Mapping rule using WIN_SSPI plugin: windows user group conversion to firebird role does not work [CORE5639] #5905

Closed
firebird-issue-importer opened this issue Oct 16, 2017 · 5 comments


Submitted by: Erik Jõeveer (erikj)

First enable use of Windows trusted authentication:

```sql
CREATE GLOBAL MAPPING TRUSTED_AUTH
USING PLUGIN WIN_SSPI
FROM ANY USER
TO USER;
```

Then we want to define a mapping from a specific Windows trusted authentication user group to a Firebird role:

```sql
CREATE MAPPING WIN_GLADMIN
USING PLUGIN WIN_SSPI
FROM Group NOOMGLADMIN
TO ROLE GLADMIN;
```

But this does not work.
It seems that role assignment mapping currently works only for Windows admins (Predefined_Group DOMAIN_ANY_RID_ADMINS).

Maybe this issue is related to one 'ToDo' comment in the WIN_SSPI plugin code (AuthSspi.cpp):

```cpp
int WinSspiServer::authenticate(Firebird::CheckStatusWrapper* status,
								IServerBlock* sBlock,
								IWriter* writerInterface)
{
	try
	{
		const bool wasActive = sspi.isActive();

		sspiData.clear();
		unsigned int length;
		const unsigned char* bytes = sBlock->getData(&length);
		sspiData.add(bytes, length);

		if (!sspi.accept(sspiData))
			return AUTH_CONTINUE;

		if (wasActive && !sspi.isActive())
		{
			bool wheel = false;
			string login;
			sspi.getLogin(login, wheel);
			ISC_systemToUtf8(login);

			writerInterface->add(status, login.c_str());
			if (wheel)
			{
				writerInterface->add(status, FB_DOMAIN_ANY_RID_ADMINS);
				writerInterface->setType(status, FB_PREDEFINED_GROUP);
			}

			// ToDo: walk groups to which login belongs and list them using writerInterface

			return AUTH_SUCCESS;
		}

		sBlock->putData(status, sspiData.getCount(), sspiData.begin());
	}
```

...

Commits: e6f525c 5b8f3b6


@firebird-issue-importer firebird-issue-importer commented Oct 16, 2017

Modified by: Erik Jõeveer (erikj)

Version: 3.0.1 [ 10730 ]

Version: 3.0.0 [ 10740 ]



@firebird-issue-importer firebird-issue-importer commented Oct 16, 2017

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]


@firebird-issue-importer firebird-issue-importer commented Oct 19, 2018

Commented by: @AlexPeshkoff

Groups may be used in 2 forms - HostDomainName\GroupName or just GroupName.
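
Added example, not part of the issue thread or of Firebird's code: a PowerShell check that lists the groups in the current Windows logon token in both forms named above, as candidate names for a `FROM GROUP` mapping rule. The function name `Get-GroupNameForms` is an assumption of this example; run it as the Windows account that connects with trusted authentication.

```powershell
# Added example: enumerate the groups of a Windows logon token and show each
# in the two forms from the thread: Authority\Group and bare Group.
function Get-GroupNameForms {
    param(
        # Defaults to the token of the account running the script.
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    foreach ($sid in $Identity.Groups) {
        try {
            $full = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # Orphaned or unresolvable SID: there is no name to map from.
            Write-Warning "No account name for SID $($sid.Value)"
            continue
        }

        # Split "Authority\Group" once; a name without a backslash has no authority part.
        $parts = $full.Split('\', 2)
        if ($parts.Count -eq 2) { $authority, $short = $parts }
        else { $authority = ''; $short = $full }

        [pscustomobject]@{
            FullName  = $full        # HostDomainName\GroupName form
            ShortName = $short       # bare GroupName form
            Authority = $authority
            Sid       = $sid.Value
        }
    }
}

$groups = @(Get-GroupNameForms)
$groups | Sort-Object FullName | Format-Table FullName, ShortName, Sid -AutoSize

# The bare form drops the authority, so one short name that exists under two
# authorities (for example a local and a domain group) is indistinguishable in it.
$groups | Group-Object ShortName | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Short name '{0}' is shared by: {1}" -f $_.Name,
        ($_.Group.FullName -join ', '))
}
```

Where a short name is reported as shared, the `HostDomainName\GroupName` form is the one that identifies a single group.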


@firebird-issue-importer firebird-issue-importer commented Oct 19, 2018

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

Fix Version: 3.0.5 [ 10885 ]


@firebird-issue-importer firebird-issue-importer commented Oct 19, 2018

Modified by: @AlexPeshkoff

Version: 3.0.4 [ 10863 ]

Version: 3.0.3 [ 10810 ]
