RE: Replacing OPS$ accounts

  • From: "Blanchard, William" <wblanchard@xxxxxxxxxxxxxxxxxxxx>
  • To: "Neil Chandler" <neil_chandler@xxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>, <oracledba@xxxxxxxxxxx>
  • Date: Fri, 11 Jun 2010 15:58:39 -0500

"I am not sure that you have stated what you are trying to achieve here"
Good question ;-).  It's Friday and I need a beer ;-).  

 

We have remote_os_authent set to true so that the application - on a
different server - can authenticate the users once they have logged into
the application (an SSO of sorts).  I guess what I'm really looking for
is the "best practice" to secure the database given the constraints of
having the OPS$ accounts.  I don't mind if the users can get into the
database via the application; the issue is that this also means they can
log into the db using sqlplus, etc.

 

 

WGB

 

From: Neil Chandler [mailto:neil_chandler@xxxxxxxxxxx] 
Sent: Friday, June 11, 2010 3:38 PM
To: Blanchard, William; oracle-l@xxxxxxxxxxxxx; oracledba@xxxxxxxxxxx
Subject: RE: Replacing OPS$ accounts

 

William,

I am not sure that you have stated what you are trying to achieve here. Why
are you trying to get rid of the OPS$ accounts if that is the way that
the application works? If you want the accounts locked (i.e. so they are
completely unusable), use the ALTER USER <username> ACCOUNT LOCK
command, or drop the users.

What are you trying to prevent? Users logging into the application, or
users logging into the database using SQL*Plus, TOAD or some other "back
door" application?

There is nothing implicitly wrong with using OPS$ accounts, as long as
you are not allowing remote_os_authent (and thus allowing the potential
for an account to be spoofed on another platform). You are simply
transferring the authorisation from Oracle to the Operating system. 

regards

Neil Chandler
Oracle DBA

  _____  

Subject: Replacing OPS$ accounts
Date: Fri, 11 Jun 2010 12:02:34 -0500
From: wblanchard@xxxxxxxxxxxxxxxxxxxx
To: oracle-l@xxxxxxxxxxxxx; oracledba@xxxxxxxxxxx

Greetings,

We have a legacy app that is currently using OPS$ accounts to log the
users into the database.  Since this is a purchased application that is
no longer supported by the company we purchased it from, changing the
code isn't possible.  Has anyone found a way to get rid of these
accounts?  If not, is there a "best practice" for locking down the OPS$
accounts?

 

Thank you,

WGB
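
An inventory a DBA could run before deciding how to lock down the accounts discussed in this thread. It is an added example, not part of the original messages. It assumes Oracle 11g or later (for the AUTHENTICATION_TYPE column of DBA_USERS) and a session with access to the DBA_* views; the account name in the last statement is a placeholder.

```sql
-- 1. Is remote OS authentication enabled, and which prefix marks
--    OS-authenticated accounts (OPS$ by default)?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account and whether it is open or locked.
SELECT username, account_status, authentication_type, profile
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- 3. Roles and system privileges granted directly to those accounts.
--    With remote_os_authent = TRUE, anything listed here is available to
--    whoever can present the matching OS user name from another host.
SELECT u.username, 'ROLE' AS grant_type, r.granted_role AS grant_name
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username, 'SYSTEM PRIVILEGE', s.privilege
FROM   dba_users u
JOIN   dba_sys_privs s ON s.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY 1, 2, 3;

-- 4. Lock an account the application no longer needs (the command named in
--    the thread). "OPS$EXAMPLE_USER" is a placeholder; left commented out.
-- ALTER USER "OPS$EXAMPLE_USER" ACCOUNT LOCK;
```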
