Mapping rule using WIN_SSPI plugin: windows user group conversion to firebird role does not work [CORE5639] #5905

Closed
firebird-automations opened this issue Oct 16, 2017 · 5 comments

Comments

@firebird-automations
Collaborator

Submitted by: Erik Jõeveer (erikj)

First enable use of Windows trusted authentication:

CREATE GLOBAL MAPPING TRUSTED_AUTH
USING PLUGIN WIN_SSPI
FROM ANY USER
TO USER;

Then we want to define a mapping from a specific Windows trusted authentication user group to a Firebird role:

CREATE MAPPING WIN_GLADMIN
USING PLUGIN WIN_SSPI
FROM Group NOOMGLADMIN
TO ROLE GLADMIN;

But this does not work.
It seems that role assignment mapping currently works only for Windows admins (Predefined_Group DOMAIN_ANY_RID_ADMINS).

Maybe this issue is related to a 'ToDo' comment in the WIN_SSPI plugin code (AuthSspi.cpp):

int WinSspiServer::authenticate(Firebird::CheckStatusWrapper* status,
								IServerBlock* sBlock,
								IWriter* writerInterface)
{
	try
	{
		const bool wasActive = sspi.isActive();

		sspiData.clear();
		unsigned int length;
		const unsigned char* bytes = sBlock->getData(&length);
		sspiData.add(bytes, length);

		if (!sspi.accept(sspiData))
			return AUTH_CONTINUE;

		if (wasActive && !sspi.isActive())
		{
			bool wheel = false;
			string login;
			sspi.getLogin(login, wheel);
			ISC_systemToUtf8(login);

			writerInterface->add(status, login.c_str());
			if (wheel)
			{
				writerInterface->add(status, FB_DOMAIN_ANY_RID_ADMINS);
				writerInterface->setType(status, FB_PREDEFINED_GROUP);
			}

			// ToDo: walk groups to which login belongs and list them using writerInterface

			return AUTH_SUCCESS;
		}

		sBlock->putData(status, sspiData.getCount(), sspiData.begin());
	}

...

Commits: e6f525c 5b8f3b6

@firebird-automations
Collaborator Author

Modified by: Erik Jõeveer (erikj)

Version: 3.0.1 [ 10730 ]

Version: 3.0.0 [ 10740 ]

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Groups may be used in 2 forms - HostDomainName\GroupName or just GroupName.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

Fix Version: 3.0.5 [ 10885 ]

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

Version: 3.0.4 [ 10863 ]

Version: 3.0.3 [ 10810 ]
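
An added example, not part of the original issue thread or the Firebird project's own code: a read-only audit of mapping rules that grant a role from a Windows group, useful for reviewing which rules take effect on a version carrying this fix. It assumes the Firebird 3 system tables RDB$AUTH_MAPPING and SEC$GLOBAL_AUTH_MAPPING and the monitoring table MON$ATTACHMENTS; the SCOPE and NAME_FORM column aliases are introduced here for illustration.

```sql
-- Added example (not from the issue): list every mapping rule that turns a
-- group into a role, for per-database rules (CREATE MAPPING) and server-wide
-- rules (CREATE GLOBAL MAPPING). MAP_TO_TYPE = 1 means the target is a ROLE.
SELECT 'LOCAL'                  AS SCOPE,
       TRIM(RDB$MAP_NAME)       AS MAP_NAME,
       TRIM(RDB$MAP_PLUGIN)     AS PLUGIN,
       TRIM(RDB$MAP_FROM_TYPE)  AS FROM_TYPE,
       TRIM(RDB$MAP_FROM)       AS FROM_NAME,
       -- Which of the two group-name forms from the thread the rule uses.
       CASE WHEN RDB$MAP_FROM CONTAINING '\'
            THEN 'HostDomainName\GroupName'
            ELSE 'GroupName'
       END                      AS NAME_FORM,
       TRIM(RDB$MAP_TO)         AS TO_ROLE
FROM RDB$AUTH_MAPPING
WHERE RDB$MAP_TO_TYPE = 1
  AND UPPER(TRIM(RDB$MAP_FROM_TYPE)) IN ('GROUP', 'PREDEFINED_GROUP')
UNION ALL
SELECT 'GLOBAL',
       TRIM(SEC$MAP_NAME),
       TRIM(SEC$MAP_PLUGIN),
       TRIM(SEC$MAP_FROM_TYPE),
       TRIM(SEC$MAP_FROM),
       CASE WHEN SEC$MAP_FROM CONTAINING '\'
            THEN 'HostDomainName\GroupName'
            ELSE 'GroupName'
       END,
       TRIM(SEC$MAP_TO)
FROM SEC$GLOBAL_AUTH_MAPPING
WHERE SEC$MAP_TO_TYPE = 1
  AND UPPER(TRIM(SEC$MAP_FROM_TYPE)) IN ('GROUP', 'PREDEFINED_GROUP')
ORDER BY 1, 2;

-- Run from a session opened with Windows trusted authentication to see the
-- user name, the role the session actually received, and the plugin used.
SELECT CURRENT_USER, CURRENT_ROLE, a.MON$AUTH_METHOD
FROM MON$ATTACHMENTS a
WHERE a.MON$ATTACHMENT_ID = CURRENT_CONNECTION;
```

Comparing TO_ROLE from the first query with CURRENT_ROLE in a test session for a member of the mapped group shows whether a rule such as WIN_GLADMIN is being applied.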
