I'm writing an application to manage AD permissions groups.
However, some fields which are needed like "Primary Owner", "Secondary Owner, "Date Reviewed" and historical logs are not in AD.
I'm planning on having a separate SQL Server database to hold this data and using the Group's System ID to join the data.
My question is: Can I have the SQL Server database be synchronized with what is in AD upon changes in AD? Perhaps some listening tool exists? Can LDAP be used to solve this?
A problem which can arise if the database is updated nightly is if a new group is created in AD, primary and secondary owners need to be assigned to it, but the
SID of the new group will not be immediately in the SQL Server Database.
I'm not familiar with SQL Server, so I cannot tell whether it has some special capability to synchronize with AD.
What I know is that there are a few different solutions if you want to track changes in AD using LDAP. You can find an overview of the available techniques in this MSDN article.
I've recently open-sourced ADSync4J, a small Java library that can help you implementing the third technique mentioned in that article (Polling for Changes Using USNChanged). However it won't be of much help if your target platform is not the JVM.
We use a console application written in C# which is run on a batch to read the AD information and insert it into a SQL table. This could be done in almost any language with LDAP bindings but depending on the size of your AD catalog could be performance prohivative.
There does seem to be a way to query directly with SQL (although with some caveats, namely maximum result set size and no support for multi-value parameters). Many articles exist on this from a quick google search such as; https://www.mssqltips.com/sqlservertip/2580/querying-active-directory-data-from-sql-server/
Related
I want to know if it's posible to share SQL Server SESSION CONTEXT variables between different Azure Sql databases using Elastic Queries.
I searched in official documentation but i can't found any information about this feature is available or not.
SESSION CONTEXT exists locally to a single server instance in SQL Server. (It's tied to a session). SQL Azure is built using SQL Server but there are some parts of the mapping that are opaque to customers (they can change based on circumstances such as what Edition you use or what version of the internal software we are using to deliver the service).
Elastic Queries is a feature to let you query from one database (source) to one or more other databases (target(s)). In such a model, you have a SQL Server session to the source database, and the elastic query has a separate connection/session to each other database being touched.
I think the question you are asking is "can I set the session context on the source connection/session and have it flow through to all the target connections when running queries there?" (That's my best guess - let me know if it is different). The answer today is "no" - the session variables do not flow from source to target as part of the elastic query. Also, since today elastic query is read-only, you can't use elastic query to set the session context individually on each target database connection/session as part of the operation.
In the future, we'll consider whether there is something like this we can do, but right now we don't have a committed timeline for something like this.
I hope this explains how things work a bit under the convers.
Sincerely,
Conor Cunningham
Architect, SQL
Good day all,
I am studing the following case:
Scenario: An application connects to the production database(SQL server 2008) using a generic "SA" user instead of the domain user. This is making traces\logs\organization harder, because everything is flagged as done by SA user!
NOTE: In the application the domain user/password is used, the generic account is only regarding to the database.
Questions: What would be the best pratice in this case? every user should have an account to log in the database? (sql using windows authentication) there are +- 500 users is that an issue regarding to database performance? or a generic account is indicated?
Many thanks!
As others have mentioned, Active Directory and Windows Authentication might be more appropriate if that's an option. But if not...
If the application has a central place that creates the connection & transaction prior to update, you may be able to use SET CONTEXT_INFO to pass along the "real" application user while still using a shared SQL account for the login.
Then in your auditing triggers you can pull the information back out again using the CONTEXT_INFO() function
This is the approach used by at least one commercial auditing tool
See also similar SO questions here and here which reference context_info and a blog post Exploiting Context_Info for Fun and Audit which gives an NHibernate example.
Nitpick on something else in your question: you said it's using sa user. Maybe that was just an example, but probably the application should not have so many rights on the server. Create a user with only the rights needed for the particular database(s) that application uses. This limits the impact of any future security vulnerability (e.g. SQL Injection) in your application. And to take it one step further, you might have one connection string with a read-only user account, and then at the point where you create a transaction to update data, switch to a connection string with the read/write user account. You still get most of the benefits of connection pooling, but you limit even further the impact of any application-tier bugs.
We are working on a licensing system for a client-server application where the only server component is a database (no application server). We would like to issue licenses to a particular server that cannot be installed on any other server or transferred via backup/restore. The idea is to generate a unqiue identifier via a T-SQL query and then use public/private signing to return an activation token that works only for that identifier.
Is there a way to uniquely identify a SQL Server, in a repeatable way, using only T-SQL (without a CLR stored proc or function)? For example, is there some retrievable, unique value that is created when the instance is installed?
Edit: Maybe the MAC part of NEWSEQUENTIALID() would work (see this method). If the system fails over in a cluster/failover setup, or if the primary LAN adapter is changed, it could enter a "grace period" during which it will continue to operate until re-activated on the new hardware. The question is whether this is "unique enough."
Even if you get a unique ID a potential problem is validation at T-SQL. The database is not validated. What if they hack the T-SQL and remove the activation part. Does the customer use T-SQL directly or do you have a client application. If you have a client application then why is CLR not an option. It was crack-able but I worked with an application that generated a hash of server name on the install and stored it in the database. Then the client would compare the stored hash to the dynamic hash to determine if it was on another server. Problem was if the server name was the same then it could be beat and the hash algorithm was on the client application so with effort it could be exposed.
Adian I wish I could thank you for answering my questions.
If you look in sysObjects and other systems tables/views I think you can find something to uniquely identify a server and database. Like on a restore to another server you have to delete the user and and recreate the user even though the name is the same the internal id is different. If they restored the master and application database they might be able to make everything identical but they would have to know to do that. On the base install SQL may generate a unique id somewhere as it makes sense Microsoft would want a unique id for replication, other features, and licensing.
We're using SQL 2005 and want to identify individual users so we can trace their SQL for performance purposes, but we're finding it hard to unique identify who is who.
We're using SQL 2005 with connection pooling so every user has the same user in the Activity Monitor. Their NT user name doesn't appear to be set - maybe because we're using SQL Server users not domain users, we're also using Citrix so there is no individual IP address set. In this (very common) environement how do you identify an individual user?
If everyone is using the same username and coming from the same IP you won't be able to tell them apart. Unless you're using windows authentication MSSQL won't even be told what username on windows the user connecting has.
Have you considered changing your setup so that it uses Windows Authentication? It seems like the logical solution to the problem. Either that or setting up separate logins for everyone on SQL but that'd be duplicating your Active Directory user list...
In order to identify users in SQL Profiler, you need to provide that information to SQL Server in some way with each request or as part of the connection context. One way is to connect as different users, but if you have thousands of users, you would need thousands of accounts (SQL Auth or Windows Auth), and it becomes unmanageable quickly.
A much better way is to set the Application Name parameter in the connection string to be the name of the user. Once set, you can filter on that field in SQL Profiler: Data Source=.;Initial Catalog=Northwind;Integrated Security=SSPI;Application Name=RickNZ
The disadvantage with this approach is that connection pooling (which is enabled by default) only shares connections when the connection strings are byte-for-byte identical. So if you make them different per user, then you will have many more connections, with a resulting impact on performance. In a heavily multi-threaded environment, there's also a possibility that you could run out of available pooled connections. Even so, it might be useful for short-term debugging.
Solved the problem by tracking the Client Process Id in Sql Profiler. We can identify a particular user and their PID from within Citrix, or Task Manager in a normal setup. Then filter the output in Sql Profile by that PID.
This is brilliant when you're working on a DB but don't have access to the source of the application. Often standard reports need to be changed, SP's fixed etc, but if you don't know what's being run it's a needle in a haystack - use Sql Profile to track a user, capture the Sql, analyse/debug - fix move on.
It seems like something like this should exist, but I have never heard of it and would find such a utility to be incredibly useful. Many times, I develop applications that have a database backed - SQL Server or Oracle. During development, end users of the app are encouraged to test the site - I can verify this by looking for entries in the database...if there are entries, they have been testing...if not, they haven't.
What I would like is a tool/utility that would do this checking for me. I would specify the Database and connection parameters and the tool would pool the database periodically (based on values that I specify) and alert me if there was any new activity in the database (perhaps it would pop up a notification in the system tray). I could also specify multiple database scenarios to monitor in the tool. If such an app existed, I wouldn't have to manually run queries against databases for new activity. I'm aware of SQL Profiler, but when I reviewed it, it seemed like overkill for what I wanted to do (and it also wouldn't do the Oracle DB monitoring). Also, to use SQL Profiler, you have to be an admin of the database. I would need to monitor databases where I only have a read-only account.
Does someone know if such a tool exists?
Sounds like something really easy to write yourself. Just query the database schema, then do a select count(*) or select max(lastUpdateTime) query on each table and save the result. If something is different send yourself an email. JDBC in Java gives you access to the schema information in a cross-database manner. Don't know about ADO.