[firebird-support] Howto use Active Directory for authentication?
Hi,

I have been asked to use Active Directory for authorization of users of an app which uses Firebird. I'm a total newbie when it comes to AD so I have some questions...

First, do I understand it right that in order to use AD the Firebird server must be installed onto the domain controller server? Or is it possible to use Linux as a DB server and still use AD for user authorization? Or some other win server than the DC server?

Second, user management, how do you associate a user with a role? I assume admin must issue GRANT rolename TO SRV\usrname; for each user and then when connecting this role is automatically used (ie no need to specify role when connecting when using AD to auth users). Is this correct? What happens when a user has been granted multiple roles?

Third, how to use AD with UIB components. The README.trusted_authentication.txt says "To use Windows trusted authentication, do not put user and password parameters in DPB/SPB." I assume just leaving TUIBDatabase's Username and Password properties empty when connecting will trigger trusted authentication (assuming FB is configured to use AD)?

BTW using Firebird 2.5, app is written in Delphi 2010.

TIA
ain
Re: [firebird-support] Howto use Active Directory for authentication?
> I have been asked to use Active Directory for authorization of users of an app which uses Firebird. I'm a total newbie when it comes to AD so I have some questions... First, do I understand it right that in order to use AD the Firebird server must be installed onto the domain controller server? Or is it possible to use Linux as a DB server and still use AD for user authorization? Or some other win server than the DC server?

Linux is out of question here. Windows Authentication works only when connecting to a Firebird server running on Windows. You don't necessarily need to install the Firebird server on a DC.

> Second, user management, how do you associate a user with a role? I assume admin must issue GRANT rolename TO SRV\usrname;

Right. Don't forget to use delimited identifiers (""), e.g.:

GRANT rolename TO "SRV\usrname";

It's getting a bit problematic in respect to the length though, because like any other database object, SRV\usrname can't exceed 31 characters either. So, if you have longish domain and/or user names, you might hit that limit.

> for each user and then when connecting this role is automatically used (ie no need to specify role when connecting when using AD to auth users). Is this correct? What happens when a user has been granted multiple roles?

Don't mix up Firebird roles with e.g. the group mechanism on Windows. You have to explicitly provide the desired role name at connect time, so per connection, a connected user can only work in the context of a single role.

> Third, how to use AD with UIB components. The README.trusted_authentication.txt says "To use Windows trusted authentication, do not put user and password parameters in DPB/SPB." I assume just leaving TUIBDatabase's Username and Password properties empty when connecting will trigger trusted authentication (assuming FB is configured to use AD)?

Correct.

--
With regards,
Thomas Steinmaurer (^TS^)
Firebird Technology Evangelist
http://www.upscene.com/

Do you care about the future of Firebird? Join the Firebird Foundation: http://www.firebirdsql.org/en/firebird-foundation/
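As an added illustration of the two caveats in the reply above (the grantee must be written as a delimited identifier, and like any object name it is capped at 31 characters in Firebird 2.5), here is a small Python helper that composes the GRANT statement for a DOMAIN\user grantee and rejects names that cannot be valid identifiers. This is example code written for this page, not code from the thread or from the Firebird project; the regular-identifier pattern, the function names and the error messages are my own assumptions, while the 31-character limit and the double-quote delimiting are the rules stated above.

```python
# Added example (not from the firebird-support thread or the Firebird project).
# Builds GRANT <role> TO "<DOMAIN>\<user>" for a Windows trusted-auth user,
# quoting the grantee as a delimited identifier and enforcing the 31-character
# identifier limit of Firebird 2.5 that the reply above mentions.
import re
from typing import Optional

MAX_IDENT_LEN = 31  # Firebird 2.5 limit for any object name, grantees included

# Regular (unquoted) identifier: a letter, then letters/digits/_/$ (assumed pattern)
_REGULAR_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$]*$")


def identifier_problem(name: str) -> Optional[str]:
    """Return why `name` cannot be used as a Firebird identifier, or None if it can."""
    if not name:
        return "identifier is empty"
    if len(name) > MAX_IDENT_LEN:
        return f"{name!r} is {len(name)} characters, limit is {MAX_IDENT_LEN}"
    if any(ord(ch) < 0x20 for ch in name):
        return "identifier contains control characters"
    return None


def quote_identifier(name: str) -> str:
    """Wrap `name` in double quotes (SQL delimited identifier), doubling any
    embedded double quote so the name cannot terminate the quoting early."""
    problem = identifier_problem(name)
    if problem:
        raise ValueError(problem)
    return '"' + name.replace('"', '""') + '"'


def grant_role_statement(role: str, domain: str, user: str) -> str:
    """Compose the GRANT statement for the trusted-auth user DOMAIN\\user.

    The role is passed unquoted (matched case-insensitively, as in the
    thread's example) and must therefore be a regular identifier."""
    if not _REGULAR_IDENT.match(role) or identifier_problem(role):
        raise ValueError(f"role name {role!r} is not a regular identifier")
    grantee = f"{domain}\\{user}"  # e.g. SRV\usrname, quoted below
    return f"GRANT {role} TO {quote_identifier(grantee)};"


if __name__ == "__main__":
    print(grant_role_statement("rolename", "SRV", "usrname"))
    # A longish domain plus a first.last user name exceeds the 31-char limit:
    print(identifier_problem("CORPORATEDOMAIN\\firstname.lastname"))
```

Running the script prints the statement for the thread's SRV\usrname example and then the reason a 34-character DOMAIN\first.last name would be refused; the length check is done before the statement is composed, so an over-long grantee never reaches the server.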
[firebird-support] Re: Howto use Active Directory for authentication?
--- In firebird-support@yahoogroups.com, Thomas Steinmaurer ts@... wrote:

>> First, do I understand it right that in order to use AD the Firebird server must be installed onto the domain controller server? Or is it possible to use Linux as a DB server and still use AD for user authorization? Or some other win server than the DC server?
>
> Linux is out of question here. Windows Authentication works only when connecting to a Firebird server running on Windows.

Do you know if there is already a feature request on this in the tracker? I mean the ability to use Linux as a DB server but forward authentication to AD. If there isn't I should probably add it...

> You don't necessarily need installing the Firebird server on a DC.

Any extra configuration needed when they are on different servers? Or if the DB server is in the domain too, will it all just work?

> You have to explicitly provide the desired role name at connect time, so per connection, a connected user can only work in context of a single role.

Oh, so roles are kind of useless as you still have to provide some auth info yourself, can't just let the AD handle it all... another feature request here, must be able to provide the role in the AD too.

TIA
ain
Re: [firebird-support] Re: Howto use Active Directory for authentication?
On Mon, 05 Mar 2012 11:56:02 -, ainpoissee ainpois...@yahoo.com wrote:

> --- In firebird-support@yahoogroups.com, Thomas Steinmaurer ts@... wrote:
>
>>> First, do I understand it right that in order to use AD the Firebird server must be installed onto the domain controller server? Or is it possible to use Linux as a DB server and still use AD for user authorization? Or some other win server than the DC server?
>>
>> Linux is out of question here. Windows Authentication works only when connecting to a Firebird server running on Windows.
>
> Do you know if there is already a feature request on this in the tracker? I mean the ability to use Linux as a DB server but forward authentication to AD. If there isn't I should probably add it...

Even under Windows - AFAIK - it doesn't actually verify against the Active Directory. As far as I understand, it simply takes the user identification provided by the computer at face value and does no further authentication!

Mark
[firebird-support] Firebird security acessing database on other server as SYSDBA
I am an experienced database administrator using DB2 on mainframe for 25 years and discovered Firebird just now and enjoyed it. I developed software and was thinking of using Firebird to lower the customer expenses, since it is free of cost.

Well, executing some security tests I found that a database copied from one server can be opened by another server using the SYSDBA user. It is not acceptable (in my point of view), since customer data can be exposed to undesirable people and my database metadata could be accessed by unauthorized people.

I've seen other posts saying that this kind of security must be implemented at OS level, protecting the DB file from being copied. Some other posts say that encryption is the solution. I don't agree with either solution. If I deliver my software, the files are not in my control and they can be copied and opened on another FB server using the SYSDBA user. Encryption is not a solution either, since an FB server can open it and extract the data.

I think the solution would be saving the SYSDBA password inside the database and encrypting it. What do you think?
[firebird-support] Newbie questions regarding FB Embedded
Hi,

Our company will be upgrading a software analysis tool and the thinking is, if we store the data we gather in a database format, we can export that database so end users can query against it however they want to. Firebird is highly regarded online as a deployable database.

It seems hubristic for us to install a complete client/server architecture and have a db server service running all the time when it's only needed when gathering and processing the data ourselves. So my initial reaction is to (once again) derive a flatfile record structure and generate my own queries, then write a DBF (or even CSV) export filter. There could be ~200k records with ~10 fields/record. But it may be that the Windows embedded Firebird engine will do what we need without service/resource issues - message #42825 seems to indicate so.

My questions are -

1. Does Windows embedded simply start/stop whenever a query is presented to its database (e.g., using Firebird's iSQL command line queries)?
2. If so, are there significant delay times as the engine starts/stops? One can envision integrity checks, garbage collection, and other such background activities.
3. What is the linkage between the application query and the starting of the embedded engine? It does not appear as if there's the equivalent of a net start, for instance.
4. Since we support Linux and most flavors of Unix as well: what are the plans for an equivalent engine outside of Windows? I'm thinking here of avoiding issues with installing a daemon on those platforms (user may not have root privilege) and running all the time even though the service is just required during the time we're gathering/processing our data...

Thanks very much!
Re: [firebird-support] Firebird security acessing database on other server as SYSDBA
I would like to say welcome aboard.

This issue has been discussed and will be implemented in the Firebird 3.0 version. See it in this link: http://tracker.firebirdsql.org/browse/CORE-3368

That is one of the solutions proposed, but there are a lot of other similar suggestions and requests from other users. It is planned to release the feature at least in the 3.0 alpha 1. Just wait and see.

But one thing I want to know, since you are an experienced DB2 admin user: does DB2 have such security? I mean, as far as I know, a SQL Server database can still be accessed by another SQL Server if we copy the database file to another SQL Server whose admin password we know. And one database system that can't be opened even if we move it to another computer is Access :D

Iwan

On Mon, Mar 5, 2012 at 6:32 PM, marcelo.tropia marcelo.tro...@uol.com.br wrote:

> I am an experienced database administrator using DB2 on mainframe for 25 years and discovered Firebird just now and enjoyed it. I developed software and was thinking of using Firebird to lower the customer expenses, since it is free of cost. Well, executing some security tests I found that a database copied from one server can be opened by another server using the SYSDBA user. It is not acceptable (in my point of view), since customer data can be exposed to undesirable people and my database metadata could be accessed by unauthorized people. I've seen other posts saying that this kind of security must be implemented at OS level, protecting the DB file from being copied. Some other posts say that encryption is the solution. I don't agree with either solution. If I deliver my software, the files are not in my control and they can be copied and opened on another FB server using the SYSDBA user. Encryption is not a solution either, since an FB server can open it and extract the data. I think the solution would be saving the SYSDBA password inside the database and encrypting it. What do you think?

--
Iwan Cahyadi Sugeng
Interaktif Cipta Lestari
Re: [firebird-support] Firebird security acessing database on other server as SYSDBA
On 5/3/2012 16:19, Marcelo Trópia wrote:

> Hi Iwan, thank you.
>
> Regarding DB2 security (mainframe DB2 on z/OS), yes, there is this kind of security. If someone copies the VSAM dataset (DB2 tablespace access method) and tries to register this tablespace on another DB2 instance, DB2 will not accept it because dbid and obid identifiers are stored inside the dataset and you need to know these identifiers to inform DB2. Someone with deep knowledge of DB2 (a hacker) could discover these identifiers, but it is not easy.
>
> Best regards,
> Marcelo

What DB2 implements is security by obscurity.

I understand your concern, but there is no security if you cannot guarantee it at file system level. Even if FB 3.0 stores the user information inside the database, it will be easy to compile a new version of FB that bypasses the user authentication. It's easy to circumvent it in FB since it is open source, and anyone could analyze the code and recompile it.

see you !
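The reply above makes the point that the only control that actually holds for a copied database is the file system: whoever can read the .fdb file can open it on another server. As an added example (written for this page, not code from the thread or from the Firebird project), the following Python check flags a database file whose POSIX permission bits let the group or everyone read or write it, or whose owner is not the account the server is expected to run as. POSIX semantics are assumed; on Windows the equivalent check would inspect the file's ACL, which this example does not do. The file it checks is a constructed temporary file, not a real database.

```python
# Added example (not from the thread or the Firebird project). Implements the
# advice above: since any Firebird server can open a copied database as SYSDBA,
# the effective control is the file system. This check reports a database file
# whose POSIX mode lets the group or anyone else read/write it, or whose owner
# is not the account the server is expected to run as.
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def database_file_findings(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return a list of problems with the file's permissions/ownership.
    An empty list means the file is private to its owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group has read or write access to the database file")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("everyone has read or write access: the file can simply be copied")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Check a constructed temporary .fdb file first with mode 0644 (a common
    default) and then with 0600 (owner only). Returns both finding lists."""
    fd, path = tempfile.mkstemp(suffix=".fdb")  # constructed stand-in, not a real database
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = database_file_findings(path, os.getuid())
        os.chmod(path, 0o600)
        tight = database_file_findings(path, os.getuid())
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0600:", tight)
```

The 0644 pass yields two findings (group-readable and world-readable) and the 0600 pass none; in a deployment the same function would be pointed at the real database path with the server account's uid as `expected_uid`.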
Re: [firebird-support] Newbie questions regarding FB Embedded
On Mon, Mar 5, 2012 at 12:30 PM, cniggeler cnigge...@yahoo.com wrote:

> But it may be that the Windows embedded Firebird engine will do what we need without service/resource issues - message #42825 seems to indicate so. My questions are -
>
> 1. Does Windows embedded simply start/stop whenever a query is presented to its database (e.g., using Firebird's iSQL command line queries)?

While your application maintains a connection to the database, Firebird embedded keeps the database file open, but it only runs when you're running a query.

> 2. If so, are there significant delay times as the engine starts/stops? One can envision integrity checks, garbage collection, and other such background activities.

There's some cost to opening a connection (opening the file, reading metadata), but queries on an open connection won't have a significant delay (give or take the complexity of the query).

> 3. What is the linkage between the application query and the starting of the embedded engine? It does not appear as if there's the equivalent of a net start, for instance.

You open a connection to the database which causes the embedded code to open the file.

> 4. Since we support Linux and most flavors of Unix as well: what are the plans for an equivalent engine outside of Windows? I'm thinking here of avoiding issues with installing a daemon on those platforms (user may not have root privilege) and running all the time even though the service is just required during the time we're gathering/processing our data...

Firebird has embedded versions for most Linux and Unix systems.

Good luck,

Ann
[firebird-support] Re: Newbie questions regarding FB Embedded
Hi,

Thank you for your reply. One clarification to this:

> Firebird has embedded versions for most Linux and Unix systems.

The manual states, "Under Linux, you always need a properly installed server, be it Classic or Super." To me, this means:

a) it can't be installed without user intervention,
b) it will be hard to control from the application (i.e., it will be always on, consuming system resources, as the application may not have privileges to stop it),
c) root access is required, at least according to the manual, which means additional personnel and IT approval overhead, and
d) since Windows is SuperClassic and *nix embedded is Classic, we will have to manage two different procedures at our end.

That's why I was wondering if/when the behavior of *nix embedded and that of Windows embedded will be the same, or even if it's possible.
[firebird-support] Transaction mode question
Hi,

If Sinática Monitor reports a transaction as "Read Committed no Record Versions, Read Write", am I right in these assumptions:

1. Read/write mode, i.e. selects, updates, inserts and deletes are all allowed.
2. On each statement, for each record, it will access only the latest record version, in effect ignoring MVCC.
3. Assuming the lack of wait/no wait info means no wait: if the latest record version is uncommitted, it will report a lock conflict, even if the attempted operation is a read/select.

This is in an OR framework (ECO, a bit like NHibernate). I think it uses this mode for all operations. It would seem to me that this mode limits the number of concurrent operations more than is really motivated. I am considering using record versions instead, in which case I would expect the above to turn into:

2. On each statement, for each record, it will *read* the latest committed version. Does this count per statement start time or is it asynchronous, so that a record version committed by another transaction in the middle of a statement execution will be read by that statement?
3. Assuming the lack of wait/no wait info means no wait: on each statement, for each record, a *write* will fail with a lock conflict error if there is an uncommitted record version.

In view of the OR framework, this transaction mode would mean that when reading it will always get the latest possible data. If the reads are async as I ask in point 2, the data received runs the risk of being inconsistent, which is not good. When writing data, if the OR framework doesn't add any explicit checks for record versions, it will overwrite changes written by other transactions without noticing, assuming the other changes are committed. Uncommitted changes will result in an exception, due to lock conflicts.

Kjell

--
Kjell Rilbe
DataDIA AB
E-mail: kj...@datadia.se
Phone: 08-761 06 55
Mobile: 0733-44 24 64
[firebird-support] Re: Newbie questions regarding FB Embedded
cniggeler [2012-03-05 18:30]:

> Hi,
>
> 4. Since we support Linux and most flavors of Unix as well: what are the plans for an equivalent engine outside of Windows? I'm thinking here of avoiding issues with installing a daemon on those platforms (user may not have root privilege) and running all the time even though the service is just required during the time we're gathering/processing our data...

A link to start with: http://accountingplusplus.blogspot.com/2010/06/firebird-embedded-linux.html