Re^7: DBI Password connection to Oracle

If you use a unix account for verification, you need to have the password working (and you need to pass the user and password from the perl script).

Not so... in fact, that's the point of "identified externally". "With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login." reference

The system service accounts such as nobody don't have a working password and therefor are unusable, the normal user accounts have working passwords, but have access to loginto the system (as implied from the OP) and therefor would have access to both their user:pass and the systems user:pass database (indirectly).

That I'm not sure of - whether or not it would validate that 'nobody' was logged in and pass that through or not... worth a try though. But again, you are not passing the UNIX password - since the user is already logged in, it's using UNIX's authentication of the user itself.

Going back to the ssh example (and this ties into your second point) - the use of public/private challenge and response keys exhibit a way to verify login over a network without passing unencrypted sensitive data. But all of this needs to be tested and it depends on what type of UNIX the OP is using, as well as the type of Oracle.

Comment on Re^7: DBI Password connection to Oracle

Replies are listed 'Best First'.
Re^8: DBI Password connection to Oracle by waswas-fng (Curate) on Jun 28, 2005 at 18:46 UTC
You are misreading what external is -- it just passes the auth that is submitted to oracle from a client to the OS for verification instead of using its internal user db. Or in the case of a local client (running on the same server as oracle server) then it allows users that have already authed to that server to use the databse (the OP states that there will be remote clients). from your link: If a user with an operating system account named tsmith is to connect to an Oracle database and be authenticated by the operating system... This means you are still passing username and password from the client perl script -- however on the oracle server side instead of authing against its own internal user db, it passes to the OS. There is nothing here that makes it magically not need a user or password on/in the client script. -Waswas	[reply]
Re^9: DBI Password connection to Oracle by Transient (Hermit) on Jun 28, 2005 at 19:00 UTC
Yes, I should have stated that my assumption was that the user was already logged in on the DB server (by whatever means) and this is tied to the user on the networked server. However, for a local system, no password is required to be passed to Oracle. See here: the idea is to make it so you don't have an oracle password at all. you log into the OS and the database trusts you are who the OS says you are. Granted it's all theory at this point (and trusting the documentation) and it's not documented on how to do this over a network - that part is pure speculation. What isn't speculation is that this is more an Oracle question than a Perl question and that Oracle has many ways to do this on its own :)	[reply]
Re^10: DBI Password connection to Oracle by waswas-fng (Curate) on Jun 28, 2005 at 19:10 UTC
The perl script is not local and therefor would need to send the user and password -- from the Original Post: I need to connect via some arbitrary machine known to my network either via cgi or back end perl scripts to a oracle DB. anyways I am bored of this thread and shutting down until the OP posts more info. -Waswas	[reply]