Firebird 2.1 Release Notes → Security → Using Windows Security to Authenticate Users
(V.2.1) From Firebird 2.1 onward, Windows “Trusted User” security can be applied for authenticating Firebird users on a Windows host. The Trusted User's security context is passed to the Firebird server and, if Windows authentication succeeds, it is used to determine the Firebird security user name.
Simply omitting the user and password parameters from the DPB/SPB will automatically cause Windows Trusted User authentication to be applied, in almost all cases. See the Environment section, below, for exceptions.
Illustration
Suppose you have logged in to the Windows server SRV as user 'John'. If you connect to server SRV with isql, without specifying a Firebird user name and password:

isql srv:employee

and do:

SQL> select CURRENT_USER from rdb$database;

you will get something like:

USER
====================================================
SRV\John
Windows users can be granted rights to access database objects and roles in the same way as regular Firebird users, emulating the capability that has always been available to users of Unix- and Linux-hosted Firebird databases.

If a local Administrator or a member of the built-in Domain Admins group connects to Firebird using trusted authentication, he/she will be connected as SYSDBA.
The new parameter Authentication has been added to firebird.conf for configuring the authentication method on Windows. Possible values are:

Native
Provides full compatibility with previous Firebird versions, avoiding trusted authentication.

Trusted
The Security database is ignored and only Windows authentication is used. In some respects, on Windows this is more secure than Native, in the sense that it is no less and no more secure than the security of the host operating system.

Mixed
This is the default setting.
Environment

To retain the legacy behaviour, when the ISC_USER and ISC_PASSWORD variables are set in the environment, they are picked up and used instead of trusted authentication. Trusted authentication can be coerced to override the environment variables if they are set; refer to the notes below.
For the situation where trusted authentication is needed and there is a likelihood that ISC_USER and ISC_PASSWORD are set, there is a new DPB parameter that you can add to the DPB: isc_dpb_trusted_auth.

Most of the Firebird command-line utilities support this parameter by means of the switch -tru[sted] (the abbreviated form is available, according to the usual rules for abbreviating switches).

The qli and nbackup utilities do not follow the pattern: they use single-letter switches that are somewhat arcane. The switch of interest for qli is -K. For nbackup, watch this space: the facility to force trusted authentication is yet to be implemented for it.
Example

C:\Pr~\bin>isql srv:db              -- log in using trusted authentication

C:\Pr~\bin>set ISC_USER=user1

C:\Pr~\bin>set ISC_PASSWORD=12345

C:\Pr~\bin>isql srv:db              -- log in as 'user1' from environment

C:\Pr~\bin>isql -trust srv:db       -- log in using trusted authentication
Windows rules for full domain user names allow names longer than the maximum 31 characters allowed by Firebird for user names. The 31-character limit is enforced and, from V.2.1, logins passing longer names are disabled. This will remain the situation until the mapping of OS objects to database objects is implemented in a later Firebird version.
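The precedence rules spread across the Environment notes, the Example and the 31-character limit above are easy to misread, so here is an added example (not part of the Firebird 2.1 release notes and not Firebird code) that models them as a pure-Python decision function. It assumes the three firebird.conf values Native, Trusted and Mixed; the names resolve_login, ConnectRequest, WindowsContext and LoginResult are this example's own, and the sample environment and account values are constructed to mirror the Example.

```python
# Added example, not part of the Firebird 2.1 release notes: a pure-Python model
# of the login-resolution rules described in this section, so the outcome of a
# given combination of firebird.conf setting, DPB contents, environment and
# Windows account can be checked without a server.  The function and class
# names (resolve_login, ConnectRequest, WindowsContext, LoginResult) are this
# example's own; the constructed sample inputs mirror the Example above.
from dataclasses import dataclass
from typing import Mapping, Optional

MAX_USER_NAME = 31  # Firebird's limit on user-name length, enforced from V.2.1


@dataclass(frozen=True)
class ConnectRequest:
    """What the client put in the DPB."""
    dpb_user: Optional[str] = None      # isc_dpb_user_name, if supplied
    dpb_password: Optional[str] = None  # isc_dpb_password, if supplied
    trusted_auth: bool = False          # isc_dpb_trusted_auth present (-tru[sted])


@dataclass(frozen=True)
class WindowsContext:
    """The OS identity of the connecting process (constructed for the example)."""
    account: str            # e.g. "SRV\\John" as Windows reports it
    is_admin: bool = False  # local Administrator or member of Domain Admins


@dataclass(frozen=True)
class LoginResult:
    method: str          # "native" (security database) or "trusted" (Windows)
    user: Optional[str]  # CURRENT_USER the server would report; None if refused
    reason: str


def _trusted(win: WindowsContext) -> LoginResult:
    """Apply the trusted-authentication rules from the notes above."""
    if len(win.account) > MAX_USER_NAME:
        return LoginResult("trusted", None,
                           "Windows name exceeds 31 characters; login disabled in V.2.1")
    if win.is_admin:
        return LoginResult("trusted", "SYSDBA",
                           "local Administrator or Domain Admins member maps to SYSDBA")
    return LoginResult("trusted", win.account, "Windows security context accepted")


def resolve_login(authentication: str, req: ConnectRequest,
                  env: Mapping[str, str], win: WindowsContext) -> LoginResult:
    """Decide which path a connection takes for a given Authentication setting.

    authentication: the firebird.conf value, one of Native, Trusted or Mixed.
    env: the client's environment (only ISC_USER / ISC_PASSWORD matter here).
    """
    setting = authentication.lower()
    if setting not in ("native", "trusted", "mixed"):
        raise ValueError(f"unknown Authentication value: {authentication!r}")

    have_dpb_creds = req.dpb_user is not None and req.dpb_password is not None
    have_env_creds = "ISC_USER" in env and "ISC_PASSWORD" in env

    if setting == "trusted":
        # Security database ignored: credentials in the DPB make no difference.
        return _trusted(win)

    # Native and Mixed both honour explicit DPB credentials first.
    if have_dpb_creds:
        return LoginResult("native", req.dpb_user, "user name and password from DPB")

    if setting == "native":
        if have_env_creds:
            return LoginResult("native", env["ISC_USER"],
                               "ISC_USER/ISC_PASSWORD from environment")
        return LoginResult("native", None,
                           "no credentials; trusted authentication disabled by Authentication = Native")

    # Mixed: legacy behaviour picks up the environment variables unless the
    # client coerces trusted authentication with isc_dpb_trusted_auth.
    if have_env_creds and not req.trusted_auth:
        return LoginResult("native", env["ISC_USER"],
                           "ISC_USER/ISC_PASSWORD from environment")
    return _trusted(win)


def example_session() -> list:
    """Replay the command sequence from the Example above under Mixed (the default)."""
    john = WindowsContext(account="SRV\\John")
    env_before = {}
    env_after = {"ISC_USER": "user1", "ISC_PASSWORD": "12345"}  # constructed, as in the Example
    return [
        resolve_login("Mixed", ConnectRequest(), env_before, john),                  # isql srv:db
        resolve_login("Mixed", ConnectRequest(), env_after, john),                   # isql srv:db after set
        resolve_login("Mixed", ConnectRequest(trusted_auth=True), env_after, john),  # isql -trust srv:db
    ]


if __name__ == "__main__":
    for result in example_session():
        print(f"{result.method:8} {str(result.user):10} {result.reason}")
```

Running the script reproduces the three outcomes of the Example: trusted login as SRV\John, then native login as user1 once the environment variables are set, then trusted login again when -trust adds isc_dpb_trusted_auth. The model also shows the two cases a deployment review should check explicitly: an administrator account arriving as SYSDBA, and a domain name longer than 31 characters being refused rather than truncated.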