Subject | Re: [Firebird-Architect] Trusted authentication |
---|---|
Author | Alexandre Benson Smith |
Post date | 2006-02-10T15:34:19Z |
Alex Peshkov wrote:
> But if one needs to connect to the server with another credentials? Even
> MS is smart enough to let people connect to the server, using native
> login/password, if configured. With your suggestion any user with valid
> credentials can not login with another ones, but user without valid
> domain credentials - can. Or do you suggest to disable authentication
> via security database at all? This is very simple solution, but it's
> much desired to have reasonable MIXED mode.
>

Hi Alex,

Maybe I am just short-sighted, but if one wishes trusted authentication, I
think it should work this way: don't use the security.fb to validate
the user, just use the "network credentials".

If one wishes to log in to the database with different credentials, he will
need to logoff the current user and logon with the new one.

About the security database, it was a long time since I used MSSQL, but
I remember a tool to import the domain users to the database. I don't know
how to mimic it for FB; maybe if a valid user (after authentication by
the OS is ok) is not registered on security.fb it can be automagically
added (without any password of course). This user will then be able to
login, but since it has no grants it could not access any object on the
databases.

A MIXED mode is better of course, but is it needed? If so, for sure in
some way the API/protocol should be changed to accommodate the new flags
(I know it is what you are arguing); the tools (all the tools and
applications ever written) should be rewritten to take advantage of this
new feature. If we go the other way around (the way I suggested) no need
to change anything on applications, just a new message from the server
asking the client library to prove that he is whom it says.

Could it be a two phase implementation? The first phase FB has normal
authentication *or* trusted authentication, when the protocol will be
revised, when the API will be changed, when the plugin architecture will
be in place, etc. the second phase is implemented where FB has *any*
kind of authentication using plug-ins, and even more than one kind at once.

I am for a well implemented solution, for doing the thing right at once;
my main concern is that only new (adjusted and recompiled) tools will
get the benefit.

See you!

--
Alexandre Benson Smith
Development
THOR Software e Comercial Ltda
Santo Andre - Sao Paulo - Brazil
www.thorsoftware.com.br