Pluggable and externally identified users without using remote authentication

Yesterday I was shocked to find a note on Metalink that recommends a huge security hole using a deprecated parameter:

2042219.1 : create user c##oracle identified externally + set remote_os_authent=true

This is extremely sad. It is such nonsense to recommend such a flaw. It makes me really angry 👿

Okay, for my readers I engineered a different approach.

First let’s create a common user on the CDB
alter system set os_authent_prefix='C##' scope=spfile;
create user c##user01 identified externally container=all;

Now, let’s create a proxy user for connecting to your pdb
create user c##pdb01 identified by *** container=all;
alter user c##pdb01 grant connect through c##user01 container=all;

Grant some privs
grant create trigger, alter session, create session to c##pdb01 container=all;
alter session set container=pdb01;
grant set container to c##pdb01 container=current;
grant set container to c##user01 container=current;

Grant additional privs if desired
alter session set container=pdb01;
grant create dimension to c##pdb01 container=current;

Create a logon trigger to switch to the right pluggable
create or replace trigger c##pdb01.tr
after logon on c##pdb01.schema
begin
execute immediate 'alter session set container=pdb01';
end;
/

Now your OS user user01 can connect to the database pdb01 using OS authentication:

sqlplus "[C##PDB01]"
SQL> select sys_context('USERENV','DB_NAME') DB_NAME from dual;

DB_NAME
--------------
PDB01
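
To confirm that the setup above is in place and that remote_os_authent is still off, the following query checks each piece in one pass. It is an added example, not part of the original post; it assumes the post's names (C##USER01, C##PDB01, trigger TR) and a DBA session in CDB$ROOT, and the PASS/FAIL labels are illustrative.

```sql
-- Added verification example (not from the original post).
-- Run as a DBA from CDB$ROOT. Each branch returns exactly one row.
select 'remote_os_authent is FALSE' as check_name,
       case when upper(max(value)) = 'FALSE' then 'PASS' else 'FAIL' end as result
  from v$parameter
 where name = 'remote_os_authent'
union all
-- os_authent_prefix must match the C## prefix required for common users
select 'os_authent_prefix is C##',
       case when upper(max(value)) = 'C##' then 'PASS' else 'FAIL' end
  from v$parameter
 where name = 'os_authent_prefix'
union all
-- the OS-authenticated account is a common user identified externally
select 'C##USER01 is common and identified externally',
       case when count(*) = 1 then 'PASS' else 'FAIL' end
  from dba_users
 where username = 'C##USER01'
   and authentication_type = 'EXTERNAL'
   and common = 'YES'
union all
-- the target account keeps its own password
select 'C##PDB01 is common and password-authenticated',
       case when count(*) = 1 then 'PASS' else 'FAIL' end
  from dba_users
 where username = 'C##PDB01'
   and authentication_type = 'PASSWORD'
   and common = 'YES'
union all
-- "grant connect through": C##USER01 may connect on behalf of C##PDB01
select 'C##PDB01 connects through C##USER01',
       case when count(*) = 1 then 'PASS' else 'FAIL' end
  from proxy_users
 where proxy = 'C##USER01'
   and client = 'C##PDB01'
union all
-- cdb_triggers spans all open containers, so the trigger is found
-- whichever container it was created in
select 'logon trigger C##PDB01.TR is enabled',
       case when count(*) >= 1 then 'PASS' else 'FAIL' end
  from cdb_triggers
 where owner = 'C##PDB01'
   and trigger_name = 'TR'
   and status = 'ENABLED';
```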