First, note the following from the Oracle documentation:
Operating system authentication takes precedence over password file authentication. If you meet the requirements for operating system authentication, then even if you use a password file, you will be authenticated by operating system authentication.
On most operating systems, authentication for database administrators involves placing the operating system username of the database administrator in a special group, generically referred to as OSDBA. Users in that group are granted SYSDBA privileges. A similar group, OSOPER, is used to grant SYSOPER privileges to users.
Operating system authentication takes precedence over password file authentication. Specifically, if you are a member of the OSDBA or OSOPER group for the operating system, and you connect as SYSDBA or SYSOPER, you will be connected with associated administrative privileges regardless of the username/password that you specify. If you are not in the OSDBA or OSOPER groups, and you are not in the password file, then attempting to connect as SYSDBA or as SYSOPER fails.
An important file here is the ORAPWD (password) file. The documentation says that if a user belongs to OSDBA, which is normally the case because we put the oracle OS user in the dba group when we create it, then that user can log in to the database even without an ORAPWD file, since OSDBA membership grants SYSDBA by default. A user who does not belong to OSDBA (the dba group) can instead be authenticated through the password file, the ORAPWD file; typical cases are remote authentication, or an OS user outside the dba group. Let's test it:
First make sure your LISTENER has a static registration for the service (the instance shows status UNKNOWN below):
Service "test" has 1 instance(s).
Instance "ora11g", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Then shut down the database with srvctl stop database -d ora11g, or just SHUTDOWN IMMEDIATE.
Now connect remotely, authenticating through the ORAPWD file:
SQL> connect sys/gelc123@ora11g as sysdba
Connected to an idle instance.
What happens if we remove the ORAPWD file?
[oracle@tasm dbs]$ mv orapwora11g orapwora11gbak
Connect again:
SQL> connect sys/gelc123@ora11g as sysdba
ERROR:
ORA-01031: insufficient privileges
Warning: You are no longer connected to ORACLE.
In the same way, let's create a user that is not in the dba group:
useradd lll
su - lll
Connect:
[lll@tasm ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Apr 15 09:07:44 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
Clearly this user is not in the dba group and cannot use operating system authentication. What if we try ORAPWD (password file) authentication instead?
[lll@tasm ~]$ sqlplus sys/gelc123 as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Apr 15 09:10:43 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
That fails too, because we just moved the ORAPWD file away. What if we restore it?
[root@tasm ~]# su - lll
[lll@tasm ~]$ sqlplus sys/gelc123 as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Apr 15 09:10:07 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to an idle instance.
SQL> exit
So the connection succeeds: although this user is not in the dba group, the ORAPWD file authenticates it.
Finally, a user in the dba group can of course connect, because membership in the dba group by itself confers SYSDBA.
[kkk@tasm ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Apr 15 09:13:11 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to an idle instance.
SQL>
To sum up:
1. Operating system authentication is implemented through operating system groups.
2. A user that is not in the dba group can be authenticated with the ORAPWD file.
3. If a user is both in the ORAPWD file and in the dba group, operating system authentication takes precedence.
4. Pay attention to the remote_login_passwordfile setting; see http://blog.itpub.net/7728585/viewspace-1262106/.
5. Any user that logs in AS SYSDBA is a SYSDBA-privileged user.
6. A user that is in neither the dba group nor the ORAPWD file gets an error when logging in AS SYSDBA.
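As an added example (not from the original post), a small POSIX shell audit of the two paths summarised above: which OS accounts get SYSDBA through the OSDBA group, and whether the password file is present for everyone else to fall back on. It assumes the OSDBA group is named dba and the password file is $ORACLE_HOME/dbs/orapw$ORACLE_SID, as on the test host above; the group and passwd file paths are parameters so it can also be run against copies.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: OSDBA group is
# "dba", password file is $ORACLE_HOME/dbs/orapw$ORACLE_SID (11g Linux defaults).

# List the members of the OSDBA group: explicit members from the group file
# plus accounts whose primary group in the passwd file is that group.
# Every account listed here connects with "/ as sysdba" regardless of the
# password file, and keeps doing so after the file is removed.
osdba_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    osdba_group=${3:-dba}
    gid=$(awk -F: -v g="$osdba_group" '$1 == g { print $3 }' "$group_file")
    [ -n "$gid" ] || return 1
    {
        # group line format: name:x:gid:member1,member2
        awk -F: -v g="$osdba_group" '$1 == g { gsub(",", "\n", $4); print $4 }' "$group_file"
        # passwd line format: name:x:uid:gid:gecos:home:shell
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | grep -v '^$' | sort -u
}

# True when the password file for the instance exists in the dbs directory.
# Without it, accounts outside the OSDBA group (and all remote SYSDBA logins)
# get ORA-01031, exactly as in the test run above.
pwfile_present() {
    [ -f "$1/orapw$2" ]
}

# Decide which path an account takes, mirroring the documented precedence:
# OS authentication first, then the password file, otherwise denied.
# (REMOTE_LOGIN_PASSWORDFILE is not read here; see item 4 above.)
auth_path() {
    user=$1; group_file=$2; passwd_file=$3; osdba_group=$4; dbs_dir=$5; sid=$6
    for m in $(osdba_members "$group_file" "$passwd_file" "$osdba_group"); do
        [ "$m" = "$user" ] && { echo "os-authentication"; return 0; }
    done
    if pwfile_present "$dbs_dir" "$sid"; then
        echo "password-file"
    else
        echo "denied (ORA-01031)"
    fi
}

# Usage on the live host:
#   osdba_members /etc/group /etc/passwd dba
#   auth_path "$USER" /etc/group /etc/passwd dba "$ORACLE_HOME/dbs" "$ORACLE_SID"
```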