firebird-mirror/doc/README.trusted_authentication

		New way to authenticate users in firebird.

Firebird starting with version 2.1 can use Windows security for user authentication.
Current security context is passed to the server and if it's OK for that server is used to determine
firebird user name. To use Windows trusted authentication in FB3 you should make minimum changes in
firebird.conf and tune mappings in your databases.

Parameter Authentication in firebird.conf file is not used any more - it's replaced with more
generic AuthServer (and AuthClient) parameters. Also to use trusted authentication one should turn
off mandatory wire encryption because Win_Sspi plugin (which implements trusted authentication on
Windows) does not provide an encryption key. So minimum changes in firebird.conf you need is:

AuthServer = Srp, Win_Sspi
WireCrypt = Enabled

Also mapping (see sql.extensions/README.mapping.html) should be created. To tune for all databases
do:

create global mapping trusted_auth using plugin win_sspi from any user to user;

Do not put user and password parameters in DPB/SPB. With provided firebird.conf in almost all cases
trusted authentication will be used (see environment below for exceptions). Suppose you have logged
to the Windows server SRV as user John. If you connect to server SRV with isql, not specifying
Firebird login and password:

isql srv:employee

and do:

SELECT CURRENT_USER FROM RDB$DATABASE;

you will get something like:

USER
====================================================
SRV\John

Windows users may be granted rights to access database objects and roles in the same way as
traditional Firebird users. (This is not something new - in UNIX OS users might be granted rights
virtually always).

- If domain administrator (member of well known predefined groups) connects to Firebird using trusted
authentication, he/she may be granted 'god-like' (SYSDBA) rights depending upon settings in database,
to which such user attachs. To keep CURRENT_USER value in a form DOMAIN\User, a new object (predefined
system role) is added to the database. The name of that role is RDB$ADMIN, and any user, granted it,
can attach to the database with SYSDBA rights. To configure all databases to auto-grant that role to
administrators, use the following command:

create global mapping win_admin using plugin win_sspi from predefined_group DOMAIN_ANY_RID_ADMINS to role RDB$ADMIN;

Take into an account, that if Windows administrator attaches with role set in dpb, it will not be
replaced with RDB$ADMIN, i.e. he/she will not get SYSDBA rights.

- To keep legacy behavior when ISC_USER/ISC_PASSWORD variables are set in environment, they
are picked and used instead of trusted authentication. In case when trusted authentication is needed
and ISC_USER/ISC_PASSWORD are set, add new DPB parameter isc_dpb_trusted_auth to DPB. In most
of Firebird command line utilities switch -trusted (may be abbreviated up to utility rules) is used
for it.

isql srv:db                -- log using trusted authentication
set ISC_USER=user1
set ISC_PASSWORD=12345
isql srv:db                -- log as 'user1' from environment
isql -trust srv:db         -- log using trusted authentication

				Author: Alex Peshkov, <peshkoff at mail.ru>
modified description to match 2.5 state 2008-05-15 17:49:34 +02:00			`New way to authenticate users in firebird.`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`Firebird starting with version 2.1 can use Windows security for user authentication.`
Misc. 2007-04-15 13:25:23 +02:00			`Current security context is passed to the server and if it's OK for that server is used to determine`
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`firebird user name. To use Windows trusted authentication in FB3 you should make minimum changes in`
			`firebird.conf and tune mappings in your databases.`

			`Parameter Authentication in firebird.conf file is not used any more - it's replaced with more`
			`generic AuthServer (and AuthClient) parameters. Also to use trusted authentication one should turn`
			`off mandatory wire encryption because Win_Sspi plugin (which implements trusted authentication on`
Misc. 2015-08-02 17:51:01 +02:00			`Windows) does not provide an encryption key. So minimum changes in firebird.conf you need is:`
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00
			`AuthServer = Srp, Win_Sspi`
			`WireCrypt = Enabled`

			`Also mapping (see sql.extensions/README.mapping.html) should be created. To tune for all databases`
			`do:`

			`create global mapping trusted_auth using plugin win_sspi from any user to user;`

			`Do not put user and password parameters in DPB/SPB. With provided firebird.conf in almost all cases`
			`trusted authentication will be used (see environment below for exceptions). Suppose you have logged`
			`to the Windows server SRV as user John. If you connect to server SRV with isql, not specifying`
			`Firebird login and password:`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
			`isql srv:employee`

			`and do:`

modified description to match 2.5 state 2008-05-15 17:49:34 +02:00			`SELECT CURRENT_USER FROM RDB$DATABASE;`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
			`you will get something like:`

			`USER`
Misc. 2007-04-15 13:25:23 +02:00			`====================================================`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00			`SRV\John`

Misc. 2007-04-15 13:25:23 +02:00			`Windows users may be granted rights to access database objects and roles in the same way as`
			`traditional Firebird users. (This is not something new - in UNIX OS users might be granted rights`
			`virtually always).`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
modified description to match 2.5 state 2008-05-15 17:49:34 +02:00			`- If domain administrator (member of well known predefined groups) connects to Firebird using trusted`
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`authentication, he/she may be granted 'god-like' (SYSDBA) rights depending upon settings in database,`
			`to which such user attachs. To keep CURRENT_USER value in a form DOMAIN\User, a new object (predefined`
			`system role) is added to the database. The name of that role is RDB$ADMIN, and any user, granted it,`
			`can attach to the database with SYSDBA rights. To configure all databases to auto-grant that role to`
modified description to match 2.5 state 2008-05-15 17:49:34 +02:00			`administrators, use the following command:`

Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`create global mapping win_admin using plugin win_sspi from predefined_group DOMAIN_ANY_RID_ADMINS to role RDB$ADMIN;`
modified description to match 2.5 state 2008-05-15 17:49:34 +02:00
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`Take into an account, that if Windows administrator attaches with role set in dpb, it will not be`
modified description to match 2.5 state 2008-05-15 17:49:34 +02:00			`replaced with RDB$ADMIN, i.e. he/she will not get SYSDBA rights.`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
Misc. 2007-04-15 13:25:23 +02:00			`- To keep legacy behavior when ISC_USER/ISC_PASSWORD variables are set in environment, they`
			`are picked and used instead of trusted authentication. In case when trusted authentication is needed`
			`and ISC_USER/ISC_PASSWORD are set, add new DPB parameter isc_dpb_trusted_auth to DPB. In most`
			`of Firebird command line utilities switch -trusted (may be abbreviated up to utility rules) is used`
Fixed old text to make it match v.3 reality 2015-07-26 20:06:05 +02:00			`for it.`
Added readme for trusted authentication in windows 2007-04-11 17:34:32 +02:00
			`isql srv:db -- log using trusted authentication`
			`set ISC_USER=user1`
			`set ISC_PASSWORD=12345`
			`isql srv:db -- log as 'user1' from environment`
			`isql -trust srv:db -- log using trusted authentication`

Misc. 2007-04-15 13:25:23 +02:00			`Author: Alex Peshkov, <peshkoff at mail.ru>`