Windows Authentication to Oracle for domain group - windows

I know that it is possible to use "OS authentication" to authenticate Windows users in Oracle database. The process is basically passing current Windows user id to Oracle for authentication.
The question is - is it possible to authenticate domain group in Oracle (as it is possible with SQL Server integrated security), so that there would be no need to create separate database user for each domain member?

It is possible.
Oracle has a whitepaper on this, and here's a tutorial.

I don't think this is possible, but I would love to be proven wrong.

Related

Oracle ORDS SQL WEB setup to store app users data

I am new to development and learning through a lot of YouTube videos and Oracle documentation. I have a question for which I was not able to find a solution online and was hoping someone could help answer it here.
I want to use oracle free tier cloud based autonomous transactional database and create the rest api on it using the below url as a reference.
https://oracle.github.io/learning-library/developer-library/rest-services-for-adb-appDevLive/workshops/freetier/?lab=secure-endpoints#Task1:SecuringtheRESTEndpoint
However, my question is: if I create a web app where I can get the user to create an account using a username and password, what is the best practice to store the data and retrieve it for auth in the Oracle database for the auth user?
Is there a credentials table where I can store all the username and password details, or should I use an encrypted table?
Also, can someone please help advise how to create a SQL POST method query to retrieve the user creds for validation?
Thank you for all your guidance.
Thank you!
In the database you have a schema - this is the collection of objects -
tables
views
stored procedures
rest apis
these are owned by a USER. A database user and schema in Oracle are largely synonymous and a user will have a password.
You then also have your application. Your application most likely also has users. These are completely different users than what you have in the database.
Now, your application COULD use database authentication, but that's highly not recommended. Why? Because then your application users could also theoretically go directly into the database.
It's not clear by your question if you're asking how to manage database usernames and passwords in general or if you mean in terms of your application.
For your application, we recommend you use either our OAuth2 workflows to secure your REST APIs, or you build your own authentication system...for example you could control access to your APIs in the Oracle Cloud using the API Gateway Service.
For managing passwords in the database, you should most definitely NOT store those in a table somewhere. The user, when they get their password, should securely manage that as they would the password to their online banking system.
The web interface we have would work just fine with online password managers like LastPass, but I'm not personally advocating or saying that would be good for your scenario.
Running SQL to find out someone's password isn't really what we do in Oracle. Either you already know it, or you change the password to something so that you definitely know it.

Create a new user in Obiee12c

How to create a new user account in OBIEE 12c? What is LDAP?
I go to Application Roles to create a role.
See: Provider Oracle Database (not LDAP)
Honest answer is "it depends".
OBI comes with a security provider which is embedded inside Weblogic where you can manage users and groups.
I say can because that's an approach which Oracle itself does not suggest for production systems. Pretty much every implementation uses some proper enterprise level LDAP or MS Active Directory which is then configured as an additional security provider for the Weblogic backend.
Best first try to understand how security works and then take your decision based on what is the most appropriate for your use case:
https://youtu.be/JUCZwQOmBn8

Oracle returns a different result for the same user but a different Windows user

I have two users on windows server
Administrator
devUser
Both can use SQL Developer to connect to Oracle 11g Server (Oracle e-Business suite), but for the same query (from a synonym) they got different results: devUser got the correct result and Administrator got null in the first three columns.
SELECT * from XXAUTO.XXFND_OU_COMPANY_V
where ou_name like 'ASL%'
Query Result from Administrator(Windows User)
Seems like the view has some form of VPD in place. Oracle supports Fine-Grained Access Control through its DBMS_RLS package, which despite the name allows us to implement security policies on columns as well as rows (since 10g). Find out more.
The common model is, when users connect to the database a LOGON trigger populates an application context with details about them. These details are used to generate additional filters on tables and views which have security policies in place. You can confirm this by using the pertinent views: start with ALL_POLICIES and drill down depending on what you find.
It's possible the view implements a hand-rolled version of this (FGAC is an Enterprise Edition feature) but if you're using EBS that seems unlikely.
Another option is that your database is protected by Oracle Database Vault. This product is a chargeable extra to the EE license. It is a very powerful tool, and one of its uses is to prevent super users like sysadmins or DBAs abusing their privileges to look at sensitive data. It seems unlikely that an organisation would put Database Vault in place on a server that developers have access to but I offer this suggestion for completeness. Find out more.
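The checks suggested in this answer, written out as an added example (not part of the original answer). The owner and view name come from the question; everything else is standard data dictionary views and USERENV attributes, and the queries are meant to be run once as each Windows user so the outputs can be compared.

```sql
-- Added example: compare the output for Administrator and devUser.

-- 1. The question queries through a synonym, so resolve the base object first.
SELECT owner, synonym_name, table_owner, table_name, db_link
  FROM all_synonyms
 WHERE synonym_name = 'XXFND_OU_COMPANY_V';

-- 2. Row-level (VPD/FGAC) policies attached to the object.
SELECT object_owner, object_name, policy_group, policy_name,
       pf_owner, package, function, sel, enable, policy_type
  FROM all_policies
 WHERE object_owner = 'XXAUTO'
   AND object_name  = 'XXFND_OU_COMPANY_V';

-- 3. Column-level policies: which columns are security relevant, and
--    whether non-matching rows are hidden or only those columns are nulled.
SELECT object_owner, object_name, policy_name, sec_rel_column, column_option
  FROM all_sec_relevant_cols
 WHERE object_owner = 'XXAUTO'
   AND object_name  = 'XXFND_OU_COMPANY_V';

-- 4. Application context values set for this session, for example by a
--    LOGON trigger, which policy functions typically read.
SELECT namespace, attribute, value
  FROM session_context
 ORDER BY namespace, attribute;

-- 5. Session attributes that can differ between two OS logins sharing one
--    database account. LANGUAGE reflects the client's NLS settings.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS db_user,
       SYS_CONTEXT('USERENV', 'OS_USER')      AS os_user,
       SYS_CONTEXT('USERENV', 'HOST')         AS client_host,
       SYS_CONTEXT('USERENV', 'LANGUAGE')     AS session_language
  FROM dual;
```

If steps 2 and 3 return no rows for the base object, the difference comes from the view's own logic or from the session attributes in steps 4 and 5 rather than from a DBMS_RLS policy.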
Thank you for all.
Now I found the problem: the two users have different Windows locales set.

Windows Domain Logins on Oracle SQL Developer

Oracle SQL Developer 4.0.1.14
I currently have an Oracle database with a user who contains a set of tables, views, etc. However, I would like this schema to be shared among multiple people with different logins.
My company has a domain and each employee logs into their computers through this domain, for example
COMPANY_NAME/username
I am hoping to be able to use windows authentication to log each user into the database. This way everyone at the company will automatically have a login with a password they are used to.
In Oracle SQL Developer, I have tried ticking "OS Authentication", and received "Invalid username/password" upon testing the connection. Do I need to create an Oracle user for each domain?
I have also tried checking "Use OCI/Thick driver", but it cannot be checked unless "Use Oracle Client" is configured, which I'm also unsure about.
This question appears to be a duplicate:
Windows Authentication to Oracle for domain group, however the tutorial link is dead. I have not been able to find another tutorial for how to set this up anywhere.
There is a server-side parameter called os_authent_prefix that is typically set to OPS$, and the network user id needs to be prefixed with this in addition to having the IDENTIFIED EXTERNALLY option added to the create user statement.
So if your Windows account id is hambone, then your OS-authentication login would be OPS$hambone, and you don't need a password. I used it for years, and it never required the domain to be specified for a Windows account, which was nice because it meant the same credentials worked for my Unix account.
SQL*Plus, for example would look like:
sqlplus OPS$hambone/@myserver
Likewise, connection strings for applications just have nothing for the password.
For Toad, you would put OPS$hambone as userid and leave the password blank. SQL Developer, I'm honestly not sure -- I can't stand it; I use PL/SQL Developer, but with the various options they have I'd imagine you select OS authentication and/or put the OPS$hambone.
Read the caveats/security warnings on OS authentication. I think in a private network the risks are outweighed by the advantages, but that's for you to decide.
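The server-side setup described in this answer, together with the checks a DBA would run before relying on it, as an added example that is not part of the original answer. The account name follows the answer's hambone example; the AUTHENTICATION_TYPE column assumes Oracle 11g or later, and the statements assume DBA privileges.

```sql
-- Added example: audit and set up OS authentication for one account.

-- 1. Confirm the prefix and check whether remote OS authentication is on.
--    remote_os_authent = TRUE makes the server trust the OS user name that
--    a remote client reports, so it should stay FALSE unless every client
--    host is trusted.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Create the externally identified account. It has no database
--    password; the name is the prefix plus the OS account name.
CREATE USER ops$hambone IDENTIFIED EXTERNALLY;

-- Grant only what the account needs; CREATE SESSION is the minimum to log in.
GRANT CREATE SESSION TO ops$hambone;

-- 3. Inventory every account that authenticates outside the database,
--    so externally trusted logins are known and reviewed.
SELECT username, account_status, authentication_type
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 4. From a connected session, see which database user the OS login was
--    mapped to and how the session was authenticated.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS db_user,
       SYS_CONTEXT('USERENV', 'OS_USER')               AS os_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;
```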

Oracle Connection String With Windows Authentication

We have a requirement to make our products work on Oracle as well as SQL Server (around which they were originally built). Unfortunately we don't have any in house Oracle development experience to speak of but as a senior dev it has fallen to me to lead the project. So far I have managed to make our app connect to an Oracle database (I'm using Oracle XE 11.2) by using the following connection string:
Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=VS010-ORA11GR1)(PORT=1523))(CONNECT_DATA=(SERVICE_NAME=DEVORA)));User Id=dbo;Password=dbo;
The reason we decided to use this type of connection string is because we do not want to rely on changing tnsnames.ora on every client machine. However, as you can see this specifies an Oracle user and associated password. We also need to provide the ability to use the equivalent of SQL Server integrated security.
According to the literature I have read, to do this I simply need to specify / as the user id and then omit the password portion (as this is ignored anyway for Windows authentication). I also created the user in Oracle, making sure it matched the Windows user, with the following snippets:
CREATE USER "OPS$<DOMAIN>\<user>" IDENTIFIED EXTERNALLY;
GRANT CONNECT,RESOURCE TO "OPS$<DOMAIN>\<user>";
I also checked that the sqlnet.ora file on my local machine which hosts the XE instance and my dev environment contained the line:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
I understood that this would enable my app to connect to the Oracle database using Windows Authentication. However what actually happens is that I get the following Oracle error message:
ORA-01005: null password given; logon denied
This doesn't make much sense because of course it's null - it's supposed to be, according to the tutorials I've read.
The app targets .Net Framework 3.5, we are using the System.Data.OracleProvider and the actual connecting and so on is handled by Enterprise Library 5. Incidentally, I am aware of the deprecation of the OracleClient component but I just want this to work before I go into the extra complexities of changing providers.
Can anyone tell me what I'm missing? Have I chosen the wrong type of connection string? I apologise for any basic mistakes but I have always managed to avoid Oracle until now so my knowledge of it is close to zero.
Many thanks
I had the same problem and solved after adding this to conn. string:
Integrated Security=yes
To expand on the answer above by @Stikut. I tested this out with NHibernate 3.3.3.GA and it works.
user id=/;password=;Integrated Security=yes
