Bytes | Software Development & Data Engineering Community

capture oracle pwd change in 3rd party application. help needed

Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........
Jul 19 '05 #1
Hi,

This all sounds a bit like hacking to me, not the best way to solve a
problem! Maybe it would be better to ask the application
manufacturer?

BUT, there are a number of possibilities that you could try. You could
implement a layer above OCI (it should be OCI unless it's the thin
driver) and basically get the third party application to call your
version of OCI first, extract the string and then call the real OCI
layer. This is a hard way to crack the problem though. If it is Java you
could do something illegal and decompile the Java and modify it and
recompile - your supplier would not support you though!!!!

You don't have to access the username and password in the
application either; you could just run a process regularly that synchronises
password hashes between the databases using the "identified by values"
version of alter user. This would depend on how long you can wait for
passwords to synchronise. You could also use single sign on?

You could also grab the text off the wire or via trace; my recent paper
called "detecting SQL injection in Oracle" might help. You can get it at
http://www.petefinnigan.com/orasec.htm. Finally you might be able to
find a way to screen scrape the application at the terminal level -
there are a few commercial products to do this, mainly used for
automated testing.

hth
kind regards

Pete

PS: please don't cross post, most people read all of these groups!
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Jul 19 '05 #2
Lasher wrote:
Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........

Go to $ORACLE_HOME/rdmbs/admin
Look at the file utlpwdmg.sql

If you have any business doing this you will be able to fill in the rest
of the picture.

Personally I agree with Pete. This is nonsense and, worse than nonsense, a
huge violation of any reasonable definition of system security. The OEM
should fix the problem. And my advice to you would be not to do this. That
it can be done doesn't mean that it should be done. The entire idea stinks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

Jul 19 '05 #3
Daniel Morgan <da******@x.washington.edu> wrote in message news:<1068147990.413220@yasure>...
Lasher wrote:
Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........

Go to $ORACLE_HOME/rdmbs/admin
Look at the file utlpwdmg.sql

If you have any business doing this you will be able to fill in the rest
of the picture.

Personally I agree with Pete. This is nonsense and, worse than nonsense, a
huge violation of any reasonable definition of system security. The OEM
should fix the problem. And my advice to you would be not to do this. That
it can be done doesn't mean that it should be done. The entire idea stinks.


I'm not sure what is so wrong about this, at least using Pete's
suggestion of Identified by Values in a non-public environment? It
seems as reasonable as, say, copying /etc/passwd (or shadow
equivalents) and user files to synchronize users on two identical
servers.

jg
--
@home.com is bogus.
http://www.signonsandiego.com/news/m...9_2m6wage.html
Jul 19 '05 #4
Joel Garry wrote:
Daniel Morgan <da******@x.washington.edu> wrote in message news:<1068147990.413220@yasure>...

Lasher wrote:
Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........

Go to $ORACLE_HOME/rdmbs/admin
Look at the file utlpwdmg.sql

If you have any business doing this you will be able to fill in the rest
of the picture.

Personally I agree with Pete. This is nonsense and, worse than nonsense, a
huge violation of any reasonable definition of system security. The OEM
should fix the problem. And my advice to you would be not to do this. That
it can be done doesn't mean that it should be done. The entire idea stinks.


I'm not sure what is so wrong about this, at least using Pete's
suggestion of Identified by Values in a non-public environment? It
seems as reasonable as, say, copying /etc/passwd (or shadow
equivalents) and user files to synchronize users on two identical
servers.

jg
--
@home.com is bogus.
http://www.signonsandiego.com/news/m...9_2m6wage.html

My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jul 19 '05 #5
> My objection is that it would take me a matter of minutes to make myself
> an account on another machine on which I had no permissions. It is a hacker's delight.


Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Jul 19 '05 #6
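Pete's alternative in #2 and #6 (synchronise the stored password hashes with the IDENTIFIED BY VALUES form of ALTER USER, so the cleartext password is never captured, and touch only accounts that already exist on the target) as a worked PL/SQL block. This is an added example, not code from the thread or from any of the posters. It assumes a database link named SRC_DB whose connecting account can read SYS.USER$ on the source database, and that the block is run by a DBA on the target. The hash layouts described in the comments (PASSWORD alone on 10g and earlier, SPARE4 with an optional trailing legacy hash on 11g and later) are my understanding and should be checked against the versions actually in use.

```sql
-- Added example (not from the thread): push changed password hashes from a
-- source database into this one using ALTER USER ... IDENTIFIED BY VALUES,
-- so no cleartext password is ever captured or handled.
-- Assumptions: a database link SRC_DB whose connecting account can read
-- SYS.USER$ on the source; this block is run by a DBA on the target.
SET SERVEROUTPUT ON
DECLARE
  v_hash  VARCHAR2(400);
  v_count PLS_INTEGER := 0;
BEGIN
  FOR r IN (
    SELECT s.name, s.password, s.spare4
      FROM sys.user$@src_db s
      JOIN sys.user$ l ON l.name = s.name         -- only accounts that already exist here
     WHERE s.type# = 1                             -- 1 = user, 0 = role
       AND s.name NOT IN ('SYS', 'SYSTEM')         -- never touch the administrative accounts
       AND (s.password IS NOT NULL OR s.spare4 IS NOT NULL)
       AND (   NVL(l.password, '-') <> NVL(s.password, '-')   -- skip accounts already in sync
            OR NVL(l.spare4,   '-') <> NVL(s.spare4,   '-'))
  ) LOOP
    -- Hash layout as assumed here: 10g and earlier keep only the 16-hex-char
    -- DES hash in PASSWORD; 11g and later keep 'S:<sha1 verifier>' (12c adds
    -- ';T:<sha512 verifier>') in SPARE4, with the legacy hash optionally still
    -- in PASSWORD. IDENTIFIED BY VALUES accepts the segments joined by ';'.
    IF r.spare4 IS NULL THEN
      v_hash := r.password;
    ELSIF r.password IS NULL THEN
      v_hash := r.spare4;
    ELSE
      v_hash := r.spare4 || ';' || r.password;
    END IF;

    -- Defensive check before concatenating into dynamic SQL: a stored
    -- verifier never contains a quote, so anything else is corrupt input.
    IF INSTR(v_hash, '''') > 0 THEN
      DBMS_OUTPUT.PUT_LINE('skip ' || r.name || ': unexpected hash format');
    ELSE
      BEGIN
        EXECUTE IMMEDIATE 'ALTER USER "' || r.name ||
                          '" IDENTIFIED BY VALUES ''' || v_hash || '''';
        v_count := v_count + 1;
      EXCEPTION
        WHEN OTHERS THEN
          -- log the failure and carry on; the hash itself is never printed
          DBMS_OUTPUT.PUT_LINE('skip ' || r.name || ': ' || SQLERRM);
      END;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_count || ' account(s) synchronised');
END;
/
```

Run it from SQL*Plus (SET SERVEROUTPUT ON is SQL*Plus syntax); the output names skipped accounts and a count, never a hash value. The join against the local SYS.USER$ is what enforces Pete's "no new accounts" caveat, and the comparison of the stored verifiers means an unchanged account is not re-altered. If the delay Pete mentions is acceptable, the block can be scheduled with DBMS_SCHEDULER (or DBMS_JOB on older releases); the link's account and the job owner should have no more than the SELECT and ALTER USER privileges this needs.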
Pete Finnigan wrote:
My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.


Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete

My personal opinion? The person asking the question is trying to crack a
database. I've never seen an application with this architecture in 34 years
in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jul 19 '05 #7

"Daniel Morgan" <da******@x.washington.edu> wrote in message news:1068245466.11957@yasure...
Pete Finnigan wrote:

My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete
My personal opinion? The person asking the question is trying to crack a database.
I've never seen an application with this architecture in 34 years in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does
something similar (not the synchronization, but the way it creates application
accounts: by creating an Oracle account). The application being Bladerunner.
If you ever get a chance, run (really fast) away from it.

:0)

Anurag
Jul 19 '05 #8
Thanks for the tip Anurag!
cheers

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Jul 19 '05 #9
Anurag Varma wrote:


"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>> wrote in message
news:1068245466.11957@yasure...
Pete Finnigan wrote:
My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.


Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete

My personal opinion? The person asking the question is trying to crack a
database. I've never seen an application with this architecture in 34 years
in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does
something similar (not the synchronization, but the way it creates application
accounts: by creating an Oracle account). The application being Bladerunner.
If you ever get a chance, run (really fast) away from it.

:0)

Anurag

I'll do that.

BTW: I've tried to email you off-line and failed. Please send me your
actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jul 19 '05 #10
Daniel,

I think I did reply to you offline, but I'm not sure if the mail reached you.

Anyway, I realized that the email I was using to mail from this location
was wrong.

My email is: av***@hotmail.com

Anurag
"Daniel Morgan" <da******@x.washington.edu> wrote in message news:1068311431.525724@yasure...
Anurag Varma wrote:
"Daniel Morgan" <da******@x.washington.edu> wrote in message news:1068245466.11957@yasure...
Pete Finnigan wrote:

My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete
My personal opinion? The person asking the question is trying to crack a database.
I've never seen an application with this architecture in 34 years in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does
something similar (not the synchronization, but the way it creates application
accounts: by creating an Oracle account). The application being Bladerunner.
If you ever get a chance, run (really fast) away from it.

:0)

Anurag

I'll do that.

BTW: I've tried to email you off-line and failed. Please send me your actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jul 19 '05 #11
Anurag Varma wrote:
Daniel,

I think I did reply to you offline, but I'm not sure if the mail reached you.

Anyway, I realized that the email I was using to mail from this location
was wrong.

My email is: av***@hotmail.com

Anurag

"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>> wrote in message
news:1068311431.525724@yasure...
Anurag Varma wrote:


"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>> wrote in message
news:1068245466.11957@yasure...
Pete Finnigan wrote:
> My objection is that it would take me a matter of minutes to make myself
> an account on another machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete

My personal opinion? The person asking the question is trying to crack a
database. I've never seen an application with this architecture in 34 years
in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does
something similar (not the synchronization, but the way it creates application
accounts: by creating an Oracle account). The application being Bladerunner.
If you ever get a chance, run (really fast) away from it.

:0)

Anurag

I'll do that.

BTW: I've tried to email you off-line and failed. Please send me
your actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

Thanks. I'll get back to you off-line.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jul 19 '05 #12
Daniel Morgan <da******@x.washington.edu> wrote in message news:<1068245466.11957@yasure>...
Pete Finnigan wrote:
My objection is that it would take me a matter of minutes to make myself
an account on another machine on which I had no permissions. It is a hacker's delight.
Hi Daniel,

I think another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc. I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate that this isn't the way to fix an issue like
this: why does this application need to have synchronised access to two
databases, and why isn't the manufacturer involved?

kind regards

Pete

My personal opinion? The person asking the question is trying to crack a
database. I've never seen an application with this architecture in 34 years
in the business.


Well, what do you think of SSO in Portal? The whole idea is to spread
a single password among apps. Then they give code to show the
passwords to admins! (ie, metalink note 205984.1). And you wind up
with two passwords, one of which is used in some places and the other
in others (such as whether you make all the, ahem, required public
synonyms through portal or sqlplus). IDENTIFIED GLOBALLY requires
some sort of synchronization between db's, and/or careful use of schema
independence.

I'd really like to be wrong.


You may well be right, but By Values has been common knowledge for
generations. A couple of times I've almost written things like the OP
asked for, but it always turned out to be not necessary due to the
methods of copying the db. It's easy to envision an architecture like
that, though, particularly with unique ETL requirements. I've seen
worse - like admins keeping passwords in email so they know what to
change them all to manually.

jg
--
@home.com is bogus.
http://cbs.marketwatch.com/news/stor...le&dist=google
Jul 19 '05 #13
Hi,

This all sounds a bit like hacking to me, not the best way to solve a
problem!, - maybe it would be better to ask the application
manufacturer?.

BUT, there are a number of possibilities that you could try, you could
implement a layer above OCI (it should be OCI unless its the thin
driver) and basically get the third party application to call your
version of OCI first, extract the string and then call the real OCI
layer. This is a hard way to crack the problem though. If it is java you
could do something illegal and decompile the java and modify it and
recompile - your supplier would not support you though!!!!

You don't have to access the username and password either in the
application, you could just run a process regularly that synchronises
password hashes between the databases using the "identified by values"
version of alter user. This would depend on how long you can wait for
passwords to synchronise. You could also use single sign on?

You could also grab the text off the wire or via trace, my recent paper
called "detecting SQL injection in Oracle" might help. You can get it at
http://www.petefinnigan.com/orasec.htm. Finally you might be able to
find a way to screen scrape the application at the terminal level -
there are a few commercial products to do this, mainly used for
automated testing.

hth
kind regards

Pete

PS: please don't cross post, most people read all of these groups!
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Jun 27 '08 #14
> My objection is that it would take me a matter of minutes to
make myself an account on another
machine on which I had no permissions. It is a hacker's delight.
Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Jun 27 '08 #15
Pete Finnigan wrote:
>> My objection is that it would take me a matter of minutes to

make myself an account on another
machine on which I had no permissions. It is a hacker's delight.


Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete

My personal opinion? The person asking the question is trying to crack a
database.
I've never seen an application with this architecture in 34 years in the
business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jun 27 '08 #16

"Daniel Morgan" <da******@x.washington.eduwrote in message news:1068245466.11957@yasure...
Pete Finnigan wrote:

My objection is that it would take me a matter of minutes to
make myself an account on another
machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete
My personal opinion? The person asking the question is trying to crack a database.
I've never seen an application with this architecture in 34 years in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)--------------Actually one of the databases I manage runs on an application which doessomething similar (Not the synchronization .. but the way it creates application accounts ....by creating an Oracle account). The application being Bladerunner.If you ever get a chance .. run (really fast) away from it.:0)Anurag
Jun 27 '08 #17
Thanks for the tip Anurag!
cheers

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Jun 27 '08 #18
Anurag Varma wrote:
>

"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>wrote in message
news:1068245466.11957@yasure...
Pete Finnigan wrote:
>>> My objection is that it would take me a matter of minutes to
make myself an account on another
machine on which I had no permissions. It is a hacker's delight.


Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete

My personal opinion? The person asking the question is trying to
crack a database.
I've never seen an application with this architecture in 34 years
in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does

something similar (Not the synchronization .. but the way it creates application accounts ...

by creating an Oracle account). The application being Bladerunner.

If you ever get a chance .. run (really fast) away from it.

:0)

Anurag
I'll do that.

BTW: I've tried to email you off-line and failed. Please send me your
actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jun 27 '08 #19
Daniel,

I think I did reply you offline .. but not sure if the mail reached you.

Anyway, I realized that the email I was using to mail from this location
was wrong.

My email is: av***@hotmail.com

Anurag
"Daniel Morgan" <da******@x.washington.eduwrote in message news:1068311431.525724@yasure...
Anurag Varma wrote:
"Daniel Morgan" <da******@x.washington.eduwrote in message news:1068245466.11957@yasure...
Pete Finnigan wrote:

My objection is that it would take me a matter of minutes to
make myself an account on another
machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete
My personal opinion? The person asking the question is trying to crack a database.
I've never seen an application with this architecture in 34 years in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)--------------Actually one of the databases I manage runs on an application which doessomething similar (Not the synchronization .. but the way it creates application accounts ....by creating an Oracle account). The application being Bladerunner.If you ever get a chance .. run (really fast) away from it.:0)Anurag I'll do that.

BTW: I've tried to email you off-line and failed. Please send me your actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jun 27 '08 #20
Anurag Varma wrote:
Daniel,

I think I did reply you offline .. but not sure if the mail reached you.

Anyway, I realized that the email I was using to mail from this location
was wrong.

My email is: av***@hotmail.com <mailto:av***@hotmail.com>

Anurag

"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>wrote in message
news:1068311431.525724@yasure...
Anurag Varma wrote:
>>

"Daniel Morgan" <da******@x.washington.edu
<mailto:da******@x.washington.edu>wrote in message
news:1068245466.11957@yasure...
Pete Finnigan wrote:
>>>> My objection is that it would take me a matter of minutes to
>
>
make myself an account on another
machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think there is another point to make here is that we are not
implementing this but just discussing possible solutions without knowing
the application or architecture, tools, requirements etc.... I would say
that a script to synchronise password hash values should be run in a
secure manner and also would not add new accounts, just synchronise old
ones. I would also re-iterate this isn't the way to fix an issue like
this, why does this application need to have synchronised access to two
databases? and why isn't the manufacturer involved.

kind regards

Pete

My personal opinion? The person asking the question is trying
to crack a database.
I've never seen an application with this architecture in 34
years in the business.

I'd really like to be wrong.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

--------------

Actually one of the databases I manage runs on an application which does

something similar (Not the synchronization .. but the way it creates application accounts ...

by creating an Oracle account). The application being Bladerunner.

If you ever get a chance .. run (really fast) away from it.

:0)

Anurag
I'll do that.

BTW: I've tried to email you off-line and failed. Please send me
your actual email address off-line. Thanks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Thanks. I'll get back to you off-line.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)
Jun 27 '08 #21
Daniel Morgan <da******@x.washington.edu> wrote in message news:<1068245466.11957@yasure>...
> Pete Finnigan wrote:
> > > My objection is that it would take me a matter of minutes to
> > > make myself an account on another
> > > machine on which I had no permissions. It is a hacker's delight.
> >
> > Hi Daniel,
> >
> > I think there is another point to make here, which is that we are not
> > implementing this but just discussing possible solutions without knowing
> > the application or architecture, tools, requirements etc.... I would say
> > that a script to synchronise password hash values should be run in a
> > secure manner and also would not add new accounts, just synchronise old
> > ones. I would also re-iterate this isn't the way to fix an issue like
> > this: why does this application need to have synchronised access to two
> > databases, and why isn't the manufacturer involved?
> >
> > kind regards
> >
> > Pete
>
> My personal opinion? The person asking the question is trying to crack a
> database.
> I've never seen an application with this architecture in 34 years in the
> business.

Well, what do you think of SSO in Portal? The whole idea is to spread
a single password among apps. Then they give code to show the
passwords to admins! (ie, metalink note 205984.1). And you wind up
with two passwords, one of which is used in some places and the other
in others (such as whether you make all the, ahem, required public
synonyms through portal or sqlplus). IDENTIFIED GLOBALLY requires
some sort of synchronization between db's, and/or careful use of schema
independence.

> I'd really like to be wrong.
You may well be right, but By Values has been common knowledge for
generations. A couple of times I've almost written things like the OP
asked for, but it always turned out to be not necessary due to the
methods of copying the db. It's easy to envision an architecture like
that, though, particularly with unique ETL requirements. I've seen
worse - like admins keeping passwords in email so they know what to
change them all to manually.

jg
--
@home.com is bogus.
http://cbs.marketwatch.com/news/stor...le&dist=google
Jun 27 '08 #22
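Pete's point above (quoted again in jg's reply) is that a hash-sync script, if one is written at all, must only update accounts that already exist on the target and must never create accounts, which is exactly the "hacker's delight" Daniel objects to. The following is an added example, not code from anyone in this thread, showing what that constraint looks like when generating `ALTER USER ... IDENTIFIED BY VALUES` DDL. It assumes the caller has already read each account's stored hash from the source and target data dictionaries (which view holds it varies by Oracle version, so that step is not shown), and the sample account names and hash strings are constructed, not real values. Because `IDENTIFIED BY VALUES` is DDL and cannot take bind variables, the script refuses any account name or hash value that is not in a conservative character set, so nothing read from a database is ever spliced into a statement unchecked.

```python
"""Generate hash-sync DDL only for accounts that already exist on the target.

Added example for the thread above; all names and hash strings below are
constructed. The stored-hash format depends on the Oracle version, so the
accepted character set is a deliberately narrow assumption: widen it only
for characters your version actually emits, never to include quotes or
whitespace.
"""
import re
from typing import Dict, List, Tuple

# Oracle unquoted identifier: leading letter, then letters/digits/_/$/#,
# at most 30 characters (the classic limit; assumption for this example).
_IDENT_RE = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")

# Hash values we are willing to splice into DDL: no quotes, no whitespace,
# no statement separators. Colons/semicolons are allowed because some
# Oracle hash encodings use them (assumption; adjust for your version).
_HASH_RE = re.compile(r"^[A-Za-z0-9:;]+$")

# Accounts the sync must never touch (design choice for this example).
PROTECTED = frozenset({"SYS", "SYSTEM"})


def build_sync_statements(
    source_hashes: Dict[str, str], target_hashes: Dict[str, str]
) -> Tuple[List[str], List[str]]:
    """Return (ddl_statements, skipped_reasons).

    source_hashes: account -> stored hash on the source database
    target_hashes: account -> stored hash currently on the target database
    Only accounts present in target_hashes can receive a statement; an
    account that exists only on the source is skipped, never created.
    """
    statements: List[str] = []
    skipped: List[str] = []
    for user, hashval in sorted(source_hashes.items()):
        user_u = user.upper()
        if user_u in PROTECTED:
            skipped.append(f"{user_u}: protected account, not synchronised")
            continue
        if user_u not in target_hashes:
            skipped.append(f"{user_u}: not present on target, no CREATE USER emitted")
            continue
        if not _IDENT_RE.match(user_u):
            skipped.append(f"{user_u!r}: account name rejected by identifier check")
            continue
        if not _HASH_RE.match(hashval):
            skipped.append(f"{user_u}: hash value rejected by character check")
            continue
        if target_hashes[user_u] == hashval:
            skipped.append(f"{user_u}: already in sync")
            continue
        # Double-quoted identifier and single-quoted literal; both values have
        # passed the allow-list checks above, so neither can break out.
        statements.append(
            f'ALTER USER "{user_u}" IDENTIFIED BY VALUES \'{hashval}\''
        )
    return statements, skipped


# Constructed sample dictionaries (not real hashes).
SOURCE = {
    "APPUSER1": "A1B2C3D4E5F60718",   # unchanged on target -> skipped
    "APPUSER2": "0123456789ABCDEF",   # differs -> statement emitted
    "REPORTING": "FEDCBA9876543210",  # differs -> statement emitted
    "NEWACCT": "1111222233334444",    # only on source -> skipped, never created
    "SYSTEM": "DEADBEEFDEADBEEF",     # protected -> skipped
    "BAD'USER": "AAAAAAAAAAAAAAAA",   # malformed name -> rejected
    "APPUSER3": "AB'CD",              # quote in hash value -> rejected
}
TARGET = {
    "APPUSER1": "A1B2C3D4E5F60718",
    "APPUSER2": "OLD0OLD0OLD0OLD0",
    "REPORTING": "OLDOLDOLDOLDOLD1",
    "SYSTEM": "CAFEBABECAFEBABE",
    "BAD'USER": "BBBBBBBBBBBBBBBB",
    "APPUSER3": "CCCCCCCCCCCCCCCC",
}


def main() -> None:
    ddl, skipped = build_sync_statements(SOURCE, TARGET)
    for stmt in ddl:
        print(stmt)
    for reason in skipped:
        print("-- skipped:", reason)


if __name__ == "__main__":
    main()
```

On the constructed sample this emits two `ALTER USER` statements (APPUSER2 and REPORTING) and skips the other five with a reason. Note that the emitted statements contain password hashes, so "run in a secure manner" also means the script's output and any log of it need the same protection as the data dictionary they came from.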