Integrating Oracle usernames with AD

  • connect c##acct_admin
    alter session set container=XXX;
    alter user XXX identified globally as 'cn=xx,ou=XXX,ou=ORAC,ou=XXX,ou=XXX Users,dc=XX,dc=XX,dc=cn';

select username, external_name, account_status, lock_date, expiry_date, profile, last_login, password_change_date from dba_users where username='XX';

alter user XXX account unlock;

alter user XXX identified by XXX###;

When a user who logs in through AD is switched to password login, this needs to be executed; otherwise the password login does not work properly.

alter user XXX EXPIRE PASSWORD ROLLOVER PERIOD;

  • The GLOBALLY clause is used when the authentication is done by an external service, like Oracle Internet Directory. (AD)
    GLOBALLY Clause

    The GLOBALLY clause lets you create a global user. Such a user must be authorized by the enterprise directory service (Oracle Internet Directory).

    The directory_DN string can take one of two forms:

    • The X.509 name at the enterprise directory service that identifies this user. It should be of the form CN=username,other_attributes, where other_attributes is the rest of the user's distinguished name (DN) in the directory. This form creates a private global schema.

    • A null string (' ') indicating that the enterprise directory service will map authenticated global users to this database schema with the appropriate roles. This form is the same as specifying the GLOBALLY keyword alone and creates a shared global schema.

    The maximum length of directory_DN is 1024 characters.

    You can control the ability of an application server to connect as the specified user and to activate that user's roles using the ALTER USER statement.

Creating a Global User Example:

Creating a Global Database User: Example

The following example creates a global user. When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:

CREATE USER global_user
   IDENTIFIED GLOBALLY AS 'CN=analyst, OU=division1, O=oracle, C=US'
   DEFAULT TABLESPACE example
   QUOTA 5M ON example;

· Scott is authenticated by SSL and authorized by the enterprise directory service.

· The AS clause provides a string identifier (distinguished name -- DN) to the enterprise directory.

· Disadvantage: Scott must have a user account created in every database to be accessed as well as in the directory service.

Summary

Create user from dynamic SQL EXECUTE IMMEDIATE CREATE USER IDENTIFIED GLOBALLY failing:

Trying to execute a simple "create user ... IDENTIFIED GLOBALLY as ''" from dynamic SQL.

declare
  cn VARCHAR2(1000):='CN=user1,OU=Laptop Users,OU=Active Accounts,DC=int,DC=us,DC=oracle,DC=com';
begin
  execute immediate 'create user USER1 IDENTIFIED GLOBALLY as '||CHR(34)||cn||CHR(34)||' ;';
end;

declare
*
ERROR at line 1:
ORA-00972: identifier is too long
ORA-06512: at line 4

or

11.2.0.4 DB Error:
*
ERROR at line 1:
ORA-00911: invalid character
ORA-06512: at line 4

or

12.1.0.2 DB Error:
ERROR at line 1:
ORA-00922: missing or invalid option
ORA-06512: at line 4

Solution

Do not include ';' in the SQL statement executed through the EXECUTE IMMEDIATE command.

declare
  cn VARCHAR2(1000):='CN=user1,OU=Laptop Users,OU=Active Accounts,DC=int,DC=us,DC=oracle,DC=com';
begin
  execute immediate 'create user USER1 IDENTIFIED GLOBALLY as '||CHR(34)||cn||CHR(34);
end;
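
A hardened variant of the dynamic statement above, as an added example that is not from the original page: DDL cannot take bind variables, so the hypothetical procedure create_global_user validates the user name and DN with DBMS_ASSERT before concatenating them and enforces the 1024-character directory_DN limit. It assumes the single-quoted DN form used in the CREATE USER example earlier on the page.

```sql
-- Added example; create_global_user and its parameter names are hypothetical.
CREATE OR REPLACE PROCEDURE create_global_user (
   p_username IN VARCHAR2,   -- database user name to create
   p_dn       IN VARCHAR2    -- distinguished name of the user in the directory (AD)
) AUTHID CURRENT_USER        -- run with the caller's privileges, not the owner's
IS
   l_name VARCHAR2(32767);
   l_dn   VARCHAR2(32767);
   l_sql  VARCHAR2(32767);
BEGIN
   -- The page states that directory_DN may be at most 1024 characters.
   IF p_dn IS NULL OR LENGTH(p_dn) > 1024 THEN
      RAISE_APPLICATION_ERROR(-20001, 'directory DN must be 1 to 1024 characters');
   END IF;

   -- Accepts only a simple (plain or double-quoted) SQL name;
   -- anything else raises ORA-44003, so no extra clauses can be smuggled in.
   l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_username);

   -- Double embedded single quotes, then wrap the DN in single quotes.
   -- ENQUOTE_LITERAL raises an error if any quote is left unpaired.
   l_dn := DBMS_ASSERT.ENQUOTE_LITERAL(REPLACE(p_dn, '''', ''''''));

   -- No trailing ';' inside the string passed to EXECUTE IMMEDIATE.
   l_sql := 'CREATE USER ' || l_name || ' IDENTIFIED GLOBALLY AS ' || l_dn;
   EXECUTE IMMEDIATE l_sql;
END create_global_user;
/

-- Usage with the DN from the page's example.
BEGIN
   create_global_user(
      'USER1',
      'CN=user1,OU=Laptop Users,OU=Active Accounts,DC=int,DC=us,DC=oracle,DC=com');
END;
/
```

A user name or DN that carries extra SQL text fails validation before any DDL is executed, instead of being concatenated into the statement.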
