Proxy user connection
A proxy connection allows you to connect to a database as one user account and operate with the access and privileges of a different account.
It is typically used to let other database users work through a database account that has the required privileges without sharing that account's password. For example, you can allow help desk support personnel to connect to the database using a "helpdesk" account that has the correct roles and privileges without sharing the password for this account with them.
There are two terms you need to know when setting up the proxy connection—proxy user and client user.
...
- `create user proxyuser_test identified by proxypassword` to create a database user account
- `grant create session to proxyuser_test` to grant the permission to create a session
- `alter user daticaltest grant connect through proxyuser_test` to enable the client user, which is the daticaltest account, to connect to the database using the proxy account.
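The following is an added example, not part of the original page, showing how to constrain, verify and revoke the proxy grant created above. It reuses the account names from this page; the role name `helpdesk_role` is hypothetical.

```sql
-- Added example. Account names come from this page;
-- helpdesk_role is a hypothetical role assumed to be granted to daticaltest.

-- 1. Restrict the proxy grant so that only one of the client user's roles
--    is active in sessions opened through the proxy account.
ALTER USER daticaltest
  GRANT CONNECT THROUGH proxyuser_test
  WITH ROLE helpdesk_role;

-- 2. Review every proxy grant in the database. Each row is a path by which
--    one account can act with another account's privileges.
SELECT proxy, client, authentication, flags
FROM   proxy_users
ORDER  BY proxy, client;

-- 3. Inside a proxy session (in SQL*Plus with password authentication:
--    CONNECT proxyuser_test[daticaltest]), confirm which identity is in
--    effect and which account authenticated.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_user,  -- DATICALTEST
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user       -- PROXYUSER_TEST
FROM   dual;

-- 4. List the roles actually enabled in the proxy session, to check that
--    the WITH ROLE restriction from step 1 is applied.
SELECT role FROM session_roles;

-- 5. Remove the proxy path when it is no longer needed.
ALTER USER daticaltest REVOKE CONNECT THROUGH proxyuser_test;
```

Querying `proxy_users` requires access to the data dictionary views, so run step 2 from a DBA account rather than from the proxy session.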
...
```
# The credential cache path must match default_ccache_name in krb5.conf
SQLNET.KERBEROS5_CC_NAME=/tmp/kerbcache
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF=/tmp/kerberos/krb5.conf
TRACE_LEVEL_CLIENT=16
SQLNET.KERBEROS5_CONF_MIT = TRUE
NAMES.DIRECTORY_PATH=(TNSNAMES)
```
NOTE: On Windows, use the following authentication services in sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
3. Example krb5.conf file
```
[libdefaults]
    default_realm = TEST.DATICAL.NET
    default_ccache_name = /tmp/kerbcache

[realms]
    TEST.DATICAL.NET = {
        kdc = test.datical.net
        admin_server = test.datical.net
    }

[domain_realm]
    .test.datical.net = TEST.DATICAL.NET
    test.datical.net = TEST.DATICAL.NET
```
...
```
kinit <ADusername>@TEST.DATICAL.NET

# example:
kinit jnew@TEST.DATICAL.NET
```
NOTE: For dblinks, you will need a forwardable ticket, so use kinit -f instead.
5. Set up a proxy connection with Kerberos
...