We use windows domain authentification to connect our users to Oracle. Most of the time it works fine.
But we ran into unexpected problem.
Some usernames are longer than 30 symbols. So the syntax
CREATE USER OPS$SomeVeryLongDomain/SomeVeryLongLogin IDENTIFIED EXTERNALLY
just don't work.
(os_authent_prefix has a standard value OPS$).
Is it possible to use domain authentification for usernames longer than 30 symbols?
UPD
There definitely is a workaround for Kerberos authentication.
If the user's Kerberos principal name is longer than 30 characters, and up to 1024 characters, then create the user as follows:
SQL> CREATE USER db_user_name IDENTIFIED EXTERNALLY AS 'kerberos_principal_name'
For example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser#EXAMPLE.COM';
But I cannot understand how to use the method for OS authentification and is it possible at all.
os_authent_prefix has a standard value OPS$
Well you can't go beyond 30 characters as that is the limit. Read External Authentication.
The os_authent_prefix parameter affects how Oracle matches a Windows username to an Oracle username when you're not using Windows group membership. Early versions of Oracle used a prefix of OPS$, which you would append to the beginning of the Oracle username used in external authentication. Because Oracle usernames are limited to 30 characters, using an OPS$ prefix effectively limited the username to the remaining 26 characters. To avoid using the OPS$ prefix, the Oracle database parameter file, the init.ora file (in the \%ORACLE_HOME%\database folder), should have the following setting (default Oracle9i and Oracle8i installations are configured to include this setting):
os_authent_prefix = ""
The parameter is provided for backward compatibility. Oracle doesn't recommend adding a prefix, thus the default empty setting is as shown. For a change to the OS_AUTHENT_PREFIX setting to take effect, you must shut down and restart the Oracle database instance.
Related
I am trying to create a new user from Oracle SQL Developer. I made a connection with the user Sys and the password that I entered in the installation of Oracle Database XE 18c.
When creating the user I get the error ORA-65096, I have searched the internet and the solution I found is to write the following:
alter session set "_ORACLE_SCRIPT" = true;
However, I want to know if it is possible to create the new user without using any SQL statement or script and do it from the Oracle SQL Developer interface, do I have to login with a different user than Sys to create a new user? or what do I have to do? Could someone give me a detailed explanation please. I am learning how to use this database and I want to try to understand what I am doing.
oerr ora 65096
65096, 00000, "invalid common user or role name"
// *Cause: An attempt was made to create a common user or role with a name
// that was not valid for common users or roles. In addition to >the
// usual rules for user and role names, common user and role names
// must consist only of ASCII characters, and must contain the >prefix
// specified in common_user_prefix parameter.
// *Action: Specify a valid common user or role name.
This implies that you are connected to the root container instead of to a regular plug in database (pdb) where applications should be built. The solution for you is not to overrule setting to enable building an application in the root container but to connect to the pdb that has been made to host your application.
you can check the available pdb's by viewing v$pdbs. The special pdb cdb$root is as the name already tries to tell, the root container. show PDBS will give similar output.
Using alter session set container = [pdb_name]; can be used to switch to your container of choice where regular rules apply.
Even better is to directly connect to that pdb using sqlnet.
I have problem logging in to one of the accounts in our database. The situation is like this.
The user has already logged in to his account environment on Linux, for example from his personal account
su - projectA
The user tries to run SQL*Plus using
[projectA#myDB2]$ sqlplus /
We are getting the message:
ORA-01017: invalid username/password: logon denied
I ran this command below and it has a missing prefix.
SQL> SHOW PARAMETER os_authent_prefix
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix string
SQL>
How do I set a prefix on os_authent_prefix?
You're allowed to have no value set for OS_AUTHENT_PREFIX, but if you do then the database account needs to be the same as the operating system account - i.e. projectA instead of OPS$projectA.
If you do want the account to have the OPS$ prefix then the initialisation parameter has to match. You can set it as #kfinity said in a comment:
alter system set OS_AUTHENT_PREFIX='OPS$' scope=spfile;
followed by a DB bounce. But as that is the default value (still, I think!) it's likely someone has intentionally cleared it, so proceed with caution.
The main thing is to be consistent. If you have other user accounts with OPS$ then you probably should have it set (and you can check the old DB you mentioned to see if the users and settings are the same). If you don't have any others then you need to verify whether any of the un-prefixed account names are identified externally via the dba_users.authentication_type column. If there are any then changing the initialisation parameter would break those.
Read more in the documentation:
Oracle SQL Developer 4.0.1.14
I currently have an Oracle database with a user who contains a set of tables, views, etc. However, I would like this schema to be shared among multiple people with different logins.
My company has a domain and each employee logs into their computers through this domain, for example
COMPANY_NAME/username
I am hoping to be able to use windows authentication to log each user into the database. This way everyone at the company will automatically have a login with a password they are used to.
In Oracle SQL Developer, I have tried ticking "OS Authentication", and received "Invalid username/password" upon testing the connection. Do I need to create an Oracle user for each domain?
I have also tried checking "Use OCI/Thick driver", but it cannot be checked unless "Use Oracle Client" is configured, which I'm also unsure about.
This question appears to be a duplicate:
Windows Authentication to Oracle for domain group, however the tutorial link is dead. I have not been able to find another tutorial for how to set this up anywhere.
There is a server-side parameter called os_authent_prefix that is typically set to OPS$, and the network user id needs to be prefixed with this in addition to having the IDENTIFIED EXTERNALLY option added to the create user statement.
So if your Windows account id is hambone, then your OS-authentication login would be OPS$hambone, and you don't need a password. I used it for years, and it never required the domain to be specified for a Windows account, which was nice because it meant the same credentials worked for my Unix account.
SQL*Plus, for example would look like:
sqlplus OPS$hambone/#myserver
Likewise, connection strings for applications just have nothing for the password.
For Toad, you would put OPS$hambone as userid and leave the password blank. SQL Developer, I'm honestly not sure -- I can't stand it; I use PL/SQL Developer, but with the various options they have I'd imagine you select OS authentication and/or put the OPS$hambone.
Read the caveats/security warnings on OS authentication. I think in a private network the risks are outweighed by the advantages, but that's for you to decide.
We have a requirement to make our products work on Oracle as well as SQL Server (around which they were originally built). Unfortunately we don't have any in house Oracle development experience to speak of but as a senior dev it has fallen to me to lead the project. So far I have managed to make our app connect to an Oracle database (I'm using Oracle XE 11.2) by using the following connection string:
Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=VS010-ORA11GR1)(PORT=1523))(CONNECT_DATA=(SERVICE_NAME=DEVORA)));User Id=dbo;Password=dbo;
The reason we decided to use this type of connection string is because we do not want to rely on changing tnsnames.ora on every client machine. However, as you can see this specifies an Oracle user and associated password. We also need to provide the ability to use the equivalent of SQL Server integrated security.
According to the literature I have read, to do this I simply need to specify / as the user id and then omit the password portion (as this is ignored anyway for Windows authentication). I also created the user in Oracle, making sure it matched the Windows user, with the following snippets:
CREATE USER "OPS$<DOMAIN>\<user>" IDENTIFIED EXTERNALLY;
GRANT CONNECT,RESOURCE TO "OPS$<DOMAIN>\<user>";
I also checked that the sqlnet.ora file on my local machine which hosts the XE instance and my dev environment contained the line:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
I understood that this would enable my app to connect to the Oracle database uing Windows Authentication. However what actually happens is that I get the following Oracle error message:
ORA-01005: null password given; logon denied
this doesn't make much sense because of course its null - it's supposed to be, according to the tutorials I've read.
The app targets .Net Framework 3.5, we are using the System.Data.OracleProvider and the actual connecting and so on is handled by Enterprise Library 5. Incidentally, I am aware of the deprecation of the OracleClient component but I just want this to work before I go into the extra complexities of changing providers.
Can anyone tell me what I'm missing? Have I chosen the wrong type of connection string? I apologise for any basic mistakes but I have always managed to avoid Oracle until now so my knowledge of it is close to zero.
Many thanks
I had the same problem and solved after adding this to conn. string:
Integrated Security=yes
To expand on the answer above by #Stikut. I tested this out with NHibernate 3.3.3.GA and it works.
user id=/;password=;Integrated Security=yes
i'm developing a 32bit Client-Application with Delphi. From this application I need to connect to databases on two different servers. First databse character set ist WE8MSWIN1252, the other server decodes with WE8PC850. Setting the client NLS_LANG parameter to the correct value solves correct sql-query results.
Unfortunately this (the client character-set) seems only to be recognized on applications startup (first connect to oracle). I need to change the client-characterset at runtime. Oracle client seems to store the character set an application used to connect!
beside: I#m using udl-files to setup the connections (Microsoft OLE DB - driver)
what can I do?
You could use ALTER SESSION calls to change the settings at the session level after connecting to the database.
I need to change the
client-characterset at runtime.
Why ? I would have thought what you want at the client end is a character set that is acceptable to the operating environment and end-user.
Pick out a character set such as UTF-8 and let Oracle handle the conversion between the client character set and the two database character sets.