
maria-developers team mailing list archive

Re: win auth plugin


Hi Serg,

> -----Original Message-----
> From: sergii@xxxxxxxxx [mailto:sergii@xxxxxxxxx]
> Sent: Friday, 30 December 2011 21:03
> To: wlad@xxxxxxxxxxxxxxxx
> Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
> Subject: win auth plugin
> 
> Hi.
> 
> Attached is the patch for the windows authentication plugin.
> 
> To avoid code duplication I've reused MySQL's windows authentication
> plugin and only wrote the server part.
> 
> This plugin is different from MySQL's, because (as all our plugins) it
> does not do user name mapping and only performs the authentication -
> that is, it only verifies that the user really is who he says he is.

Hmm :) Supplying a user name and verifying it is sort of duplicating
information. The server knows exactly who's connecting anyway, after the
handshake is performed. So, is providing the user name really required?

I would understand providing extra name information if it would help to
resolve some ambiguity. For example, in addition to the user name it could be
a group name. Given a token, checking that the supplied string is either the
user name or one of the groups he belongs to is simple. From my point of view,
allowing groups could make it more useful in practice, allowing many
different users/applications to act as a single MySQL user, reducing the need
for one-to-one mapping of every single OS user at the MySQL level.


I'm afraid the .NET connector does not work without mapping, or have things
changed in the last months? That would be a pity, and would greatly reduce the
utility. Does any connector apart from .NET support the authentication yet?

OK, to the patch itself. I do not think comparing usernames as strings is the
correct way to go:
+  if (!client_sid.is_valid() ||
+	  !client_sid.make_username(buf, sizeof(buf)) ||
+	  stricmp(info->user_name, buf))
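Review bot: the `stricmp(info->user_name, buf)` check in this hunk accepts only the one spelling that `make_username` produces, so a MySQL user defined as `.\name` or `machine\name` never matches the same account's token, and a `make_username` failure (e.g. `buf` too small) is indistinguishable from a genuine name mismatch; compare identities rather than strings, i.e. resolve `info->user_name` to a SID and test it against `client_sid` with `EqualSid()`, and report which of the three conditions failed so a rejected login can be diagnosed.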
The problem with it is that usernames can be specified in a multitude
of different ways (name, .\name and machine\name are different names for the
same local user, for example). A more robust comparison would be retrieving the
SID for info->user_name and comparing it with client_sid using e.g.
EqualSid().

Could you understand the strange dance around 254 bytes in Rafal's code
(Handshake_client::write_packet)? I do not get it. Did he fix a real
problem, or a problem that would not exist, or did he redefine the protocol in
his own way?

Wlad
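As an added illustration of the SID comparison and the group check suggested in the mail above (example code, not from the patch or the MariaDB/MySQL plugin), written in PowerShell, whose NTAccount/SecurityIdentifier types sit on the same LookupAccountName and SID-equality semantics the C code would use; it assumes it is run as a local or domain user whose account name resolves on that host.

```powershell
function Resolve-AccountSid {
    # Wraps LookupAccountName: any accepted spelling of an account
    # (name, .\name, DOMAIN\name) maps to the same SID, or throws
    # IdentityNotMappedException if the name is unknown.
    param([Parameter(Mandatory)][string]$Name)
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-NameMatchesToken {
    # SID-based replacement for the stricmp() check: true when the
    # supplied name is the token's user OR one of the token's groups.
    param(
        [Parameter(Mandatory)][string]$SuppliedName,
        [System.Security.Principal.WindowsIdentity]$Token =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    try { $sid = Resolve-AccountSid $SuppliedName } catch { return $false }
    if ($Token.User.Equals($sid)) { return $true }   # EqualSid() equivalent
    foreach ($g in $Token.Groups) {                   # group form of the check
        if ($g.Equals($sid)) { return $true }
    }
    return $false
}

# Demonstration: the current account spelled three ways. String equality
# differs between the forms; SID equality does not.
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$forms = @($env:USERNAME, "$env:USERDOMAIN\$env:USERNAME", ".\$env:USERNAME")
foreach ($f in $forms) {
    try {
        $sid = Resolve-AccountSid $f
        '{0,-35} string-equal={1,-5} sid-equal={2}' -f $f, ($f -ieq $env:USERNAME), $sid.Equals($me.User)
    } catch {
        # ".\name" only resolves for local accounts; a domain user lands here
        '{0,-35} does not resolve on this host' -f $f
    }
}
# Group form: lets every member of a group act as one MySQL-level user
Test-NameMatchesToken 'BUILTIN\Users'
```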
