Subject Re: User name SYSDBA
Author johnson_dave2003
--- In, "Roman Rokytskyy"
<rrokytskyy@a...> wrote:
> > Here's an option that has not been discussed in any depth yet.
> The approach you suggest was discussed last year in this group. The
> decision was made to go for pluggable authentication modules (PAM)
> that would allow authentication using LDAP, AD, NDS, etc. See the

I'll have to review it.

> As to the authorization using LDAP server... I'm not sure that I
> understood you right when you talk about LDAP being used for
> authorization too. Do you consider Firebird to ask for a permission
> each time a SQL statement is executed? If that's the case, I think
> this will lead to an extreme performance degradation.
> Roman

If an LDAP-like system (or an LDAP implementation) were embedded in
the Firebird engine, then the performance degradation would be

The authorization does not have to be implemented at the crude level
of querying on every statement. RACF, for example, ties all of the
authorizations to the user session at connect time. When you
disconnect and reconnect, you get your new authorities. It would
increase the memory requirements of a connection, and the time to
connect/disconnect, but it does not have to impact every statement.

The Pluggable Module is a good mechanism because it allows the
implementation DBA to choose the tradeoff between security model and