FirebirdDB
/
firebird
зеркало из https://github.com/FirebirdSQL/firebird.git


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364
							0. Brief description.

fbSampleExtAuth plugin is useful when you want to run 'execute statement on external'
statement connecting to databases on non-local servers but do not wish to explicitly
add login and password to your PL/SQL code. When 2 servers completely trust each other
this plugin may be used to enable access to remote database without entering login and
password in SQL code. To ensure that connection comes from trusted source shared secret
key (placed into plugin's .conf file) is used. That means that the value of a "Key"
parameter should be exacly the same for all trusting each other hosts. Pay attention -
SQL name of connected user on remote host may not match local logon, it depends also
upon mappings on remote host.

1. Before starting the build.

This authentication plugin is using TomCrypt (https://www.libtom.net/LibTomCrypt/) library.
Firebird since v.4 is actively using it. Depending upon build type tomcrypt binary may be
included or not included into your package. In a case when it's included you will find
appropriate H-files in tomcrypt.include subdir. If not that means that native OS library
is used and you should also work with it. Depending upon your OS you will may be need
to install development package for tomcrypt.

2. Building plugin.

Type 'make' in this directory. Build system supposes that it was not moved out of standard
firebird tree. In a case when you did it manually you will sooner of all have to change
Makefile appropriately. If you use firebird with different operating systems and/or hardware
you should build plugin for each used configuration.

3. Installing plugin.

Makefile has install target (make install) which may be used for current box. However
this is not full solution because plugin is supposed to be used to connect at least two
separate servers. See 'Testing' for more details.

4.Testing.

- imagine you have two hosts: host1 and host2;
- generate configuration file using fbSampleExtAuthKeygen utility on any of them (only ONCE -
on ONE host !!!);
- copy that file and plugin itself to $FIREBIRD/plugins directory on each host;
- modify firebird.cond, it should contain something like:
	AuthServer = Srp256, fbSampleExtAuth
	AuthClient = Srp256, fbSampleExtAuth
lines, certainly something else may be used instead recommended Srp256;
- if you need WIN_SSPI plugin please add it AFTER fbSampleExtAuth;
- do not forget to restart firebird after reconfiguring it;
- create minimal required mapping on host1:
	CREATE MAPPING EXT USING PLUGIN fbSampleExtAuth FROM ANY USER TO USER EXTUSER;
- run the following script on host2:
	SET TERM ^;
	EXECUTE BLOCK RETURNS(REMNAME CHAR(32)) AS BEGIN
		EXECUTE STATEMENT 'SELECT CURRENT_USER FROM RDB$DATABASE'
				ON EXTERNAL 'host1:employee' INTO :REMNAME;
		SUSPEND;
	END^
	SET TERM ;^
you should get something like this:
	REMNAME
	==============================
	EXTUSER
- explicitly specifying login and/or password in SQL statement normally deactivates
this plugin but one can use IgnoreLogin and IgnorePassword parameters to change that.