Firebird 2.0.6 Release Notes → Security in Firebird 2 → Dealing with the New Security Database

Dealing with the New Security Database

A. Peshkov

Doing the Security Database Upgrade

If you try to put a pre-Firebird 2 security database -- security.fdb or a renamed isc4.gdb -- into Firebird's new home directory and then try to connect to the server, you will get the message "Cannot attach to password database". It is not a bug: it is by design. A security database from an earlier Firebird version cannot be used directly in Firebird 2.0 or higher.

The newly structured security database is named security2.fdb.

To use an old security database, you must run the upgrade script security_database.sql, which is located in the ../upgrade sub-directory of your Firebird server installation.

Note

A copy of the script appears in the Appendix to these notes: Security Upgrade Script.

To do the upgrade, follow these steps:

  1. Put your old security database in some place known to you, but not in Firebird's new home directory. Keep a copy available at all times!

  2. Start Firebird 2, using its new, native security2.fdb.

  3. Convert your old security database to ODS11 (i.e. back it up and restore it using Firebird 2.0). Without this step, running the security_database.sql script will fail!

  4. Connect the restored security database as SYSDBA and run the script.

  5. Stop the Firebird service.

  6. Copy the upgraded database to the Firebird 2 home directory as security2.fdb.

  7. Restart Firebird.

Now you should be able to connect to the Firebird 2 server using your old logins and passwords.
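
The procedure above as a shell script for a POSIX installation; this is an added example, not part of the release notes or the Firebird distribution. The paths, the localhost: connection prefix and the use of the ISC_USER / ISC_PASSWORD environment variables are assumptions, and stopping and restarting the service (steps 5 and 7) is left to the platform's own service manager.

```shell
#!/bin/sh
# Added example: steps 1-7 above as a script. Assumptions (not from the release
# notes): the paths below, tools in $FB_HOME/bin, a "localhost:" connection
# prefix, and SYSDBA's password supplied in the ISC_PASSWORD environment
# variable so that it never appears on a command line.
FB_HOME=${FB_HOME:-/opt/firebird}
OLD_DB=${OLD_DB:-/srv/fb-old/security.fdb}   # old security.fdb / renamed isc4.gdb
WORK=${WORK:-/srv/fb-old/work}               # must be writable by the server
SRV=${SRV:-localhost:}

run() {   # print each command; execute it only when DRY_RUN=0
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

prepare_security_db() {   # steps 1-4, with Firebird 2 already running (step 2)
    case "$OLD_DB" in     # step 1: never work inside Firebird's home directory
        "$FB_HOME"/*) echo "refusing: $OLD_DB is under $FB_HOME" >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-1}" != 1 ] && [ -z "${ISC_PASSWORD:-}" ]; then
        echo "set ISC_PASSWORD for SYSDBA first" >&2; return 2
    fi
    ISC_USER=SYSDBA; export ISC_USER          # step 4 requires SYSDBA
    run mkdir -p "$WORK" &&
    run cp -p "$OLD_DB" "$WORK/security.orig.fdb" &&      # untouched copy
    # step 3: backup and restore through Firebird 2.0 converts to ODS11
    run "$FB_HOME/bin/gbak" -b "$SRV$OLD_DB" "$WORK/security.fbk" &&
    run "$FB_HOME/bin/gbak" -c "$WORK/security.fbk" "$SRV$WORK/security_ods11.fdb" &&
    # step 4: run the upgrade script; -b makes isql stop at the first error
    run "$FB_HOME/bin/isql" -b -i "$FB_HOME/upgrade/security_database.sql" \
        "$SRV$WORK/security_ods11.fdb"
}

install_security_db() {   # step 6: call only while Firebird is stopped (step 5)
    run cp -p "$FB_HOME/security2.fdb" "$WORK/security2.native.fdb" &&
    run cp "$WORK/security_ods11.fdb" "$FB_HOME/security2.fdb"
}

# Usage: DRY_RUN=0 sh upgrade.sh prepare   (then stop Firebird, step 5)
#        DRY_RUN=0 sh upgrade.sh install   (then restart Firebird, step 7)
case "${1:-}" in
    prepare) prepare_security_db ;;
    install) install_security_db ;;
esac
```

With DRY_RUN unset the script only prints the commands it would run, so the plan can be reviewed before anything touches the databases.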

Nullability of RDB$PASSWD

In pre-2.0 versions of Firebird it was possible to have a user with a NULL password. From v.2.0 onward, the RDB$PASSWD field in the security database is constrained as NOT NULL.

However, to avoid exceptions during the upgrade process, the field is created as nullable by the upgrade script. If you are really sure you have no empty passwords in the security database, you may modify the script yourself. For example, you may edit the line:

  RDB$PASSWD RDB$PASSWD,
        

to be

  RDB$PASSWD RDB$PASSWD NOT NULL,
        

Caution with LegacyHash

As long as LegacyHash = 1 is configured in firebird.conf, Firebird's security does not work completely. To set this right, do the following:

  1. Change the SYSDBA password.

  2. Have the users change their passwords (in 2.0 each user can change his or her own password).

  3. Set LegacyHash back to its default value of 0, or comment it out.

  4. Stop and restart Firebird for the configuration change to take effect.
