(rephrased...)

How do you manage 'application' database accounts that have to follow the same policy as regular login-capable user accounts?

We have many processes in our system that run unattended all the time, or as part of scheduled jobs, that need to access the database (Informix). These have been, up until now, nologin/noexpire accounts. We're now required to treat them as normal user accounts and have their passwords expire normally.

How do you manage/synchronize applications authenticating against the database when the credentials will at some point change?

We could generate a password based on the month, but since work is getting pushed through the system 24/7, that would likely lock out the account for too many failed attempts.

+1  A: 

Two questions:

  1. Are the applications (processes) running on the same machine as IDS?
  2. Are they run by a process with the application account ID, or are they run by some administrative user (such as 'root') and the connection to the database specifies user name and password?

The answers are important because if the process is running on the local machine (the same machine as IDS) and the program is running as the 'application user', then the connection does not require a password at all. So, the expiry/change of the passwords would not affect the database system at all.

If the applications are run on the same machine but are started by 'root', then an option is to modify the code that runs the applications so that where it now does:

run_application

in future it does:

su app_user -c run_application

User 'root', of course, is empowered to run things as other users without bothering with trivial details like passwords. You might have to modify the application to avoid connecting with user name and password, again.

If the applications are not run on the same machines as IDS, the options are trickier. There are ways to achieve this effect; you probably do not want to exercise them. (Contact me offline if you need details. I will need some more details from you, too. See my profile.)

Jonathan Leffler
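As an added example (not code from the answer), a POSIX sh wrapper for the "run it as the application account" approach described above: when the job is started by root it drops to the application account with su, when it is already that account it runs directly, and any other caller is refused, so no database password is stored in a script or passed on a command line. The names app_user and run_application are the answer's placeholders; that a local connection accepts the OS identity is the answer's claim, assumed here.

```sh
#!/bin/sh
# Added example, not code from the answer. Assumes the job runs on the IDS
# host and the application connects locally, so (as the answer states) the
# database accepts the OS user and no password is involved.

# launch_mode APP_USER CALLER_UID CALLER_NAME
# Prints how the job may be started: "direct" (caller already is the
# application account) or "su" (caller is root and drops privileges);
# fails for any other caller so a stray user cannot run the job.
launch_mode() {
    app_user=$1; caller_uid=$2; caller_name=$3
    if [ "$caller_name" = "$app_user" ]; then
        echo direct
    elif [ "$caller_uid" -eq 0 ]; then
        echo su
    else
        echo "refuse: $caller_name is neither root nor $app_user" >&2
        return 1
    fi
}

# run_as_app_user APP_USER 'command string'
# Start the command as APP_USER without handling a database password.
run_as_app_user() {
    app_user=$1; job=$2
    mode=$(launch_mode "$app_user" "$(id -u)" "$(id -un)") || return 1
    case $mode in
        direct) sh -c "$job" ;;
        # root may switch users without a password (the answer's su form).
        su)     su "$app_user" -c "$job" ;;
    esac
}

# Usage from root's crontab, with the answer's placeholder names:
# run_as_app_user app_user '/opt/jobs/run_application'
```

The application itself must then open a local connection without a user name and password, as the answer notes, otherwise the rotation problem simply moves into the program.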
We have a mixed environment, some are on the same machine as the IDS instance, some not.
hometoast