Pluggable and externally identified users without using remote authentication

Yesterday I was shocked to find a note on metalink that recommends a huge security hole using a deprecated Parameter

2042219.1 : create user c##oracle identified externally + set remote_os_authent=true

This is extremly sad. It is such a non-sense to recommend such a flaw. It makes me really angry 👿

Okay, for my readers I engineered a different approach

First let’s create a common user on the CDB
alter system set os_authent_prefix='C##' scope=spfile;
create user c##user01 identified externally container=all;

Now, let’s create a proxy user for connecting to your pdb
create user c##pdb01 identified by *** container=all;
alter user c##pdb01 grant connect through c##user01 container=all;

Grant some privs
grant create trigger, alter session, create session to c##pdb01 container=all;
alter session set container=pdb01;
grant set container to c##pdb01 container=current;
grant set container to c##user01 container=current;

Grant additional privs if wished
alter session set container=pdb01;
grant create dimension to c##pdb01 container=current;

Create a logon trigger to switch to the right pluggable
create or replace trigger c##pdb01.tr
after logon on c##pdb01.schema
begin
execute immediate 'alter session set container=pdb01';
end;
/

Now you can, for your user user01, connect to the database pdb01 using OS authentication

sqlplus "[C##PDB01]"
SQL> select sys_context('USERENV','DB_NAME') DB_NAME from dual;

DB_NAME
--------------
PDB01

By Laurent Schneider

Oracle Certified Master

Leave a comment

Your email address will not be published.