SQL> create user hxy4 identified by sys123;   -- the BY keyword selects database (password) authentication
User created.
If a user account is created with external authentication, Oracle delegates authentication to an external service and does not prompt for a password. If the Advanced Security option is not enabled, the only form of external authentication available is operating-system authentication. This technique creates an Oracle user account with the same name as the operating-system user account, prefixed with the string specified by the OS_AUTHENT_PREFIX instance parameter. The parameter defaults to the string OPS$. It can be queried with the following statements:
SQL> show parameter os_authent_prefix

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      ops$
SQL>
or:
SQL> select value from v$parameter where name='os_authent_prefix'
  2  /

VALUE
--------------------------------------------------------------------------------
ops$
Creating a user with external operating-system authentication is straightforward. Suppose an operating-system user named dragon exists:
For Linux:
create user ops$dragon identified externally;
For Windows, if the login ID is Dragon and the domain is MIS:
create user "OPS$MIS\DRAGON" identified externally;
Once the user is created, log in to the operating system as dragon and simply enter: sqlplus /   to log in and connect to the database.
Also, when OS_AUTHENT_PREFIX=OPS$ is used, a flexible authentication scheme is available: the user can be authenticated either by the operating system or by the Oracle server. In that case the DBA creates the user with a command of the form:
CREATE USER ops$user IDENTIFIED BY password ...
A user logged in to the machine running the Oracle server need not supply a password. If the user connects from a remote client, the password can be supplied to make the connection.
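The following script is an added worked example and is not part of the original notes or of Oracle's documentation. It walks through the Linux and Windows forms of the CREATE USER statement shown above and then verifies how Oracle recorded each account. It assumes the default prefix OPS$, an operating-system account named dragon, and a Windows login MIS\Dragon; all three are assumptions taken from the notes, not values from a real system.

```sql
-- Added example: create OS-authenticated users and verify them. Run as a DBA in SQL*Plus.
-- Assumptions: OS_AUTHENT_PREFIX is the default OPS$; OS accounts dragon (Linux)
-- and MIS\Dragon (Windows) exist.

-- 1. Confirm the prefix the instance actually uses. The Oracle user name must be
--    exactly prefix || OS user name, or the OS login will not map to the account.
SELECT value AS os_authent_prefix
  FROM v$parameter
 WHERE name = 'os_authent_prefix';

-- 2. Linux form. The unquoted identifier is folded to OPS$DRAGON; on Linux Oracle
--    upper-cases the OS user name before matching, so OS user "dragon" maps to it.
CREATE USER ops$dragon IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$dragon;

-- 3. Windows form. Quote the name so the backslash and the exact spelling survive.
CREATE USER "OPS$MIS\DRAGON" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$MIS\DRAGON";

-- 4. Verify from the data dictionary. DBA_USERS.AUTHENTICATION_TYPE (11g and later)
--    reports PASSWORD, EXTERNAL or GLOBAL; the two accounts above must show EXTERNAL,
--    and no password hash is stored for them.
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE username IN ('OPS$DRAGON', 'OPS$MIS\DRAGON');

-- 5. Verify from inside a session. After logging in to the OS as dragon and running
--    "sqlplus /", the session should report the OS-authenticated user and method:
--    SHOW USER                                                -> USER is "OPS$DRAGON"
--    SELECT sys_context('USERENV', 'AUTHENTICATION_METHOD') FROM dual;   -> OS
```

Step 5 is the check worth keeping: if AUTHENTICATION_METHOD reports something other than OS, the connection did not come through the operating-system path the notes describe, which usually means the prefix or the user name does not match.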
Some operating systems let Oracle use information they maintain to authenticate users, with the following benefits:
■ Once authenticated by the operating system, users can connect to Oracle more conveniently, without specifying a user name or password. For example, an operating-system-authenticated user can invoke SQL*Plus and skip the user name and password prompts by entering the following:
■ With control over user authentication centralized in the operating system, Oracle need not store or manage user passwords, though it still maintains user names in the database.
■ Audit trails in the database and operating system use the same user names.
When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care.
An emerging standard for managing identities is the use of an LDAP server. Oracle Internet Directory (OID) is Oracle's LDAP-compliant product; global users are users defined in the LDAP directory.
[oracle@dsg2 dbs]$ mv orapwdsg02 orapwdsg02.bak ---- take the password file out of use by renaming it
[oracle@dsg2 dbs]$ sqlplus sys/oracle@dsg02 as sysdba
SQL*Plus: Release Production on Wed Jul 24 12:07:37 2013
Copyright (c) 1982, 2009, Oracle. All rights reserved.
ORA-01031: insufficient privileges
Enter user-name:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[oracle@dsg2 dbs]$ mv orapwdsg02.bak orapwdsg02
[oracle@dsg2 dbs]$ sqlplus sys/oracle@dsg02 as sysdba
SQL*Plus: Release Production on Wed Jul 24 12:10:04 2013
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options ------ login succeeded
Check whether remote login using password-file authentication is allowed. The parameter has three values: SHARED/EXCLUSIVE/NONE. NONE means remote password-file authentication is not allowed, so a remote connection with the SYS account will fail, as shown below.
SQL> show parameter remote_login_passwordfile

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE
SQL>
SQL> alter system set remote_login_passwordfile='NONE' scope=spfile
  2  /

System altered.
The change takes effect after a restart.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup force
Now attempt a remote connection; it fails, because the parameter value has actually been changed:
SQL> conn sys/hxy@lcro as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

SQL> show parameter remote_login

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      NONE
SQL> select * from v$pwfile_users
  2  /

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
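The following audit script is an added example, not part of the original notes. It pulls together the two things the session above checks by hand: the in-memory and spfile values of remote_login_passwordfile (which differ between the ALTER SYSTEM ... SCOPE=SPFILE and the restart), and the accounts that can authenticate through the password file. It assumes only standard v$ views and is meant to be run as SYSDBA on the local machine.

```sql
-- Added example: audit password-file authentication posture. Run as SYSDBA locally.
-- Assumes nothing beyond the standard v$parameter, v$spparameter and v$pwfile_users views.

-- 1. Compare the running value with the spfile value. After
--    ALTER SYSTEM SET remote_login_passwordfile='NONE' SCOPE=SPFILE the two differ
--    until the instance is restarted, which is why the notes restart before testing.
SELECT p.name,
       p.value AS in_memory_value,
       s.value AS spfile_value,
       CASE
         WHEN p.value = 'NONE'
           THEN 'remote SYSDBA/SYSOPER via password file is blocked'
         WHEN p.value <> NVL(s.value, p.value)
           THEN 'pending change; restart required'
         ELSE 'remote SYSDBA/SYSOPER via password file is allowed'
       END AS effect
  FROM v$parameter   p
  LEFT JOIN v$spparameter s ON s.name = p.name
 WHERE p.name = 'remote_login_passwordfile';

-- 2. List every account held in the password file and the privilege it carries.
--    Each of these can connect remotely AS SYSDBA/SYSOPER whenever the value
--    above is EXCLUSIVE or SHARED, so the list should be as short as possible.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Flag anything beyond SYS in the password file for review. On a default
--    installation only SYS is present, as the output in the notes shows.
SELECT username,
       sysdba,
       sysoper,
       'review: non-SYS account in password file' AS note
  FROM v$pwfile_users
 WHERE username <> 'SYS';
```

The LEFT JOIN in step 1 matters on instances started from a pfile rather than an spfile, where v$spparameter has no matching row; the NVL keeps the CASE from reporting a phantom pending change in that situation.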
The SQLNET.AUTHENTICATION_SERVICES parameter in the $ORACLE_HOME/network/admin/sqlnet.ora configuration file has three values: