Thursday 28 July 2016

TRAINING (ORA-8) - Different Oracle Authentication Type


Different Oracle Authentication Type
Oracle authentication can be of the following types:

1.) Password:
This is also referred to as authentication by the database.

2.) External:
This is also referred to as authentication by the OS. With external authentication, your database relies on the underlying OS or network services to restrict access to database accounts. Users can connect to the Oracle database without specifying a username and password.

3.) Global:
Allows users to be identified through the use of biometrics, X.509 certificates, token devices and Oracle Internet Directory.


The password file: The problem that the password file addresses is how to authenticate a user when the database is not open, or indeed before the database has even been created or an instance started. Users are nothing more than rows in a table in the data dictionary. You can see them and their encrypted passwords by querying the data dictionary view DBA_USERS. When you create a user, you are simply inserting rows into the data dictionary.

It is therefore vitally important that Oracle should authenticate you before letting you connect as such a user. But if the database is not already created and open, how can Oracle query the data dictionary to validate your username and password, and thus work out who you are and what you are allowed to do? To resolve this paradox, Oracle provides two means of authentication that are not data dictionary based and therefore do not require the database to be open, or even to exist. These are:

1.) Operating System authentication
2.) Password file authentication.

For operating system authentication, Oracle delegates responsibility for identifying a user to the host operating system. At installation time (not database creation time!) you specified an operating system group name that would own the Oracle software, defaulting to dba on Unix, ORA_DBA on Windows. If you are logged on to the computer hosting the Oracle installation as a member of that group, then you will be allowed to connect (using appropriate syntax) to an instance, start it up, and open or create a database without any username/password prompt. Clearly, this relies totally on your operating system being secure, which it should be: that is out of Oracle’s control and relies on decent system administration.
But this mechanism can’t work if you are connecting to the instance remotely, across a network: you will never actually log on to the operating system of the machine hosting the Oracle server, only to the machine where you are working. This is where the password file comes in: it is an operating system file, with usernames and passwords encrypted within it, that exists independently of the database. Using appropriate syntax, you can connect to an instance, respond to a prompt with a username/password combination that exists in the password file, start the instance, and open an existing database or create a new one. If you do not need to start the instance and open the database across a network but you can always log on to the computer hosting the Oracle installation, then a password file is not strictly necessary because you can use operating system authentication instead. However, for practical purposes, you will always have one.


Ordinary users cannot start up or shut down a database. This is because an ordinary user is authenticated against the data dictionary, and it is logically impossible for an ordinary user to start up (or create) a database, since the data dictionary cannot be read until the database is open.

We must therefore connect with some form of external authentication: you must be authenticated either by the operating system, as being a member of the group that owns the Oracle software, or by giving a username/password combination that exists in the external password file. You tell Oracle that you wish to use external authentication by using appropriate syntax in the CONNECT command that you give in your user process. If you are using Database Control, it is easy: in the Connect As combo box you select either SYSOPER or SYSDBA.

These are the possibilities:
connect user/pass[@db]             : data dictionary authentication
connect user/pass[@db] as sysdba   : external password file
connect user/pass[@db] as sysoper  : external password file
connect / as sysdba                : OS authentication
connect / as sysoper               : OS authentication
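As an added example (not part of the original post), the following SQL*Plus audit script shows how to check which authentication type each account actually uses, who is listed in the external password file, and the instance parameters that govern the two non-dictionary paths described above. It assumes a DBA connection and Oracle 11g or later (the AUTHENTICATION_TYPE column of DBA_USERS is not present on 10g).

```sql
-- Added audit script, not from the original post. Run as a DBA in SQL*Plus.

-- 1. Count accounts per authentication type: PASSWORD (by database),
--    EXTERNAL (by OS), GLOBAL (directory/certificate), NONE (no login).
SELECT authentication_type, COUNT(*) AS accounts
FROM   dba_users
GROUP  BY authentication_type
ORDER  BY authentication_type;

-- 2. List the EXTERNAL and GLOBAL accounts explicitly: these are the ones
--    whose security depends on the OS or directory rather than on the
--    database, so they deserve a closer look during a review.
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  authentication_type IN ('EXTERNAL', 'GLOBAL')
ORDER  BY authentication_type, username;

-- 3. Members of the external password file: the accounts that can use
--    "connect user/pass@db as sysdba|sysoper" across the network, even
--    before the database is open. Expect SYS plus very few others.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 4. Parameters controlling the two paths:
--    remote_login_passwordfile = NONE disables password-file logins entirely
--    (only OS authentication on the host then works for SYSDBA/SYSOPER);
--    os_authent_prefix is prepended to the OS user name to form the database
--    user name for EXTERNAL accounts (historical default OPS$).
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_login_passwordfile', 'os_authent_prefix')
ORDER  BY name;
```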
