From: Dmitry Y. <di...@us...> - 2004-09-24 12:01:38
"Thomas Steinmaurer" <ts...@ib...> wrote:
>
> With these external authentication mechanisms used, would it be
> still necessary to have the user created in the database? You
> know, you would have to maintain the user again in different
> places.

Now you need to synchronize server and database anyway - deleting a server-wide user keeps its privileges in all databases, leaving a possibility for not expected database access when this user name is added again into security.rdb. IMHO, users along with their permissions and roles are objects of one group and should be stored together.

Of course, having different users/logins brings some additional complexity. But it gives you some power as well. And also it allows one to separate the external logic and database objects. Why on earth do you have to create SYSDBA and <owner> users in the NT domain just to be able to back up your database? Just map group "Domain Administrators" to the database-level SYSDBA and group "Backup Operators" to the database-level <owner>. Or use EUA for these users and NT domain authentication for everybody else.

Also (again IMHO), it's easier to migrate such a database between hosts with different auth methods - just remap the database users to whatever you need.

> Or, would it be possible to define that a database user is
> able to authenticate via LDAP or Kerberos or both?

I think it should be possible.

Dmitry