Subject: Re: authentication issue
Author: Bill Karwin
> > What if a user wants different passwords in different
> > applications?
>
> Right, we've seen this request periodically on the InterBase list. For
> instance, I recently read a question from a fellow who wanted SYSDBA to
> have different passwords to access different databases.

As I wrote this, I realized a detail about integrating authentication
schemes to external authentication: what if there is no user SYSDBA in the
external authentication directory?

Here's my proposal for how to handle this, for the sake of discussion:

Each plugin would have to identify one or more user IDs to grant privileges
equal to the traditional SYSDBA user.

So for example, an NIS+ plugin would authenticate your user/password and
then if your username is literally "root" you are flagged as a superuser and
you can do all the things that SYSDBA would be able to do.

For ADS, the plugin would do the same thing for "Administrator" or perhaps
any user in the "Administrators" group. For NDS, a different scheme could
be used.

One could even design an authentication plugin that takes a list of
authorized superuser names (or groups) from the InterBase server
configuration repository. So there would be some way of specifying, "for
Alias 'inventory.gdb', use ADS authentication against the directory server
'msslug.mycompany.com', and the following list of users are authorized as
superusers: ('Administrator', 'Administrateur', 'bkarwin')".

Everywhere in the server code that treats SYSDBA differently would have to
instead test a flag in the current user's authentication data.

The next question is: how does one become authorized with the privilege of
modifying the InterBase configuration repository? :-)

Bill Karwin
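
The proposal in this message, sketched as an added example that is not part of the original post and is not InterBase code: each alias carries its own superuser list, and server code tests a flag in the session's authentication data instead of the name SYSDBA. The class and function names, the second alias, and the in-memory directory are hypothetical; only the 'inventory.gdb' values come from the message.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AliasPolicy:      # hypothetical entry in the server configuration repository
    plugin: str
    directory_server: str
    superusers: frozenset = frozenset()
    supergroups: frozenset = frozenset()

@dataclass(frozen=True)
class AuthContext:      # per-connection data consulted instead of the name SYSDBA
    user: str
    alias: str
    is_superuser: bool

# Constructed configuration; the first entry uses the values quoted in the message.
CONFIG = {
    "inventory.gdb": AliasPolicy("ADS", "msslug.mycompany.com",
        superusers=frozenset({"Administrator", "Administrateur", "bkarwin"})),
    "payroll.gdb": AliasPolicy("ADS", "msslug.mycompany.com",
        supergroups=frozenset({"Administrators"})),
}

# Constructed stand-in for the external directory: user -> (password, groups).
DIRECTORY = {
    "bkarwin": ("pw-bkarwin", set()),
    "alice": ("pw-alice", {"Administrators"}),
    "SYSDBA": ("pw-sysdba", set()),
}

def authenticate(alias, user, password):
    """Return an AuthContext, or None if the alias is unknown or credentials fail."""
    policy = CONFIG.get(alias)
    entry = DIRECTORY.get(user)
    if policy is None or entry is None:
        return None     # fail closed
    stored, groups = entry
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    # Exact, case-sensitive name matching is an assumption of this sketch.
    is_super = user in policy.superusers or bool(policy.supergroups & groups)
    return AuthContext(user, alias, is_super)

def require_superuser(ctx):
    """What a former hard-coded SYSDBA name test would call instead."""
    if ctx is None or not ctx.is_superuser:
        raise PermissionError("superuser privilege required")
    return True
```

A directory account that happens to be named SYSDBA gets no privilege here unless the alias lists it, and the same user can be a superuser for one alias and an ordinary user for another.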