RE: Replacing OPS$ accounts

  • From: D'Hooge Freek <Freek.DHooge@xxxxxxxxx>
  • To: "wblanchard@xxxxxxxxxxxxxxxxxxxx" <wblanchard@xxxxxxxxxxxxxxxxxxxx>, Stephane Faroult <sfaroult@xxxxxxxxxxxx>
  • Date: Fri, 11 Jun 2010 20:24:08 +0200

I must say that I'm not in favor of such a solution.
If you want to lock the OPS$, then just lock them. 

Using the solution below, or a solution such as revoking "create sessions" and
such, will work, but can cause pain when migrating the database.
When you lock the account, it is clear to everyone that that user is not 
allowed to log in.

just my 2 eurocent


regards,

Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge@xxxxxxxxx
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
________________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx [oracle-l-bounce@xxxxxxxxxxxxx] On Behalf 
Of Blanchard, William [wblanchard@xxxxxxxxxxxxxxxxxxxx]
Sent: 11 June 2010 20:20
To: Stephane Faroult
Cc: ORACLE-L; oracledba@xxxxxxxxxxx
Subject: RE: Replacing OPS$ accounts

Hmmm.  Interesting.  I'll test this out and let you know.


WGB

-----Original Message-----
From: Stephane Faroult [mailto:sfaroult@xxxxxxxxxxxx]
Sent: Friday, June 11, 2010 12:40 PM
To: Blanchard, William
Cc: ORACLE-L; oracledba@xxxxxxxxxxx
Subject: Re: Replacing OPS$ accounts

William,

What about setting ops_authent_prefix to something different? It will
not lock the accounts, but in effect it's likely to look the same ...
If you set ops_authent_prefix to 'hagahaga' and a user connected (to the
OS) as joe tries

sqlplus /

Oracle will try to connect to hagahagajoe, which is unlikely to exist.
The only risk is if the user explicitly connects as ops$joe AND if the
account has an Oracle password (which sometimes happens, when people
need to remotely connect).

Hope that helps.

Stephane Faroult
RoughSea Ltd <http://www.roughsea.com>
Konagora <http://www.konagora.com>
RoughSea Channel on Youtube <http://www.youtube.com/user/roughsealtd>


Blanchard, William wrote:
>
> Greetings,
>
> We have a legacy app that is currently using OPS$ accounts to log the
> users into the database.  Since this is a purchased application that
> is no longer supported by the company we purchased it from, changing
> the code isn’t possible.  Has anyone found a way to get rid of these
> accounts?  If not, is there a “best practice” for locking down the
> OPS$ accounts?
>
>
> Thank you,
>
> WGB
>
> -
>
> This email and any information, files, or materials transmitted with it
> are confidential and are solely for the use of the intended recipient.
> If you have received this email in error, please delete it and notify
> the sender.
>
>





