Which authentication method would be used first?

In your database, the LDAP_DIRECTORY_SYSAUTH initialization parameter has been set
to YES and the users who need to access the database as DBAs have been granted
SYSDBA enterprise role in Oracle Internet Directory (OID). SSL and the password file have
been configured. A user SCOTT with the SYSDBA privilege tries to connect to the database
instance from a remote machine using the command:
$ SQLPLUS scott/tiger@DB01 AS SYSDBA
Where DB01 is the net service name.
Which authentication method would be used first?

A. authentication by password file
B. authentication by using certificates over SSL
C. authentication by using the Oracle Internet Directory
D. authentication by using the local OS of the database server


noe

D is wrong because that would need the connect string to be like
sqlplus / as sysdba

Next method in the priority order is password file

pan

If the database is configured to use a password file for remote authentication, Oracle Database checks the password file first before OID. Answer A looks to be correct.

spellblind

In order to use OID the parameter LDAP_DIRECTORY_ACCESS must be set to PASSWORD or SSL.

If you intend to use any of these strong authentication methods the initialization parameter LDAP_DIRECTORY_SYSAUTH must be set to YES. Its default is NO.

Eamon

Here is my interpretation ….

Connections with sysdba or sysoper privileges must always be authenticated. This is possible through
– OS authentication (i.e.) by assigning the appropriate OS group to the OS user.
– a password file.

If there is concern that the password file might be (is) vulnerable the(se) following strong authentication methods can be used with Oracle database 11g: If you intend to use any of these strong authentication methods (set) the initialization parameter LDAP_DIRECTORY_SYSAUTH must be set to YES. Its default is NO.

– Oracle Internet Directory (OID) grants for sysdba and sysoper; to use this, the LDAP_DIRECTORY_ACCESS init parameter must (also) be set to PASSWORD or SSL.
– Kerberos ticket server
– Secure Socket Layer (SSL) certificates (however SSL also requires a configuration of OID (Oracle Internet Directory))

As “spellblind” mentioned in his post …
In order to use OID the parameter LDAP_DIRECTORY_ACCESS must be set to PASSWORD or SSL.
i.e. C is wrong
As already mentioned SSL also requires OID, even though it says above SSL files have been configured (somewhat ambiguous)
i.e. B is wrong

As “noe” mentioned in his post …
D is wrong because that would need the connect string to be like
sqlplus / as sysdba
Next method in the priority order is password file
i.e. D is wrong

That just leaves A. If you look carefully at
https://docs.oracle.com/cd/E11882_01/network.112/e36292/authentication.htm#DBSEG003
you will see a piece of text in the section ….

Configuring Directory Authentication for Administrative Users

that says …

If the database is configured to use a password file for remote authentication, Oracle Database checks the password file first.

hmmmm still somewhat confused!!!
I think that this question is somewhat ambiguous

Eamon

After further consideration just look at
https://docs.oracle.com/cd/E11882_01/network.112/e36292/authentication.htm#DBSEG003

where you can see ….

Configuring Directory Authentication for Administrative Users
To configure directory authentication for administrative users:

Configure the administrative user by using the same procedures you would use to configure a typical user.

In Oracle Internet Directory, grant the SYSDBA or SYSOPER privilege to the user for the database that this user will administer.

Grant SYSDBA or SYSOPER only to trusted users. See “Guidelines for Securing User Accounts and Privileges” for advice on this topic.

Set the LDAP_DIRECTORY_SYSAUTH initialization parameter to YES:

ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH = YES;
When set to YES, the LDAP_DIRECTORY_SYSAUTH parameter enables SYSDBA and SYSOPER users to authenticate to the database by using a strong authentication method.

See Oracle Database Reference for more information about LDAP_DIRECTORY_SYSAUTH.

Set the LDAP_DIRECTORY_ACCESS parameter to either PASSWORD or SSL. For example:

ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = PASSWORD;
Ensure that the LDAP_DIRECTORY_ACCESS initialization parameter is not set to NONE. Setting this parameter to PASSWORD or SSL ensures that users can be authenticated using the SYSDBA or SYSOPER privileges through Oracle Internet Directory. See Oracle Database Reference for more information about LDAP_DIRECTORY_ACCESS.

Afterward, this user can log in by including the net service name in the CONNECT statement in SQL*Plus. For example, to log on as SYSDBA if the net service name is orcl:

CONNECT SOMEUSER@ORCL AS SYSDBA
Enter password: password
If the database is configured to use a password file for remote authentication, Oracle Database checks the password file first.
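To see how the parameters from that procedure combine on a running instance, and to confirm afterwards which method actually authenticated a session, here is a check script added to this thread (it is not from the Oracle documentation or from any poster). It assumes a SQL*Plus session already connected AS SYSDBA; the user name SCOTT and service name DB01 are taken from the question.

```sql
-- Added example: verify the configuration the question describes and
-- confirm which method authenticated the current session.
-- Run from a SQL*Plus session connected AS SYSDBA.

-- 1. The two directory parameters from the procedure, plus the parameter
--    that enables password-file authentication for remote SYSDBA logins.
--    Expected for the question's scenario: ldap_directory_sysauth = YES,
--    ldap_directory_access = PASSWORD or SSL (not NONE),
--    remote_login_passwordfile = EXCLUSIVE or SHARED (not NONE).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('ldap_directory_sysauth',
                'ldap_directory_access',
                'remote_login_passwordfile');

-- 2. Is SCOTT in the password file with SYSDBA?  If this row exists, a
--    remote "scott/tiger@DB01 AS SYSDBA" is checked against it before
--    OID is consulted, which is the precedence the quoted docs describe.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'SCOTT';

-- 3. After logging in as SCOTT AS SYSDBA, run this in that session to see
--    which method was really used: 'OS' means a local "/ as sysdba",
--    'SSL' means certificates, 'PASSWORD' covers both the password file
--    and a directory password.  ENTERPRISE_IDENTITY is NULL for a
--    password-file SYSDBA login and holds the OID DN for a directory
--    (enterprise) user, which tells the two PASSWORD cases apart.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS auth_identity,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS enterprise_identity
  FROM dual;
```

If query 3 returns auth_method = 'PASSWORD' with a NULL enterprise_identity for the remote SCOTT session, the password file was the method used first, matching answer A.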