Protecting Database Password Verifiers
The OraclePasswordAccessibleDomains group in each identity management realm
is created automatically when the realm is created, and can be managed by using
Enterprise Security Manager. Enterprise domains with member databases that must
view users' database password verifiers in the directory are placed into this group.
For a selected realm, determine which databases can accept password-authenticated
connections. Use Enterprise Security Manager to place the domains containing
those databases into the OraclePasswordAccessibleDomains group. An ACL on the
user subtree permits access to the directory attribute that holds the password
verifier used by the database.
All other users are denied access to this attribute. An ACL that prevents anonymous
read access to the password verifier attributes is at the root of the directory tree.
Note that for usability, by default the OracleDefaultDomain is a member of the
OraclePasswordAccessibleDomains group. It can be removed, if desired.
See Also:
"Managing Password Accessible Domains" on page 13-23
Oracle Internet Directory Administrator's Guide if you are not
storing your users in the subtree of an identity management
realm. This manual describes how to configure ACLs so
password-authenticated users can connect to databases.
Considerations for Defining Database Membership in Enterprise Domains
Consider the following criteria when defining the database membership of a
domain:
- Current user database links operate only between databases within a single
  enterprise domain. Use of these links requires mutual trust between these
  databases and between the DBAs who administer them.
- Accepted authentication types for enterprise users are defined at the domain
  level. Database membership in a domain should therefore be defined
  accordingly. If one or more databases are intended to only support SSL-based
  certificate authentication, they cannot be combined in the same domain with
  password-authenticated databases.
- Enterprise roles are defined at the domain level. To share an enterprise role
  across multiple databases, the databases must be members of the same domain.
Enterprise User Security Deployment Considerations
Getting Started with Enterprise User Security 11-27
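The domain membership criteria and the OraclePasswordAccessibleDomains rule described on this page can be checked against a planned layout before it is configured in Enterprise Security Manager. The following is an added example, not code from the Oracle manual: the inventory format, function name, finding labels and all sample names are assumptions, each database is simplified to a single authentication type, and the "verifier-access-unneeded" check is a least-privilege inference rather than a stated requirement.

```python
from collections import defaultdict

def check_domain_plan(databases, links, shared_roles, password_accessible):
    """Check a planned layout against the membership criteria (hypothetical helper).
    databases: {db: (domain, auth)} with auth "password" or "ssl" (SSL-only)
    links: [(src_db, dst_db)] planned current user database links
    shared_roles: {enterprise_role: [db, ...]}
    password_accessible: domains placed in OraclePasswordAccessibleDomains
    Returns a sorted list of (rule, subject) findings.
    """
    findings = set()
    auth_by_domain = defaultdict(set)
    for domain, auth in databases.values():
        auth_by_domain[domain].add(auth)
    for domain, auths in auth_by_domain.items():
        # SSL-only databases cannot share a domain with password-authenticated ones.
        if auths == {"password", "ssl"}:
            findings.add(("mixed-auth", domain))
        # Password-authenticated databases need their domain in the group.
        if "password" in auths and domain not in password_accessible:
            findings.add(("verifier-unreadable", domain))
    # Added inference: a domain with no password database needs no verifier access.
    for domain in password_accessible:
        if "password" not in auth_by_domain.get(domain, set()):
            findings.add(("verifier-access-unneeded", domain))
    # Current user database links operate only within a single enterprise domain.
    for src, dst in links:
        if databases[src][0] != databases[dst][0]:
            findings.add(("link-crosses-domains", f"{src}->{dst}"))
    # An enterprise role can be shared only by databases in the same domain.
    for role, dbs in shared_roles.items():
        if len({databases[db][0] for db in dbs}) > 1:
            findings.add(("role-spans-domains", role))
    return sorted(findings)

# Constructed sample plan; database, domain and role names are made up.
SAMPLE_DATABASES = {
    "hr1": ("HRDomain", "password"),
    "hr2": ("HRDomain", "ssl"),
    "fin1": ("FinDomain", "password"),
    "pay1": ("PayDomain", "ssl"),
}
SAMPLE_LINKS = [("hr1", "hr2"), ("hr1", "fin1")]
SAMPLE_ROLES = {"auditor": ["hr1", "fin1"], "hr_clerk": ["hr1", "hr2"]}
SAMPLE_GROUP = {"HRDomain", "OracleDefaultDomain"}

if __name__ == "__main__":
    for f in check_domain_plan(SAMPLE_DATABASES, SAMPLE_LINKS, SAMPLE_ROLES, SAMPLE_GROUP):
        print(f)
```

An empty result means the plan satisfies every check; OracleDefaultDomain is flagged in the sample because it is in the group by default but contains no password-authenticated database in this plan.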