RAD/SSO password synchronization for Forms on an OID registered database
We have 10g Rel 2 App Server and a 10g database registered with OID, so that no passwords are stored on the database as such. While users exist on the database, they are "identified globally", and thus have to exist as a valid SSO user, with the SSO password used to authenticate them to the database. This works with SQL*Plus. With Forms/Reports, however, it still requires a RAD with a username, password, and database (tnsnames) specified. We create the user on the database with the same username as the SSO username. We allow the users to create their own RAD by allowing DynamicResourceCreate in the formsweb.cfg file.
A new user is set up using OIDDAS and the initial password is set to 'changeit'. The password policy in OID is set to force the user to change the password on next login. We then create a database user with the same name, identified globally. We then send the user the URL to the App Server with instructions to change the password from 'changeit' to a password of their choosing. When they complete the password change and authenticate in SSO, they may or may not have to download JInitiator, and then the Create RAD screen appears, where they enter their username, password (their newly chosen SSO password) and a database (i.e. prod). They are then allowed into Forms with the initial screen specified in the config section of formsweb.cfg.
Now, if a user forgets a password, we would go into OIDDAS, set the password to 'changeit' and delete the RAD. This allows the user to basically replicate the new user procedure described above.
We are worried about password expiration in OID, in that the user will be asked to choose a new SSO password, but the RAD password would continue to be set to the old SSO password. I think the easiest way to handle this now is to turn password expiration off and wait for Forms 11, which is supposedly going to have proxy authentication. But assuming that won't pass muster with management, is there a way, using DBMS_LDAP or something similar, to access the SSO password and then set the RAD password to that when a password expiration occurs?
Thanks in advance.
Phil McDermott