all the SSO stuff. Just
the expensive licensing. And, funny, but I don't see the Enterprise Edition
as being needed for LDAP naming, but I could be wrong.

Also, I believe the LDAP naming is on a user-by-user basis. In other words,
you could setup the SYSTEM account on each of your 40 DBs with your standard
local passwords, but have a "HR" account in each that uses LDAP
authentication, or have some "HR" accounts LDAP and some local. No triggers
are needed -- look up the "CREATE USER" command, specifically the "IDENTIFIED
GLOBALLY" clause.

In a nutshell, you've got quite a task on your hands. Have fun learning!

Rich

 
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
Sent: Wednesday, July 05, 2006 12:48 PM
To: oracle-l
Subject: Database access using LDAP Authentication

All:

Jr. DBA here looking for a little help on a project she's been given.
Any thoughts & ideas you have are greatly appreciated.

THE SITUATION:
After Collaborate06, I suggested to our managers that we use Profiles on
our 40+ databases for added security. After some hemming & hawing,
security group agreed, and we began to put Profile Plans into motion.
At this time the department realized that if they had a direct Database
account, they would have to change their password, which meant in some
circumstances, on all 40 databases. This caused some grumbling, but it
wasn't too bad.

At this time the head of Systems said 1 word to the head DBA that would
simultaneously make all the profile research instantly trash and my life
hell: LDAP.

Yes, he wants us to have Oracle use LDAP for its user/schema
authentication.

SYSTEMS:
Oracle 9.2.0.6
LDAP v3 (not Oracle's LDAP)
All 40+ databases & 2 LDAPs are on different Unix boxes.

EXAMPLE OF WANTED RESULTS:
To make sure I am not being difficult, here's the prime example:
1) I open SQLPLUS and type in my Oracle userid & password (scott/tiger).
2) Oracle then somehow takes the userid & password to a centralized
LDAP.
3) LDAP replies with either: "Yep, that's right" or "No, reject
session".
4) Oracle then allows access (depending on LDAP's response), and uses
the user's role/sys/tab privs to say what that user has access to.

RESEARCH:
I have seen where you can authenticate through an htmldb app using the
DBMS_LDAP package, but we're not going through a 3rd party app, nor do I
think a login server is quite what we're looking for here, but maybe
this is how it has to be done?

I saw the wonderful "LDAP_AUTHENTICATE procedure for Active Directory"
from this list, and tried it as a great jumping-off point, but can't
figure out quite how to use it in relation to how Oracle logs in its
users.

Metalink seems to take you into stray paths, and the SSO books around
have to do with 10g, if it's even SSO I'm quite looking for. And Google
seems to think I'm insane.

QUESTIONS:
1) Is it even possible to use LDAP to authenticate Oracle users directly
from Oracle? How would I go about doing this?

2) If this is possible, via some sort of login trigger or something,
then is it possible to exclude specific users? We obviously don't want
SYS or OP$ORACLE going through LDAP due to LDAP Failure making the
database useless.

Thank you in advance for all of your help, and thanks for all the ideas
that this list has given me!
--
//www.freelists.org/webpage/oracle-l
Regards,
Marius
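
The "IDENTIFIED GLOBALLY" route Rich points at, as an added example that is not part of the thread. Schema names, the table HR.EMPLOYEES and the directory DN are assumptions. The practitioner's caveat for the setup in the question: Oracle's Enterprise User Security (the feature behind IDENTIFIED GLOBALLY) uses Oracle Internet Directory as the directory, and on 9i the database itself authenticates to OID over SSL with a database wallet, so a third-party LDAP v3 server alone does not satisfy it. What the example does show is the per-account choice: which accounts depend on the directory and which stay local so that a directory outage cannot lock the DBA out.

```sql
-- Added example (not from the thread). Names and DNs are assumptions.

-- SYS never goes through the directory: SYSDBA/SYSOPER logins use the
-- password file or OS authentication. Keep SYSTEM local as well, with a
-- password the database itself checks:
ALTER USER system IDENTIFIED BY "Local-Only-Pa55word";

-- OS-authenticated DBA account (os_authent_prefix is OPS$ by default):
-- usable with no directory and no stored password at all.
CREATE USER ops$oracle IDENTIFIED EXTERNALLY;
GRANT DBA TO ops$oracle;

-- Exclusive schema for one directory user: the database stores no password,
-- the directory authenticates the DN and the database maps it to HR.
CREATE USER hr IDENTIFIED GLOBALLY AS 'cn=hr,ou=people,dc=example,dc=com';
GRANT CREATE SESSION TO hr;

-- Shared schema: many directory users map to one schema; the user-to-schema
-- mapping lives in the directory, so the DN here is empty.
CREATE USER app_users IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO app_users;

-- Privileges for directory users come through global roles, which the
-- directory grants to enterprise users (enterprise roles).
CREATE ROLE hr_reader IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_reader;

-- Check: which accounts depend on the directory and which stay local.
-- On 9i/10g DBA_USERS.PASSWORD reads 'GLOBAL' or 'EXTERNAL' for non-local
-- accounts (11g moved this to the AUTHENTICATION_TYPE column).
SELECT username,
       DECODE(password, 'GLOBAL',   'directory (EUS)',
                        'EXTERNAL', 'OS authenticated',
                                    'local password') AS auth,
       external_name
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'OPS$ORACLE', 'HR', 'APP_USERS')
 ORDER BY username;
```

Because the choice is made per account, the asker's question 2 answers itself: nothing about SYS, SYSTEM or the OPS$ account is touched by the directory, and no logon trigger is involved.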

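The DBMS_LDAP check that Marius and the "RESEARCH" section mention, as an added example that is not from the thread or from the "LDAP_AUTHENTICATE procedure" it refers to. Host, base DN, service account and the uid attribute are constructed. Two caveats practitioners should know before building on it: first, this cannot implement step 2 of the wanted flow, because an AFTER LOGON trigger fires only after the database has already authenticated the session and never sees the supplied password; it fits the per-application check Marius recommends. Second, a simple bind sends the password in clear over port 389 unless the session is upgraded with DBMS_LDAP.OPEN_SSL and a wallet.

```sql
-- Added example (not from the thread). Constructed values: host, base DN
-- and the service account are assumptions. On 9i, load the package first
-- with $ORACLE_HOME/rdbms/admin/catldap.sql if it is not already there.
CREATE OR REPLACE FUNCTION ldap_check_password (
    p_uid      IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    c_host    CONSTANT VARCHAR2(64)  := 'ldap.example.com';
    c_port    CONSTANT PLS_INTEGER   := 389;
    c_base    CONSTANT VARCHAR2(128) := 'ou=people,dc=example,dc=com';
    c_svc_dn  CONSTANT VARCHAR2(128) := 'cn=oracle-auth,ou=services,dc=example,dc=com';
    c_svc_pw  CONSTANT VARCHAR2(64)  := 'service-account-secret';  -- keep in a wallet, not in source
    c_allowed CONSTANT VARCHAR2(64)  :=
        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-';

    l_ld    DBMS_LDAP.session;
    l_attrs DBMS_LDAP.string_collection;
    l_res   DBMS_LDAP.message;
    l_dn    VARCHAR2(512);
    l_rc    PLS_INTEGER;
BEGIN
    -- Fail closed on bad input. An empty password is the classic LDAP auth
    -- bug: an "unauthenticated" simple bind (DN given, empty password)
    -- succeeds on many servers, which would accept any known uid.
    IF p_uid IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;
    -- The uid goes into a search filter; allow only a safe alphabet instead
    -- of trying to escape '(', ')', '*' and '\' (LDAP filter injection).
    -- TRANSLATE strips every allowed character; anything left is forbidden
    -- (REGEXP_LIKE would do, but it does not exist on 9i).
    IF LENGTH(p_uid) > 64
       OR TRANSLATE(p_uid, '#' || c_allowed, '#') IS NOT NULL THEN
        RETURN FALSE;
    END IF;

    DBMS_LDAP.use_exception := TRUE;   -- every DBMS_LDAP failure raises

    -- Step 1: bind as the service account and resolve uid -> DN.
    l_ld := DBMS_LDAP.init(c_host, c_port);
    l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_svc_dn, c_svc_pw);
    l_attrs(1) := 'objectClass';       -- any attribute; only the DN is needed
    l_rc := DBMS_LDAP.search_s(l_ld, c_base, DBMS_LDAP.SCOPE_SUBTREE,
                               '(&(objectClass=inetOrgPerson)(uid=' || p_uid || '))',
                               l_attrs, 0, l_res);
    IF DBMS_LDAP.count_entries(l_ld, l_res) = 1 THEN
        l_dn := DBMS_LDAP.get_dn(l_ld, DBMS_LDAP.first_entry(l_ld, l_res));
    END IF;
    l_rc := DBMS_LDAP.unbind_s(l_ld);
    IF l_dn IS NULL THEN
        RETURN FALSE;                  -- unknown or ambiguous uid
    END IF;

    -- Step 2: a fresh bind as the user's own DN with the supplied password.
    -- This is the actual credential check; the directory compares the secret.
    l_ld := DBMS_LDAP.init(c_host, c_port);
    BEGIN
        l_rc := DBMS_LDAP.simple_bind_s(l_ld, l_dn, p_password);
        l_rc := DBMS_LDAP.unbind_s(l_ld);
        RETURN TRUE;
    EXCEPTION
        WHEN OTHERS THEN               -- invalid credentials, locked account, ...
            l_rc := DBMS_LDAP.unbind_s(l_ld);
            RETURN FALSE;
    END;
EXCEPTION
    WHEN OTHERS THEN                   -- directory down or service bind failed: fail closed
        RETURN FALSE;
END ldap_check_password;
/

-- Usage from an application or stored procedure:
BEGIN
    IF ldap_check_password('scott', 'tiger') THEN
        DBMS_OUTPUT.PUT_LINE('accepted');
    ELSE
        DBMS_OUTPUT.PUT_LINE('rejected');
    END IF;
END;
/
```

The two-bind shape (service account to find the DN, then bind as that DN) is what lets the function work against any LDAP v3 server without the application knowing the directory layout; "fail closed" on every exception is deliberate, and it is exactly the dependency the asker worries about for SYS, which is why the database accounts that must survive a directory outage should never be routed through a check like this.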