
First enable use of Windows trusted authentication:
CREATE GLOBAL MAPPING TRUSTED_AUTH
USING PLUGIN WIN_SSPI
FROM ANY USER
TO USER;
Then we want to map a specific Windows group, as reported by Windows trusted authentication, to a Firebird role:
CREATE MAPPING WIN_GLADMIN
USING PLUGIN WIN_SSPI
FROM Group NOOMGLADMIN
TO ROLE GLADMIN;
But this does not work.
It seems that role assignment mapping currently works only for Windows administrators (Predefined_Group DOMAIN_ANY_RID_ADMINS).
Maybe this issue is related to a 'ToDo' comment in the WIN_SSPI plugin code (AuthSspi.cpp):
// Server-side step of the WIN_SSPI authentication exchange (excerpt; the catch
// handler and the end of the function are not shown here).
// Visible results: AUTH_CONTINUE when sspi.accept() returns false, AUTH_SUCCESS
// once the login (and, for administrators, one predefined group) has been
// handed to writerInterface.
int WinSspiServer::authenticate(Firebird::CheckStatusWrapper* status,
IServerBlock* sBlock,
IWriter* writerInterface)
{
try
{
// Remember the context state before this block is processed; it is compared
// with the state after accept() below.
const bool wasActive = sspi.isActive();
// Replace the buffer contents with the data carried by this server block.
sspiData.clear();
// presumably set by getData() - confirm against IServerBlock
unsigned int length;
const unsigned char* bytes = sBlock->getData(&length);
sspiData.add(bytes, length);
if (!sspi.accept(sspiData))
return AUTH_CONTINUE;
// Active before accept() and no longer active afterwards - presumably the
// handshake has completed (confirm against the sspi class).
if (wasActive && !sspi.isActive())
{
bool wheel = false;
string login;
// Fills both the login name and the wheel flag.
sspi.getLogin(login, wheel);
// presumably converts login from the system charset to UTF-8 - confirm
ISC_systemToUtf8(login);
writerInterface->add(status, login.c_str());
if (wheel)
{
// The only group information written in the visible code: the
// administrators group, typed as a predefined group.
writerInterface->add(status, FB_DOMAIN_ANY_RID_ADMINS);
writerInterface->setType(status, FB_PREDEFINED_GROUP);
}
// ToDo: walk groups to which login belongs and list them using writerInterface
// NOTE(review): as visible here, the writer receives the login and, when wheel
// is set, the administrators predefined group; no other group of the login is
// emitted. That would be consistent with a mapping FROM GROUP never matching -
// confirm against the mapping code. status is not inspected after the writer
// calls in the lines shown.
return AUTH_SUCCESS;
}
// Otherwise hand the current contents of sspiData back through the server block.
sBlock->putData(status, sspiData.getCount(), sspiData.begin());
}
...
|
Description
|
First enable use of Windows trusted authentication:
CREATE GLOBAL MAPPING TRUSTED_AUTH
USING PLUGIN WIN_SSPI
FROM ANY USER
TO USER;
Then we want to map a specific Windows group, as reported by Windows trusted authentication, to a Firebird role:
CREATE MAPPING WIN_GLADMIN
USING PLUGIN WIN_SSPI
FROM Group NOOMGLADMIN
TO ROLE GLADMIN;
But this does not work.
It seems that role assignment mapping currently works only for Windows administrators (Predefined_Group DOMAIN_ANY_RID_ADMINS).
Maybe this issue is related to a 'ToDo' comment in the WIN_SSPI plugin code (AuthSspi.cpp):
// Server-side step of the WIN_SSPI authentication exchange (excerpt; the catch
// handler and the end of the function are not shown here).
// Visible results: AUTH_CONTINUE when sspi.accept() returns false, AUTH_SUCCESS
// once the login (and, for administrators, one predefined group) has been
// handed to writerInterface.
int WinSspiServer::authenticate(Firebird::CheckStatusWrapper* status,
IServerBlock* sBlock,
IWriter* writerInterface)
{
try
{
// Remember the context state before this block is processed; it is compared
// with the state after accept() below.
const bool wasActive = sspi.isActive();
// Replace the buffer contents with the data carried by this server block.
sspiData.clear();
// presumably set by getData() - confirm against IServerBlock
unsigned int length;
const unsigned char* bytes = sBlock->getData(&length);
sspiData.add(bytes, length);
if (!sspi.accept(sspiData))
return AUTH_CONTINUE;
// Active before accept() and no longer active afterwards - presumably the
// handshake has completed (confirm against the sspi class).
if (wasActive && !sspi.isActive())
{
bool wheel = false;
string login;
// Fills both the login name and the wheel flag.
sspi.getLogin(login, wheel);
// presumably converts login from the system charset to UTF-8 - confirm
ISC_systemToUtf8(login);
writerInterface->add(status, login.c_str());
if (wheel)
{
// The only group information written in the visible code: the
// administrators group, typed as a predefined group.
writerInterface->add(status, FB_DOMAIN_ANY_RID_ADMINS);
writerInterface->setType(status, FB_PREDEFINED_GROUP);
}
// ToDo: walk groups to which login belongs and list them using writerInterface
// NOTE(review): as visible here, the writer receives the login and, when wheel
// is set, the administrators predefined group; no other group of the login is
// emitted. That would be consistent with a mapping FROM GROUP never matching -
// confirm against the mapping code. status is not inspected after the writer
// calls in the lines shown.
return AUTH_SUCCESS;
}
// Otherwise hand the current contents of sspiData back through the server block.
sBlock->putData(status, sspiData.getCount(), sspiData.begin());
}
...