02-28-2013 01:34 AM
We are planning for a centralized authentication for our HP-UX and Linux servers through LDAP using the OID (Oracle Internet Directory) integrated with our Microsoft Active Directory.
To enable this we need to convert our systems to untrusted mode as in trusted mode long usernames are not supported.
We are planning to centralize only the system/DB administrators' and operators' user-ids; the service accounts used for application installation will remain local to the individual server.
We want to know whether there will be any impact on the applications like Oracle Databases, Oracle E-Business Suite, Oracle Apps servers etc. installed on these servers.
What will be the overall impact in converting a server from trusted mode to untrusted mode on a production environment?
02-28-2013 01:28 PM
The biggest negative to disabling trusted mode is that your hashed passwords will now be visible in the /etc/passwd file for those accounts you are keeping local.
Since /etc/passwd must be readable by everyone, that is a very bad idea. Someone could potentially grab the passwd file, take it home, and start running programs like John The Ripper or Crack or other things to try to discover passwords.
03-01-2013 01:52 AM
How about switching to shadow password mode? That would fix the weakness of having the local password hashes visible in /etc/passwd.
As far as I know, most Oracle products you mentioned would tend to have their own built-in authentication systems, instead of relying on system passwords. So the impact to applications from the trusted -> non-trusted (-> shadow?) transition should be minimal or non-existent.
Just remember that a transition from trusted to non-trusted mode will truncate the stored password hashes so that only the first 8 characters of the stored passwords are retained. So if the user has more than 8 characters in his/her password, there might be some issues. (Usually the non-trusted mode will simply ignore any characters after the 8th when checking a password, but there might be some special snowflake software that insists on exact match.)
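The two concerns raised in the replies above (hashes landing in the world-readable passwd file once trusted mode is off, and the legacy 13-character DES crypt(3) hashes that only cover the first 8 characters of a password) can both be checked with a small audit script. The following is an added example, not code from the original thread or from HP; it works on constructed sample passwd/shadow content embedded below (the hashes are made up, not real credentials), and it treats "before and after pwconv" as the shadow-password transition the thread is discussing. The functions read the file to check on stdin so they can be pointed at /etc/passwd or /etc/shadow directly.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits passwd/shadow
# content for the two problems discussed above:
#   1. real password hashes sitting in the world-readable passwd file, and
#   2. legacy 13-character DES crypt(3) hashes, which only encode the
#      first 8 characters of the password.
# All sample data below is constructed for this example.

# Print, space-separated, the accounts whose second field holds an actual
# hash instead of a placeholder ("x", "*", "!", "!!", or empty).
# Reads passwd-format lines on stdin.
exposed_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
                 names = names (names == "" ? "" : " ") $1
             }
             END { print names }'
}

# Print, space-separated, the accounts whose hash is classic DES crypt(3):
# exactly 13 characters drawn from [./0-9A-Za-z] and no "$id$" prefix.
# Works on passwd or shadow input; locked and placeholder entries are skipped.
des_hashes() {
    awk -F: 'length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/ {
                 names = names (names == "" ? "" : " ") $1
             }
             END { print names }'
}

# Exit status helper for scripting: 0 when the passwd input carries no hashes.
passwd_is_clean() {
    [ -z "$(exposed_hashes)" ]
}

# Constructed sample: a host just converted from trusted to untrusted mode,
# before shadow passwords are enabled. Local accounts still carry hashes;
# the centralized operator account (opsadm) only has "x".
SAMPLE_PASSWD_NOSHADOW='root:abJnggxhB/yWI:0:3::/:/sbin/sh
oracle:$1$Xk4Tq9Bz$h1Qm7Lp0vJ2sR8cN4yWfA/:101:101:Oracle owner:/home/oracle:/usr/bin/sh
applmgr:abCdEfGhIjKlM:102:102:EBS owner:/home/applmgr:/usr/bin/sh
daemon:*:1:5::/:/sbin/sh
opsadm:x:103:103:Operator (LDAP):/home/opsadm:/usr/bin/sh'

# Constructed sample: the same host after pwconv moved the hashes to shadow.
SAMPLE_PASSWD_SHADOWED='root:x:0:3::/:/sbin/sh
oracle:x:101:101:Oracle owner:/home/oracle:/usr/bin/sh
applmgr:x:102:102:EBS owner:/home/applmgr:/usr/bin/sh
daemon:*:1:5::/:/sbin/sh
opsadm:x:103:103:Operator (LDAP):/home/opsadm:/usr/bin/sh'

# Constructed sample shadow file for the converted host. root and applmgr
# still have DES hashes (8-character limit); oracle has an MD5-crypt hash.
SAMPLE_SHADOW='root:abJnggxhB/yWI:15764:::::
oracle:$1$Xk4Tq9Bz$h1Qm7Lp0vJ2sR8cN4yWfA/:15764:::::
applmgr:abCdEfGhIjKlM:15764:::::
daemon:*:15764:::::
opsadm:!!:15764:::::'

# Stand-alone run: report on each sample.
printf 'passwd (no shadow), hashes exposed: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PASSWD_NOSHADOW" | exposed_hashes)"
printf 'passwd (shadowed),  hashes exposed: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PASSWD_SHADOWED" | exposed_hashes)"
printf 'shadow, DES hashes (8-char limit):  %s\n' \
    "$(printf '%s\n' "$SAMPLE_SHADOW" | des_hashes)"
```

On a real host, run `exposed_hashes < /etc/passwd` as any user (it only needs the world-readable file) and `des_hashes < /etc/shadow` as root; accounts listed by the second check are the ones whose passwords were cut to 8 characters by the trusted-to-untrusted conversion and should be reset once shadow mode and a longer hash format are in place.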