Default role with password - reality check
I support the database for an application. We upgraded from Oracle10 to Oracle11 9 months ago. Then recently we applied the OCT CPU.
The application admin says that they have a program that has recently stopped working that worked after the Oracle11 upgrade.
The application user has a default role which has a password. Is that possible? A default role with a password. Would this have ever worked in any version of Oracle?
Default role with password is a feature even available with Oracle XE. Default roles are activated without requiring role password in Oracle 10.2:
SQL> drop user admin cascade;
User dropped.
SQL> drop user test cascade;
User dropped.
SQL> drop role rwp;
Role dropped.
SQL> select * from v$version;
BANNER
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product
PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
SQL>
SQL> create user admin identified by oraclexe;
User created.
SQL> grant create session, create table to admin;
Grant succeeded.
SQL> grant unlimited tablespace to admin;
Grant succeeded.
SQL> grant create user to admin;
Grant succeeded.
SQL> grant create role to admin;
Grant succeeded.
SQL>
SQL> create user test identified by oraclexe;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL>
SQL> connect admin/oraclexe;
Connected.
SQL> create table t(x varchar2(10));
Table created.
SQL> insert into t values('admin OK');
1 row created.
SQL> commit;
Commit complete.
SQL> create role rwp identified by oraclexe;
Role created.
SQL> grant all on t to rwp;
Grant succeeded.
SQL> grant rwp to test;
Grant succeeded.
SQL>
SQL> connect test/oraclexe;
Connected.
SQL> select * from session_roles;
ROLE
RWP
SQL> select * from admin.t;
X
admin OK
SQL> insert into admin.t values('test OK');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from admin.t;
X
admin OK
test OK
SQL>There have been changes between Oracle 10.2 and 11.2 because the same script fails in 11.2 unless the role is set with the password:
SQL> drop user admin cascade;
User dropped.
SQL> drop user test cascade;
User dropped.
SQL> drop role rwp;
Role dropped.
SQL> select * from v$version;
BANNER
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
SQL>
SQL> create user admin identified by oraclexe;
User created.
SQL> grant create session, create table to admin;
Grant succeeded.
SQL> grant unlimited tablespace to admin;
Grant succeeded.
SQL> grant create user to admin;
Grant succeeded.
SQL> grant create role to admin;
Grant succeeded.
SQL>
SQL> create user test identified by oraclexe;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL>
SQL> connect admin/oraclexe;
Connected.
SQL> create table t(x varchar2(10));
Table created.
SQL> insert into t values('admin OK');
1 row created.
SQL> commit;
Commit complete.
SQL> create role rwp identified by oraclexe;
Role created.
SQL> grant all on t to rwp;
Grant succeeded.
SQL> grant rwp to test;
Grant succeeded.
SQL>
SQL> connect test/oraclexe;
Connected.
SQL> select * from session_roles;
no rows selected
SQL> select * from admin.t;
select * from admin.t
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> insert into admin.t values('test OK');
insert into admin.t values('test OK')
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> commit;
Commit complete.
SQL> select * from admin.t;
select * from admin.t
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
SQL> set role rwp identified by oraclexe;
Role set.
SQL> select * from session_roles;
ROLE
RWP
SQL> select * from admin.t;
X
admin OK
SQL> insert into admin.t values('test OK');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from admin.t;
X
admin OK
test OK
SQL>10.2 Security Guide says:
If you are granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in a SET ROLE statement. However, if the role is made a default role and enabled at connect time, then the user is not required to enter a password.
11.1 and 11.2 Secuirty Guide says:
If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
Edited by: P. Forstmann on 20 févr. 2010 10:28
Similar Messages
-
How can i to set role with password from a package ?
the package dbms_session.set_role can set the password ?
regards
MDFCheck this out.
http://download-west.oracle.com/docs/cd/B14117_01/server.101/b10759/statements_10004.htm#sthref7302 -
Default role with membership login
I am creating a new instance of our portal. Right now, I have the login set to membership. If I create a new user, I get a serious desktop error. (error below)
I noticed when I go into the admin this new user has no role assigned. How do I set it up so the user would get the look from default?
09/17/2003 09:06:51:387 AM EDT: Thread[Thread-185,5,main]
ERROR: JspRequestDispatcher:
javax.servlet.ServletException: Problem processing JSP: /header.jsp
at com.sun.portal.providers.jsp.JspRequestDispatcher.getJspResource(JspRequestDispatcher.ja
a:164)
at com.sun.portal.providers.jsp.JspRequestDispatcher.include(JspRequestDispatcher.java:97)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:408)
at jsps.etc._opt._SUNWps._desktop._iConnect._default_en_US._JSPTabContainer._html._tab_js
._jspService(_tab_jsp.java:85)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sun.portal.providers.jsp.JspServletWrapper.service(JspServletWrapper.java:182)
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:692)
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
ainerProvider.java:535)
at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
ontext.java:367)
at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
:897)
at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)
09/17/2003 09:06:51:402 AM EDT: Thread[Thread-185,5,main]
ERROR: DesktopServlet.handleException()
com.sun.portal.providers.ProviderException: JSPProvider.processJSPFile(): jsp=tab.jsp, java.lang.In
exOutOfBoundsException: Index: 0, Size: 0
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:709)
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
ainerProvider.java:535)
at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
ontext.java:367)
at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
:897)
at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:486)
at java.util.ArrayList.get(ArrayList.java:302)
at com.sun.portal.desktop.util.SmartList.get(SmartList.java:132)
at com.sun.portal.providers.containers.jsp.tab.util.TabData.getSelectedTabName(TabData.java
157)
at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getSelectedTabName(J
PTabContainerProvider.java:344)
at com.sun.portal.desktop.taglib.container.tab.GetSelectedTabNameTag.doStartTag(GetSelected
abNameTag.java:21)
at jsps.etc._opt._SUNWps._desktop._iConnect._default_en_US._JSPTabContainer._html._tab_js
._jspService(_tab_jsp.java:130)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sun.portal.providers.jsp.JspServletWrapper.service(JspServletWrapper.java:182)
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:692)
at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
ainerProvider.java:535)
at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
ontext.java:367)
at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
:897)
at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)It seems like "serious desktop error" is actually
caused by header.jsp and has nothing to do
with the fact that user has no roles assigned
(which is the "default" role for new portal user)
Cheers,
Alex :-) -
Creation of BP with default role
Hi ,
I have a requiement where in I want a Business Partner to be created with a default role ,i.e CRM006. I can do this in GUI with the help of authorizations.
But the same does not work in PCUI.
My requirement is whenever a user creates a Business Partner, Role CRM006 automatically gets assigned to it.
please sugest something.
Help will be apreciated.
Regards
Sourabh VermaHi PREMKUMAR LNS,
you can easily implement BADI: BADI_CRM_BP_UIU_DEFAULTS
IF_UIU_BP_DEFAULTS~GET_DEFAULT_VALUES
and write something like this:
assign cr_me->('TYPED_CONTEXT') to <typed_context>.
if sy-subrc = 0.
lr_typed_context ?= <typed_context>.
if lr_typed_context is bound.
assign lr_typed_context->('HEADER') to <context_node>.
if sy-subrc = 0.
try.
lr_node ?= <context_node>.
catch cx_sy_move_cast_error. "EC_NOHANDLER
endtry.
if lr_node is bound.
lr_coll_wrapper ?= lr_node->collection_wrapper.
if lr_coll_wrapper is bound.
try.
lr_current ?= lr_coll_wrapper->get_current( ).
check lr_current is bound.
controllo la tipologia di account
zbp_category = lr_current->get_property_as_string( 'BP_CATEGORY' ).
zbp_group = lr_current->get_property_as_string( 'BP_GROUP' ).
if zbp_category = '1'.
elseif zbp_category = '2'.
Set default role at creation to "Relation"
break domino.
zobp_category = lr_current->get_property_as_string( 'BP_ROLE' ).
if zobp_category is initial.
Here you are setting the default role
lr_current->set_property( iv_attr_name = 'BP_ROLE'
iv_value = 'BUP002' ).
endif.
else.
endif.
catch cx_sy_move_cast_error.
endtry.
endif.
endif.
endif.
endif.
endif. -
Hi, I having trouble trying to connect to the wifi, I know the passwords and checked with others divises but with the mac os x 10.7.5 mac os x lion is not working
One of the wifi connections said "time out" or did not recongnise the passwordHi andrea122,
Thanks for visiting Apple Support Communities.
If you're not able to connect to Wi-Fi on your iMac, the troubleshooting steps in this article can help:
Wi-Fi: How to troubleshoot Wi-Fi connectivity
http://support.apple.com/kb/HT4628
Regards,
Jeremy -
User Default Mappings attribute "role" with condition "OR"
Hello,
we are using GRC 5.3 SP 8.1.
User default mappings with more than one "role" attribute and the condition "OR" don't seem to work. After provisioning no user parameters have changed in backend system. When I configure only one "role" with the condition "AND" everything works fine, request types are the same.
Any suggestions?
Thanks,
ManuelHallo Sirish,
thanks for this helpful answer.
In the note it says: "After upgrade from 5.2 to 5.3 SP08.1, the user defaults were not provisioned."
So this error only occurs when upgraded from 5.2 to 5.3 SP8.1 or is it a gnerally bug in SP 8.1?
I configured some new conditions in our test system and it worked. So in my opinion only the old configured user default mappings don't work because of the upgrade (???). I'm a little bit confused...
Regards,
Manuel Kunkel -
Log in with default username and password
Is there a way to create a pdf so that it automatically logs in with a default username and password so that the user is not prompted upon opening?
No, there is no way set a default user name and password, but as an alternative you can set your policy to be "Anonymous Access", meaning that there is no authentication (of the user) required to open the document, but you can still control (i.e. prevent printing) what the "anonymous" user can do to\with the document.
Regards
Steve -
Content area should be a white area/page with the first/default role
Hi All,
Pealse help me
When user logs in to the Portal, content area should be a white area/page with the first/default role
Thanks,
Jyothi.hi,
simple way, create a static HTML page with your company logo (or empty page) and upload to KM, assign it to existing Home role as a KM document iview that loads first.(make entry point - yes).
assign the role to everyone group with property -sort priority 10 for role (low compared to all other roles)
regards,
mahesh. -
Reality check -Help with MBP 13' purchase
Hello guys,
I live in a country without Apple store, all information I get is from the Internet.Hopefully someone could help me. I would like to know if it is worth buying 2011 13' macbook pro I need reality check. I'm a photographer and I use Aperture and CS5 photoshop every day. Will it work smoothly on MBP 13' 2011 ??
- I have 2006 15' MBP works very well, but a bug crawled into my LCD, and bugger died there nicely in the middle.
I would like to have, good future proof machine that would last another 5 years.
Core i5 or I7? I can not afford large ssd ( I need min. 500GB ssd ). In many forums, people talk about redesign in late 2011 ..etc.
Which model should i buy?I surprised nobody answered you yet. If your main goal is working with photography or photos, you should get the Macbook Pro 15" 2011 i7 model. The 13" MBP has a really low screen resolution compared to all other laptops these days 1200x800. The 15" model is 1440x900 in the stock configuration. The 13" does not have enough real estate on the screen to be useful for photo editing. Also, it lacks a discrete graphics card. You must rely solely on the Intel HD 3000 internal graphics.
If you get either 15" model, the cheaper one has an AMD HD 6490m discrete card and the high end model has the AMD HD 6750m. You can still use the Intel HD 3000 to save battery life, but the 15" models give you more pixels on the screen and much better graphics processing.
The new Intel HD 3000 is not bad, it is "good enough"... but "good enough" for now will be out of date "sooner than later". The 15 inch models provide much more flexibility and are much more future proof. I owned the original Core Duo Macbook in 2006 and it had the same 1280x800 resolution 5 years ago. It was never enough for serious work.
Also you could consider the 2011 Macbook Air if you only care about price and don't want the discrete graphics card. There is a 13" model with 1440x900 resolution and it has the option for i7 and comes standard with a 128GB or 256GB SSD on the top model. All models except the lowest end have 4GB of RAM standard too. -
How do I stop my mail from send out my e-mails with the mobile me acct instead of my default provider? I have checked the "use only this server" in my provider account.
There is no such option/setting on an iPhone to determine this. Whether you can view the attachment has more to do with your connection, WiFi or cellular, and the size of the attachment than anything else. There will be a paperclip indicating the message includes an attachment regardless if downloaded with the message or not. When connected to the cellular network, if an attachment is below a designated size the attachment will be downloaded automatically. If over a certain size, you must select the attached file icon in the body of the message to download the attachment. The size limit varies by carrier/provider.
Tell her you're gonna leave her out of the Will if she doesn't stop . -
How do I enable default failure audit and password policy checking?
Hi,
I am trying to install DPM 2012 R2, and on the requirements for SQL is : Use the following SQL Server settings:
default failure audit, and enable password policy checking
I have tried looking for them, but I can't find them.
How do I apply these settings?
Thanks .Hi,
I am trying to install DPM 2012 R2, and on the requirements for SQL is : Use the following SQL Server settings:
default failure audit, and enable password policy checking
I have tried looking for them, but I can't find them.
How do I apply these settings?
Thanks .
Simple way to enable login default failure audit is Right Click On SQL server instance in SQL Server management studio and select Properties then below page will occur. There are 2 options in Login auditing select appropriate one
for enabling policy please refer below links
Enforce windows password policy on SQL Server logins
Password Policy FAQ
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.
My TechNet Wiki Articles -
Pam.conf does not use ldap for password length check when changing passwd
I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
I have dsee 6.0 installed on a solaris 10 server (client).
I have a solaris 9 server (server) set up to use ldap authentication.
bash-2.05# cat /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= X, Y
NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_BIND_TIME= 10
bash-2.05# cat /var/ldap/ldap_client_cred
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
bash-2.05# cat /etc/nsswitch.conf
# /etc/nsswitch.ldap:
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
bash-2.05# cat /etc/pam.conf
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1 use_first_pass
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1 debug
other account required pam_projects.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
bash-2.05$ passwd
passwd: Changing password for VV
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
I am using the default policy on the directory server which states a minimum password length of 6 characters.
server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
pwd-accept-hashed-pwd-enabled : N/A
pwd-check-enabled : off
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 1d
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : off
pwd-lockout-duration : disabled
pwd-lockout-enabled : off
pwd-lockout-repl-priority-enabled : on
pwd-max-age : disabled
pwd-max-failure-count : 3
pwd-max-history-count : disabled
pwd-min-age : disabled
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : CRYPT
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : off
pwd-strong-check-require-charset : lower
pwd-strong-check-require-charset : upper
pwd-strong-check-require-charset : digit
pwd-strong-check-require-charset : special
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : off
Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
Edited by: ericduggan on Sep 8, 2008 5:30 AMyou can try passwd -r ldap for changing the ldap passwds...
-
When we perform this code :
alter user smith default role r1,r2;
Does this mean the only enabled role for smith are r1 and r2,if yes how about the others including the ones with passwords ? are they disabled now if yes do we have to use set role to enabled them ?
I'm a little bit confused .Any help would be thankful.Check the following link.
http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec01.htm#1005730 -
Connect to remote jmx with password
Hello,
now I�ve a problem to connect a remote jmx server with passord authentification. No idea why it does not work, here my configuration:
jmxremote.password:
================
# or specify another, less accessible file in the management config file
# as described above.
# Following are two commented-out entries. The "measureRole" role has
# password "QED". The "controlRole" role has password "R&D".
test test1
jmxremote.access
================
# Default access control entries:
# o The "monitorRole" role has readonly access.
# o The "controlRole" role has readwrite access.
test readwrite
This are my sys parameter:
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=9004"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.access.file=/home/tomcat/jmxremote.access"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.password.file=/home/tomcat/jmxremote.password"
The .access and .password file is on the correct place and there is no exception because of the file access rights. If I start the remote jconsole with -J-Djava.security.debug=all, this is the end:
jar:
jar: beginEntry com/sun/crypto/provider/SunJCE_i.class
jar: Manifest Entry: com/sun/crypto/provider/SunJCE_i.class digest=SHA1
jar: manifest d462e6ef45ec12081028cd7ccf922cc2ec553358
jar: computed d462e6ef45ec12081028cd7ccf922cc2ec553358
jar:
Cipher: Crypto Permission check failed
Cipher: granted: (CryptoPermission * 128)
Cipher: requesting: (CryptoPermission AES 256)
I�ve found already a solution for that and connect with jconsole with the url service:jmx:rmi:///jndi/rmi://hostname:9004/jmxconsole
Provider: Set SUN provider property [SecureRandom.SHA1PRNG ImplementedIn/Software]
Provider: Set SUN provider property [CertificateFactory.X.509 ImplementedIn/Software]
Provider: Set SUN provider property [KeyStore.JKS ImplementedIn/Software]
Provider: Set SUN provider property [CertPathValidator.PKIX ImplementedIn/Software]
Provider: Set SUN provider property [CertPathBuilder.PKIX ImplementedIn/Software]
Provider: Set SUN provider property [CertStore.LDAP ImplementedIn/Software]
Provider: Set SUN provider property [CertStore.Collection ImplementedIn/Software]
Provider: Set SUN provider property [CertStore.com.sun.security.IndexedCollection ImplementedIn/Software]
ProviderConfig: Loaded provider SUN version 1.6
Although there is no exception I am unable to connect to the remote jmx server...
Thx for any help!
Cheers,
Thilko
Edited by: smilie79 on Jan 17, 2008 1:53 AM
Edited by: smilie79 on Jan 21, 2008 2:51 AMHi,
You might need to specify explicitely -Dcom.sun.management.jmxremote.authenticate=true on the command line.
Hope this helps,
-- daniel
http://blogs.sun.com/jmxetc -
I swich to Oracle11g express and create user
CREATE USER LEO
IDENTIFIED BY xy
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 3 Roles for LEO
GRANT AUTHENTICATEDUSER TO LEO;
GRANT CONNECT TO LEO;
GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
ALTER USER LEO DEFAULT ROLE FER_ADMIN;
-- 1 System Privilege for LEO
GRANT CREATE SESSION TO LEO;
-- 1 Tablespace Quota for LEO
ALTER USER LEO QUOTA UNLIMITED ON USERS;
and after login i check
select * from SESSION_ROLES
and i have none role
if I set role all works fine.
Why I doesn't have DEFAULT ROLE after login.
Pleas for help .here is the solution
default roles and grants
Edited by: Leo Lakota on 4.10.2012 5:52
Maybe you are looking for
-
Itunes completely messed up...
i tried searching through threads to find this but no luck, so hopefully somewhere can answer or help me here. im having a MESS load of problems with my itunes since i reformatted my computer. i reinstalled the newest version many times, updated my i
-
how do i print envelopes using an existing excel spreadsheet?
-
How can I delete history and cookies without opening safari?
seems like I may have virus, a website keeps popping up and says I may have an infection and I am to call a number. If I close safari, when I reopen it that same website automatically opens up. I can't get to the menu to delete cookies or history as
-
Creating and ordering different cards in one go.
I want to order 4 Xmas cards, each with a different photo.( Made in PS) Aparently I have to create one by one, than order and pay transport for each one. Can one not order the 4 different cards together, and only pay once for transportation?
-
Just updated to iOS 8, iMessage and FaceTime not activating?
I own an iPhone 4s and recently updated my phone to iOS 8. Before, I was able to freely iMessage and FaceTime people without any problems. After updating, I am now not able to activate my iMessage or FaceTime at all. When turning on the iMessage, it