We have LDAP authentication at Customer site for users, but also use TD2 connection for internal accounts such as SYSDBA.
When the end user accounts are created, they have a default password assigned as required in the create user statement, but then we grant logon with NULL password to allow for LDAP authentication, i.e. GRANT LOGON ON ALL TO <UserId> WITH NULL PASSWORD;
An end user could log on with TD2 if the password is known that was assigned in the create user statement. Is there a way to disable TD2 logons for the end users only, allowing them to only log on with their LDAP password?
There is a way to do this by enabling the strong password profile settings.
Let me know if you need further details.
Do you want all the end users to connect through LDAP only while your internal users (such as SYSDBA) are allowed to connect through TD2? Are you trying to find a way to do this at the database server?
If they don't know the password, they can't use TD2 authentication. The issue is that someone could potentially authenticate via LDAP, then change their TD2 password, and they subsequently would be able to use TD2 successfully. But you can set a combination of password controls in the user profile that is impossible to satisfy, which will prevent the users from changing their TD2 password.
Require some combination of upper/lower case letters, digits, special characters but restrict max length to 1.
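A sketch of the profile described in the reply above, added here as an illustration and not posted by anyone in the thread. The profile name ldap_only_users and the user enduser1 are hypothetical, and the particular choice of a required digit plus a required special character is one assumed way to make a one-character password impossible.

```sql
-- Added example: names below are hypothetical placeholders.
-- A password of at most 1 character can never contain both a digit
-- and a special character, so no new TD2 password can satisfy the rules.
CREATE PROFILE ldap_only_users AS
  PASSWORD = (
    MINCHAR  = 1,
    MAXCHAR  = 1,      -- maximum length restricted to 1
    DIGITS   = 'R',    -- at least one digit required
    SPECCHAR = 'R'     -- at least one special character required
  );

-- Assign the profile to end users only; internal accounts such as
-- SYSDBA stay outside it and keep normal TD2 password rules.
MODIFY USER enduser1 AS PROFILE = ldap_only_users;

-- Check the effective password controls stored for the profile.
SELECT ProfileName, PasswordMinChar, PasswordMaxChar,
       PasswordDigits, PasswordSpecChar
FROM   DBC.ProfileInfoV
WHERE  ProfileName = 'ldap_only_users';

-- Audit: end users that are not yet covered by the profile.
SELECT UserName, ProfileName
FROM   DBC.UsersV
WHERE  ProfileName IS NULL
   OR  ProfileName <> 'ldap_only_users';
```

The audit query lists every account outside the profile, so internal accounts such as SYSDBA are expected to appear in it.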