I'm trying to connect a user to my company's postgreSQL Server to access a postgres database via MS Access 2019. Connection should be established via ODCB driver. I manage the following server via Plesk and Webmin: webmin_systemsettings networking_settings
Here are the permissions of the user via Plesk, they're the same as every other user: plesk_permissions
I have close to zero information as to how the current configurations are, because, surprise, the former head of IT just left without any documentation. I'm also not a professional programmer, so please bear with me.
Goals:
The user should be able to connect to SQL server (running CentOS Linux 8.3.2011) to access a database on the server. As long as the user uses the initial password specified via Plesk and Webmin, it works fine. Mind you, this is the SAME password that is used for Win authentification AND for accessing the database via ODCB driver.
Decouple ODCB driver authentification, Windows authentification and SQL server authentification.
Problems:
If user changes Win authentification password, the server connection fails. This also breaks the connection to the ODCB driver and results in an authentification error when testing the SQL connection via ODCB administration. This should not be the case and is a massive security issue.
With another test user, I am able to successfully complete the ODCB authentification, but I still get a connection error:
timeout error 3151: ODCB connection to 'database' failed
ODBC connection to 'database' failed as well as a DLookup bug via VBA:
Lbl_Name.ControlTipText = DLookup("[numberofuser]", "User", "[CompanyName] = '" & fOSUserName & "'")
Solutions I have tried:
- updating ODBC driver to current version compatible with MS Access 2019 (running Win10 64bit)
- changing password back to initial start password (both in postgreSQL from unix shell as well as via Plesk, Webmin)
- Hardcoding ODCB authentification credentials via the Windows registry
The ODCB driver seems to be somehow using Windows authentification with a stored password, but I don't know how/where to change that. How do I locate the source of the DLookup error?
I'm very thankful for any hints or suggestions how to fix this.
Well, the first decision - one that you have to set in stone?
Does the server (and the database) support windows authentication, or not?
It REALLY is a simple issue and answer. Either yes it does, or you can make this decision.
Seems to me, that if you can use windows authentication , then you should. That way, you don't deal with any passwords in Access client side. You should be able to re-link the Access tables (with windows authentication choice), and you are really done. It will not matter if users change their passwords, since you on a domain, and management of windows logons is done and managed by the domain server.
This choice ALSO means that you don't have to mess with, nor create, nor bother creating users (and their passwords) on the sql server side of things.
So, either the above choice is made (or can be made), or it cannot.
Now, often, especially if the server is hosted, or off site, then of course you don't have the choice of using windows authentication.
Well, you mixing up a few things. If you can choose windows authentication, then link your tables using that - change of passwords, adding new users, removing them will not require any client side changes, nor re-linking of tables, nor will you require to mess with, or bother with passwords when linking the access tables.
So, it not clear why you would not want to choose ODBC driver to use windows authentication , since then you are done - and never have to change anything at all.
If you are NOT to use windows authentication, then you adding users and their passwords to the database system, and they will have ZERO ZERO to do with their windows logon. They don't know or care about each other. On the other hand, if you using database logons, then in most cases, users can't change their passwords - I suppose you COULD add some form to Access that lets them change their passwords.
And another common approach?
Well, you create ONE sql server logon, and use and link the tables with that one user. This sql server is NEVER known, NEVER seen, or never worry about by end users. this choice does not effect that we OFTEN pick up the computer name (workstation name), and the current logged on user name - and save that into the Access table for history, or logging, or say even who last modified the record in question. (and it not clear if this information is being used now????).
So, it is VERY common that if you don't have the windows authentication choice fo the sql server, then we OFTEN link using one user we created for this purpose.
Thus, we link the front end (accDB) with this one user. We then compile the AccDB down to a accDE. And then that front end is distributed to all work stations. As long as each work station has the correct drivers (for postgres), then no further work station configuration should be required.
This zero work station configuration is achieved by using what we call DSN-less connections in access for the linked tables. In fact, if you link using the default prompts (launching the ODBC config from access), then the default choice is to create a FILE dsn. If you choose that, then when you are done linking, your table links ARE in fact dsn-less. At that point, you can distribute the front end to any workstation on your network, and it should just work - and work without re-linking and work without any database or passwords prompts.
So VERY imporant that when you link the tables, you choose that FILE dsn option. This choice as noted assumes you created ONE logon on the sql server, and that all users with their FE copy will thus receive a pre-linked database based on this ONE user on sql server.
As noted, this works well, and my experience is that most access applications are still able to freely pick up the workstation name (computer name), and ALSO are able to pick the up the current logged on user - and that information is then often saved in a record. So, in this case, we don't care that all users are using the ONE and SAME sql logon, since all code and forms and data operations that need anything to do with one use is picked up by the access applcation anyway.
The next issue:
Improved security
Few realize that you can link the tables WITHOUT having to include the user/password. This knowledge is a HUGE deal for two big reasons:
It means you can prompt for user + password on access applcation startup, and NOT have to re-link the tables. However, as noted, I tend to find that most applications are designed and assume that all workstations use the one sql logon - assuming non windows auth choice.
It also vast increase security, since linked tables in Access store/save the user/password in plain text - and often in plane text/view to the user. So, by linking tables without user + password, then we plug a security hole and issue.
How above works? You link tables without user + password, but BEFORE you link the tables, you execute a logon in Access. Once you execute a valid sql logon (sql server, Oracle, MySQL, Postgress - don't matter), then at that point in time, WHEN and AFTER that valid logon has occurred, then you are free to link the tables, and free to do so WITHOUT including the user + password in those linked tables.
This means that on applcation startup, after you executed that logon, then all linked tables will work. If you don't execute that logon then the linked tables will not work.
However, you have to make a decision here. Either you use windows authenticaiton or you do not (or you can't).
That means THEN that users and passwords have ZERO to do with windows, and their logons. And since that means zero, then they can change their windows logon etc., but you don't care, don't know, and can't care. (since we using sql server logons). So, if you use sql logons, then this issue is 100% separate from each user and their windows logon. As I stated, as a result of this issue, in most cases then ONE sql logon is used, and you link the tables and setup the linked tables based on this assumption.
so, you want to delete your table links or at the very least re-link them, and re-link them using a FILE dsn. Once you done this, then that front end can be deployed to any work station. The user should not get any logon prompt from ODBC.
Note that during the table linking process, ONLY on FIRST time and ONLY on create of the table link, you see a prompt to rememeber password. If you skip or miss this option, then you always will get a ODBC logon prompt before your linked tables will work.
That check box is this one during the table linking process:
If you skipped above, then you get that ODBC logon each time you launch access.
However, as noted, you can link tables without the user + password, and recommend you consider that option. This means you WILL have to execute that one time logon on application startup.
How to do this is explained here:
https://www.microsoft.com/en-us/microsoft-365/blog/2011/04/08/power-tip-improve-the-security-of-database-connections/