ing system but do not necessarily want them mapped to one another. For example, I can have an operating system user named Scott who perhaps never uses the database, so I don't want this OS user to be able to sign onto the database automatically. This is why the default is not an empty string. In some cases, you may want to change this value to an empty string to simplify the mapping between users. Finally, os_roles allows you to control which roles are granted through the operating system rather than through the database and should be used when you want the operating system to control not only authentication but also parts of the authorization process.

Windows-based authentication in Oracle means that Oracle uses Windows API calls to verify the identity of the connection request. This only works when both the client and the server are running on Windows. You will also need to set the following in your $ORACLE_HOME\network\admin\sqlnet.ora (which is the default value when you install Oracle on Windows):

SQLNET.AUTHENTICATION_SERVICES=(NTS)

If you set this value, you are telling the Oracle server that it should first try to perform Windows authentication and fall back on native authentication only if that is not possible.

Let's see what takes place when such a connection is attempted when starting up SQL*Plus on the client machine. In this case, you enter the username, password, and service name in the SQL*Plus sign-on screen. The TNS layer sees that you have NTS authentication configured on the client side (by looking at sqlnet.ora), and therefore the client sends a connection request to the server specifying that you would like to use NTS authentication. If the server is also configured to use Windows authentication, it will accept the request; the client and server have negotiated to use Windows authentication. You can actually see this action take place in the communication stream (for more on how to use packet sniffers and what these packet dumps mean, please see Chapter 10). For example, if you inspect the network conversations between two Windows machines, you will constantly see TNS packets marked as SNS (Secure Network Services), which is used in the authentication process within TNS. You can see an example in Figure 4.3 (Windows authentication elements are highlighted in all three panes).
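
The outcome of the negotiation described above can be predicted from the two sqlnet.ora files before you look at any packets. The following Python is an added example, not code from the book or from Oracle; it models only the decision (NTS when both ends offer it, native otherwise), not the TNS/SNS packets themselves. Assumptions: the parameter sits on a single line, a file without the line is treated as not offering NTS, and the function names and the `NATIVE` label are illustrative.

```python
import re

# Constructed sqlnet.ora contents (sample data, not taken from the page).
WIN_CLIENT = "# client side\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
WIN_SERVER = "sqlnet.authentication_services=(NTS)  # as written by the installer\n"
UNIX_SERVER = "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"  # no NTS adapter offered

# Parameter names are case-insensitive; the value may or may not be parenthesised.
_PARAM = re.compile(
    r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^()]*)\)?\s*$", re.I)


def auth_services(text):
    """Return the configured services, upper-cased; [] when the line is absent.

    Assumption: an absent line means this side does not offer NTS.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments before matching
        m = _PARAM.match(line)
        if m:
            return [s.strip().upper() for s in m.group(1).split(",") if s.strip()]
    return []


def negotiate(client_text, server_text):
    """Return (method, reason): NTS needs both ends, otherwise native is used."""
    client = auth_services(client_text)
    server = auth_services(server_text)
    if "NTS" not in client:
        return "NATIVE", "client does not request NTS"
    if "NTS" not in server:
        return "NATIVE", "server cannot do NTS; fall back to native"
    return "NTS", "both ends agreed on Windows authentication"


if __name__ == "__main__":
    for name, srv in (("Windows server", WIN_SERVER), ("UNIX server", UNIX_SERVER)):
        print(name, "->", negotiate(WIN_CLIENT, srv))
```

When the predicted method is native but the packet capture still shows SNS traffic, or the reverse, compare the sqlnet.ora the process actually loaded with the one you inspected.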

If you were to look at an authentication process with your client connecting to a UNIX or Linux machine, some of these packets would be missing because the server would immediately answer that it cannot do
 