On 11/05/2015 02:29 PM, Paul Reeves wrote:
> On Thursday 05 Nov 2015 13:49:26 Alex Peshkoff wrote:
>> On 11/04/2015 11:45 AM, Paul Reeves wrote:
>>> So the question is this - can the authentication method be switched between
>>> srp and legacy without modifying security3.fdb?
>> Paul, switching authentication method does not require modification of
>> security3.fdb - only firebird.conf.
> That is good to know. Although as I mentioned in my reply to Mark yesterday, I
> think it will be best if the installer doesn't get involved with this if it
> detects an existing security3.fdb.

Yes - definitely.
Moreover, all management plugins are supposed to be designed to 
create/upgrade the data structures they require themselves.

>> The UserManager parameter in it sets the plugin used to work with the security
>> database. If more than one plugin is given, the first plugin from the list is
>> used by default when changing a user, and all those plugins are used to list
>> users in the sec$users pseudo table.
> This is something that I haven't fully understood in the Release Notes. If I
> understand correctly the first plugin is the only one used for authentication.

If you do not use the plugin control clause - yes.

> I originally thought that the server would go through the list one by one
> until it found a plugin that worked.

That's how authentication and providers work, but for management such 
a mode is not good.
Imagine that one could issue an identical CREATE USER command twice, but 
with a different password, adding users with different passwords in 
different plugins. I do not think it's a good idea.

>
> The only time the list is used is when querying the sec$users table.
>
> I think this distinction needs to be made clearer.
>
>> Using SQL to manage users you may choose a non-default plugin from the
>> list of available ones with the "USING PLUGIN name" clause in the
>> create/alter/drop user statement.
>
> Yes, I know this is in the release notes, but I haven't yet started to do
> anything at that level. I've just been working on getting the security
> database correctly initialised for SRP and legacy auth. But if I understand
> correctly if we have this setting for UserManager:
>
>    UserManager = srp, legacy_auth
>
> we can then use this to add SYSDBA for legacy_auth:
>
>
>    isql>  create user SYSDBA password 'SomethingCryptic'
>              using plugin legacy_auth;
>
>
> instead of the old method of calling gsec.

Yes, this should work.
Except for one detail - I've tried to keep legacy auth as 'old-style' as 
possible, and SYSDBA for it is pre-created in the security database, with 
the old password 'masterke'. I.e. you will not be able to create user sysdba 
a second time. But with SQL you may use CREATE OR ALTER, which will work 
like for any other DDL.


------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
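
The check and password change discussed in this message, as an added example that is not part of the original thread. It assumes the user-manager plugin names shipped with Firebird 3 (`Srp` and `Legacy_UserManager`); use whatever names your own `UserManager` line lists, and treat the passwords as constructed placeholders.

```sql
-- Added example, not from the thread. Assumed firebird.conf setting:
--   UserManager = Srp, Legacy_UserManager
-- Run in isql while connected as an administrator.

-- 1. Show every SYSDBA record and the plugin that stores it.
--    sec$users lists users from all plugins named in UserManager,
--    so one row per plugin that holds a SYSDBA is expected.
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE
  FROM SEC$USERS
 WHERE SEC$USER_NAME = 'SYSDBA';

-- 2. Replace the pre-created legacy password ('masterke').
--    CREATE USER would fail here because the legacy SYSDBA already
--    exists; CREATE OR ALTER works whether or not the record exists.
--    Legacy authentication only uses the first 8 characters of a
--    password, so the placeholder is kept to 8 characters.
CREATE OR ALTER USER SYSDBA PASSWORD 'Pl4c3h0l'
  USING PLUGIN Legacy_UserManager;

-- 3. Without USING PLUGIN the statement goes to the first plugin in
--    the UserManager list only (Srp under the assumed setting); the
--    legacy record is not touched by this statement.
CREATE OR ALTER USER SYSDBA PASSWORD 'ConstructedSrpPlaceholder';

COMMIT;

-- 4. Re-run the listing to confirm which plugins now hold SYSDBA.
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE
  FROM SEC$USERS
 WHERE SEC$USER_NAME = 'SYSDBA';
```

Because the two plugins keep separate records, changing SYSDBA in one leaves the other's password as it was, so each plugin in the list has to be checked on its own.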
