Subject RE: [IB-Architect] Re: SQL names for user and role
Author Larry Carter
Sure,

Just a quick set of basics for those who don't
know. Also, keep in mind that I am little more than a
beginner with Directory Services, so if anyone knows
more or sees an error, please speak up.

The whole concept of Directory Services (however
they are implemented) is to provide a centralized
authority for all the "things" in your network. The
directory is exactly what it sounds like, a directory
that holds information. It is hierarchical in nature and
can contain *any* info you want because the schema is
extendable. The X.500 standard is the foundation for
all commercial and open DS implementations as far as I
know.

The simplest example is basic authentication
(though DS goes way beyond this capability). Right
now, for example, let's say you have an OS called OLD_OS
that is running a database called OLD_DB. Let us
assume that OLD_OS does not have a DS implementation
therefore, it maintains a standard access control list
(i.e. like /etc/passwd). The database in turn has its
own ACL for users to access it including all their
access info levels etc.

Now, enter NEW_OS that has an X.500 based DS and
NEW_DB that is DS aware. Now instead of maintaining
two separate ACLs (really, directories), you have
just one that is centric to the OS. When the DB is
installed it extends the schema to include all the DB
access settings that would be available. Now, the
Admin goes to the Directory with one admin tool and
can deal with all aspects of the user's account
including their DB access.

This is a rather simplistic example, but it is
sufficient for our purposes. Extending the schema is
optional. MS SQL Server still maintains security
levels on objects locally, but it gets authentication
information via the user's login to the domain (i.e.
Active Directory).

This is nothing really special, and can be done
without a DS (I believe IB/FB actually does do this
now on UNIX does it not). But the really good stuff
happens when we look at doing a schema extension
including admin extension tools. On ADS, this is
provided via MMC snap-ins. Other OSes I am not really
sure about though I am starting to learn about their
DS implementations. I have OpenLDAP installed on one
of my Linux boxes and I just installed Netware 5 on
another system yesterday to get familiar with NDS.

And again, AFAIK, these are all based on X.500/LDAP
which is a pretty straightforward spec (at least the
basic LDAP level which is what everyone writes to).

Have no doubt that this is a fair amount of work and
I do not suggest it just off hand or with any
expectations. As a matter of fact, I will volunteer
right now to pick up the gauntlet on this one! It
will take me a while to get up to speed with even how
the current IB/FB security system works especially
since I really don't like C and am not real good at
it. Since I have not yet been committed to anything
specific on FB perhaps this would be a good place???
I welcome comments! Ann, Jim, Helen, Jason, etc.???

Larry
--- "Leyne, Sean" <InterbaseArchitecture@...>
wrote:
> Larry,
>
> Could you expand on the role of Directory Services
> for SQL Server?
>
> I don't know anything about the DS model and how it
> might extend to
> tables/object within a SQL DBMS, and I suspect I'm
> not alone.
>
> Thanks
>
>
> Sean
>
>
> -----Original Message-----
> From: Larry Carter [mailto:lcarter_97132@...]
>
> Sent: Wednesday, April 25, 2001 4:09 PM
> To: IB-Architect@yahoogroups.com
> Subject: Re: [IB-Architect] Re: SQL names for user
> and role
>
> I have been following this thread somewhat and
> wanted
> to throw out a small idea. If this has already been
> discussed in the past then forgive me for the wasted
> bandwidth.
>
> I don't know what the SQL92/99 spec says, but what
> about Directory Services capabilities as a security
> level option for Firebird? Base LDAP would probably
> be sufficient I would think. This would give users
> the option of DB Server level security or DS based
> security. Most of the ROLES aspects etc. wouldn't
> have to change since we don't necessarily have to
> extend the schema just use it for base
> authentication
> (i.e. OS user level).
>
> I am fairly new to Directory Services with M$ ADS
> where I have started but they are way cool. We use
> ADS for our authentication to MS SQL Server and I
> would never go back to DB level security again.
>
> Just a thought.
> Larry
>
>

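As an added illustration of the split proposed in this thread (not code from the thread or from Firebird): the database hands *authentication* to the directory, via an LDAP-style simple bind against the user's DN, while *authorization* (SQL roles and object grants) stays in the database's own tables unchanged. The directory, DN layout and user entries below are a constructed in-memory stand-in, not a real LDAP client.

```python
import hashlib
import hmac

# Constructed stand-in for an LDAP server: DN -> attributes.
# Passwords are stored SSHA-style (SHA-1 over password+salt, salt appended),
# so the database never holds or sees a password at all.
def _ssha(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(password.encode() + salt).digest() + salt

_SALT = b"\x01\x02\x03\x04"  # constructed fixed salt for the sample entries
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"userPassword": _ssha("s3cret", _SALT)},
    "uid=bob,ou=people,dc=example,dc=org": {"userPassword": _ssha("hunter2", _SALT)},
}

def simple_bind(dn: str, password: str) -> bool:
    """Model of an LDAP simple bind: true only if the entry exists and the
    presented password hashes to the stored value (constant-time compare)."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    stored = entry["userPassword"]
    salt = stored[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(stored, _ssha(password, salt))

# The database's own security model, kept local exactly as before;
# only the password column has disappeared.
DB_ROLES = {"alice": {"ACCOUNTING"}}          # SQL user -> roles
ROLE_GRANTS = {"ACCOUNTING": {("SELECT", "INVOICES"), ("INSERT", "INVOICES")}}

def db_login(user: str, password: str) -> set:
    """Authenticate against the directory, then load DB-local roles.
    Raises PermissionError if the bind fails; returns an empty set when the
    directory accepts the user but the database has granted no role."""
    dn = f"uid={user},ou=people,dc=example,dc=org"   # assumed DN layout
    if not simple_bind(dn, password):
        raise PermissionError("directory rejected credentials")
    return set(DB_ROLES.get(user, ()))

def may(user: str, password: str, privilege: str, obj: str) -> bool:
    """Full check: directory authentication, then local role-based grant."""
    try:
        roles = db_login(user, password)
    except PermissionError:
        return False
    return any((privilege, obj) in ROLE_GRANTS.get(r, ()) for r in roles)
```

Note that bob authenticates successfully but holds no database role, so every object check for him fails: the directory decides who you are, the database still decides what you may touch.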

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/