
Understanding LDAP or MS Active Directory authentication and Informix


Darren...@carmax.com

Mar 7, 2007, 12:52:22 PM
to inform...@iiug.org

Greetings,

I'm hoping someone understands what is necessary to enable LDAP or AD
authentication with Informix. I'm trying to understand if a specific
database ID w/connect needs to be present or if a user is part of a group
in LDAP/AD, connect can be granted to the group name in the DB. I'm having
a hard time believing that a DB ID does not exist in the DB.

Or if I'm just not understanding what is required to make LDAP work, could
someone explain it to me.

IDS 9.40 FC2 or FC8
HPUX 11.11

Thanks for any insight you can provide.

Andrew Ford

Mar 7, 2007, 2:04:22 PM
to inform...@iiug.org, Darren...@carmax.com
In Linux I can get the Informix engine to authenticate a user via LDAP
through PAM by adding the following options to my server's sqlhosts entry:

s=4,pam_serv=(system_auth),pamauth=(password)

You can find some more info here:

http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.admin.doc/admin02.htm

I'm still testing the functionality myself, not sure how/if it will work
under HP/UX and still not sure if I've configured LDAP via PAM correctly but
it appears to work.

Andrew

> _______________________________________________
> Informix-list mailing list
> Inform...@iiug.org
> http://www.iiug.org/mailman/listinfo/informix-list


Darren...@carmax.com

Mar 7, 2007, 2:18:11 PM
to Andrew Ford, inform...@iiug.org
PAM is not available for 9.40 FCx on HPUX 64 bit which is a problem for me.
I'm just trying to understand what type of user id is needed in the
database to support an LDAP/AD user.

Does that make sense?




Fernando Nunes

Mar 7, 2007, 8:27:15 PM
Darren...@carmax.com wrote:
> PAM is not available for 9.40 FCx on HPUX 64 bit which is a problem for me.
> I'm just trying to understand what type of user id is needed in the
> database to support an LDAP/AD user.
>
> Does that make sense?
>


IDS will use OS authentication. If HPUX/64 allows for OS users to be authenticated in an LDAP server, this should work for Informix.
Currently there is no user id inside the database server.

PAM allows for other ways to authenticate users (only limited by the availability of PAM itself and the appropriate module(s) )
I believe that 10.00.FC6 may support PAM on HP-UX (PA-RISC) but the machine notes are not on the page yet.
For 10.00.FC5 on HP-UX (Itanium) the machine notes ( http://publib.boulder.ibm.com/epubs/html/22963440.html ) state it supports PAM.
If you think PAM could help, you can contact support for clarification.

For OS/LDAP integration maybe this will help:

http://docs.hp.com/en/internet.html#LDAP-UX%20Integration


--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...

Martin Fuerderer

Mar 8, 2007, 4:55:40 AM
to Darren...@carmax.com, informix-l...@iiug.org, inform...@iiug.org
Hi,

that is (unfortunately) true. As far as I know, IDS supports PAM
on HP-UX, but only HP-UX 32-bit (on PA-Risc that is).

One possibility to get this to work anyway is to find some software
that does LDAP authentication transparently. In the standard scenario
(no PAM) IDS uses normal system library calls to retrieve OS user
information (normally from /etc/passwd and /etc/shadow) and
do the check.

There are some implementations existing that let these normal
system library calls do an LDAP look-up very much the way
NIS/NIS+ works. This would be transparent to the IDS server and
thus would work with IDS.

I've never searched for and much less tried any such things for
HP-UX. So you will have to do some research yourself.

Regards,
Martin
--
Martin Fuerderer
IBM Informix Development Munich, Germany
Information Management

Sorry, but the following text is now required by German law:
IBM Deutschland GmbH
Vorsitzender des Aufsichtsrats: Hans Ulrich Maerki
Geschäftsführung: Martin Jetter (Vorsitzender), Rudolf
Bauer, Christian Diedrich, Christoph Grandpierre,
Matthias Hartmann, Andreas Kerstan
Sitz der Gesellschaft: Stuttgart
Registergericht: Amtsgericht Stuttgart, HRB 14562
WEEE-Reg.-Nr. DE 99369940

Darren...@carmax.com

Mar 8, 2007, 8:37:04 AM
to Fernando Nunes, informix-l...@iiug.org, inform...@iiug.org
Fernando,

Thanks for the response and link. I believe I have a handle on how the
user would be authenticated to the OS.

I guess my confusion is how do you manage db object permissions in the db if
the user does not exist. Someone mentioned that the user would connect via
public. I'm hoping that the correct way to handle this is through the
sysusers db. Each LDAP user would belong to a groupname in the sysauth
table. Therefore, you would grant perms on the objects to the groupname,
ie, LDAP user djacobs belonging to the groupname 'accounting' could be
granted perms on a specific set of accounting tables. Public would not
have these perms.

Thanks


Davorin Kremenjas

Mar 8, 2007, 8:55:53 AM
"Andrew Ford" <af...@networkip.net> wrote in message
news:mailman.351.117329429...@iiug.org...

> In Linux I can get the Informix engine to authenticate a user via LDAP
> through PAM by adding the following options to my server's sqlhosts entry
>
> s=4,pam_serv=(system_auth),pamauth=(password)
>
> You can find some more info here:
>
> http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.admin.doc/admin02.htm
>
> I'm still testing the functionality myself, not sure how/if it will work
> under HP/UX and still not sure if I've configured LDAP via PAM correctly
> but it appears to work.
>
> Andrew

Andrew,
please tell us when you test it.
I tried to set up IDSv10+PAM+LDAP on Linux 32-bit, but no success.
I'm sure it's something stupid I'm missing, since I had no problems with
PAM+LDAP authentication for some other services.
Thanks.

Davorin


Mark Jamison

Mar 8, 2007, 9:33:55 AM
to Martin Fuerderer, Darren...@carmax.com, inform...@iiug.org, informix-l...@iiug.org

FYI,

IDS supports 64Bit PAM beginning in 10.00.FC6




da...@smooth1.co.uk

Mar 9, 2007, 10:15:52 AM
On 8 Mar, 13:37, Darren_Jac...@carmax.com wrote:
> Fernando,
>
> Thanks for the response and link. I believe I have a handle on how the
> user would be authenticated to the OS.
>
> I guess my confusion is how do you manage db object permssions in the db if
> the user does not exist. Someone mentioned that the user would connect via

You don't; the user has to exist in the OS, otherwise the
permissions for public are used.

> public. I'm hoping that the correct way to handle this is through the
> sysusers db. Each LDAP user would belong to a groupname in the sysauth
> table. Therefore, you would grant perms on the objects to the groupname,
> ie, LDAP user djacobs belonging to the groupname 'accounting' could be
> granted perms on a specific set of accounting tables. Public would not
> have these perms.

Nope, the username is used.
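The practical consequence of "the username is used" is that an LDAP group cannot be named in a GRANT; the group has to be expanded into per-user grants, and any OS account that is not a member should not be left with the PUBLIC catch-all. The script below is an added example, not code from anyone in this thread. It reads group membership in the format `getent group` prints on a host whose NSS resolves groups from LDAP (group:passwd:gid:member1,member2), emits GRANT statements keyed by username, and revokes CONNECT from PUBLIC first. The group name `accounting`, the members `djacobs`/`asmith` and the tables `ar_ledger`/`ar_invoice` are constructed for illustration. Member names are validated before they are interpolated into SQL, because a crafted directory entry must not be able to smuggle a statement through the script.

```shell
#!/bin/sh
# Added example, not from the original posts. IDS checks privileges against the
# OS username, so an LDAP group is expanded here into per-user GRANTs. Input is
# getent-group format (group:passwd:gid:member1,member2); group, member and
# table names used in the demo and tests are constructed for illustration.

# group_members GROUP  (reads getent-format lines on stdin)
# Prints one member per line. Members that are not plain lower-case identifiers
# are skipped with a warning on stderr: the names end up inside SQL text, and a
# crafted directory entry must not be able to inject statements via this path.
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] ~ /^[a-z_][a-z0-9_]*$/) { print m[i] }
                else if (m[i] != "") { print "skipping member with unsafe name: " m[i] > "/dev/stderr" }
            }
        }'
}

# grant_sql GROUP TABLE...  (reads getent-format lines on stdin)
# Emits SQL that first removes the catch-all PUBLIC connect privilege (so an OS
# account that is not a group member gets nothing instead of PUBLIC's rights)
# and then grants CONNECT plus SELECT on each table to every member by name.
grant_sql() {
    group=$1; shift
    echo "REVOKE CONNECT FROM PUBLIC;"
    group_members "$group" | while read -r user; do
        echo "GRANT CONNECT TO $user;"
        for t in "$@"; do
            echo "GRANT SELECT ON $t TO $user;"
        done
    done
}

# Demo on a constructed line (what `getent group accounting` could print on a
# host whose NSS is LDAP-backed). Pipe the output into dbaccess as the DBA.
printf 'accounting:*:1001:djacobs,asmith\n' | grant_sql accounting ar_ledger ar_invoice
```

Run it against each database as the DBA (`getent group accounting | sh grant_from_group.sh | dbaccess accountsdb -`, with whatever file name you save it under), and re-run it whenever group membership changes; each member still has to resolve through the OS (`getent passwd djacobs`) or IDS will never see the name. IDS roles (CREATE ROLE, GRANT ... TO role, GRANT role TO user) cut the per-table grants to one per member, but the role is still granted per username and is inactive until the session issues SET ROLE, so the expansion step stays the same.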

Andrew Ford

Mar 9, 2007, 11:39:04 AM
to Davorin Kremenjas, inform...@iiug.org
What problems are you running into? This is how I was able to get basic
LDAP user authentication via PAM on 32 bit Linux.

1. Verify the LDAP defined account can login to the server running Informix
2. Verify /etc/pam.d/system-auth exists
3. Modify $INFORMIXSQLHOSTS or $INFORMIXDIR/etc/sqlhosts

<dbservername> <protocol> <hostname/ipaddress> <service>
s=4,pam_serv=(system_auth),pamauth=(password)

4. Bounce the Informix engine
5. Try and connect to the server via dbaccess using an LDAP account

> dbaccess

(C)onnect->Select Database Server->Enter User Name->Enter
Password->Select Database

This should get you started.

This also may be useful if you want to run SQL via dbaccess in the
background (non-interactive mode) with an LDAP user.

-- test.sql

connect to testdb@testserv user ldapuser using ldappasswd;

select * from testtab;


> dbaccess - test.sql


I've also found that if you want to perform distributed queries you need to
set up the sysusers:sysauth table.


Andrew
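Steps 1 to 3 above are the places where this setup silently fails: the account is not resolvable by the OS, or the sqlhosts options are off, or the name inside pam_serv=(...) does not match a file under /etc/pam.d exactly (PAM opens the file named like the service, so system_auth and system-auth are different services). The script below is an added example, not code from the original post. It assumes the five-field sqlhosts layout (dbservername nettype hostname servicename options) and the option names shown in the thread (s=4, pam_serv=(...), pamauth=(...)); the sample sqlhosts file and PAM directory it writes are constructed and temporary, it never touches the real /etc/pam.d.

```shell
#!/bin/sh
# Preflight check for the sqlhosts + PAM setup walked through above. Added
# example, not from the original posts. Assumes the five-field sqlhosts layout
# (dbservername nettype hostname servicename options) and the option names
# s=4, pam_serv=(...), pamauth=(...). The demo files at the bottom are constructed.

# nss_resolves USER -> 0 if the OS (via NSS, possibly LDAP-backed) knows USER.
# This is step 1 in script form: IDS only ever sees OS-resolvable names.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# sqlhosts_options FILE DBSERVER -> options field of DBSERVER's entry (may be empty)
sqlhosts_options() {
    awk -v srv="$2" '$1 == srv { print $5; exit }' "$1"
}

# option_value OPTIONS NAME -> the value inside NAME=(value), or nothing if absent
option_value() {
    printf '%s\n' "$1" | awk -v name="$2" '{
        n = split($0, parts, ",")
        for (i = 1; i <= n; i++) {
            if (index(parts[i], name "=(") == 1) {
                v = substr(parts[i], length(name) + 3)  # drop "NAME=("
                sub(/\)$/, "", v)                        # drop trailing ")"
                print v
            }
        }
    }'
}

# check_pam_entry FILE DBSERVER [PAMDIR]
# Returns 0 when the entry carries s=4, a pam_serv name, a valid pamauth mode,
# and the PAM service file exists under PAMDIR (default /etc/pam.d);
# returns 1 otherwise, with the reason on stderr.
check_pam_entry() {
    file=$1; srv=$2; pamdir=${3:-/etc/pam.d}
    opts=$(sqlhosts_options "$file" "$srv")
    [ -n "$opts" ] || { echo "$srv: no sqlhosts entry with an options field" >&2; return 1; }
    case ",$opts," in
        *,s=4,*) ;;
        *) echo "$srv: options '$opts' lack s=4, PAM is not enabled" >&2; return 1 ;;
    esac
    service=$(option_value "$opts" pam_serv)
    mode=$(option_value "$opts" pamauth)
    [ -n "$service" ] || { echo "$srv: no pam_serv=(...) option" >&2; return 1; }
    case "$mode" in
        password|challenge) ;;
        *) echo "$srv: pamauth must be (password) or (challenge), got '$mode'" >&2; return 1 ;;
    esac
    # PAM opens the file named exactly like the service, so pam_serv=(system_auth)
    # needs $pamdir/system_auth; a system-auth file (hyphen) is a different service.
    [ -f "$pamdir/$service" ] || { echo "$srv: PAM service file $pamdir/$service not found" >&2; return 1; }
    return 0
}

# Demo on constructed files in a temp directory, never on the real /etc/pam.d.
demo=$(mktemp -d)
cat > "$demo/sqlhosts" <<'EOF'
testserv   onsoctcp   dbhost   9088   s=4,pam_serv=(system_auth),pamauth=(password)
plainserv  onsoctcp   dbhost   9089
EOF
mkdir "$demo/pam.d"
: > "$demo/pam.d/system_auth"
check_pam_entry "$demo/sqlhosts" testserv  "$demo/pam.d" && echo "testserv: PAM entry OK"
check_pam_entry "$demo/sqlhosts" plainserv "$demo/pam.d" || echo "plainserv: plain OS authentication"
rm -rf "$demo"
```

On a real host call `check_pam_entry "$INFORMIXSQLHOSTS" <dbservername>` before bouncing the engine, and `nss_resolves <ldapuser>` to confirm the account is visible to the OS at all; a name that fails the second check falls through to PUBLIC exactly as described earlier in the thread, whether or not PAM is configured.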



Davorin Kremenjas

Mar 12, 2007, 7:33:21 AM
"Andrew Ford" <af...@networkip.net> wrote in message
news:mailman.372.117345836...@iiug.org...

> What problems are you running into? This is how I was able to get basic
> LDAP user authentication via PAM on 32 bit Linux.
> 1. Verify the LDAP defined account can login to the server running
> Informix
> 2. Verify /etc/pam.d/system-auth exists
> 3. Modify $INFORMIXSQLHOSTS or $INFORMIXDIR/etc/sqlhosts
> <dbservername> <protocol> <hostname/ipaddress> <service>
> s=4,pam_serv=(system_auth),pamauth=(password)
> 4. Bounce the Informix engine
> 5. Try and connect to the server via dbaccess using an LDAP account
> > dbaccess
> (C)onnect->Select Database Server->Enter User Name->Enter
> Password->Select Database
> This should get you started.

Andrew,
I did exactly as you wrote.
I have a test user, only in LDAP, not on the OS at all, it can successfully
login to the server running Informix.
It can also connect to the test database using dbaccess, both from the same
machine and from a few other ones.
But I'm currently unable to connect through JDBC (Server Studio for
example), I get "-951: Incorrect password or user..."
I'll investigate further...


Davorin Kremenjas

Mar 12, 2007, 9:10:40 AM
> But I'm currently unable to connect through JDBC (Server Studio for
> example), I get "-951: Incorrect password or user..."

An update: not JDBC's fault: I can now connect through my own JDBC app after
RTFMing Informix JDBC manual and this forum topic:
http://www-128.ibm.com/developerworks/forums/dw_thread.jsp?message=13870617&cat=19&thread=134825&treeDisplayType=threadmode1&forum=548#13870617
Still cannot connect through ServerStudio but now I guess it's just a matter
of setting the classpath.


Ian Michael Gumby

Mar 12, 2007, 2:44:52 PM
to davorin....@alfatec.hr, inform...@iiug.org
Yes and no.

Here's why...
Not only is IDS PAM friendly, but the OS is PAM friendly too.

So you could set up your OS to do the authentication via PAM and IDS will
inherit this.

The other issue is the "challenge/response" set up. PAM lets you do things
the way *you* want to.
You don't necessarily have to have a "challenge/response". (Ok, LDAP yes,
but other methods no.)

So if you wanted to write your own PAM module that checks an Informix
Database for the ability to connect that mimics the UNIX/Linux OS
authentication, you could still use the regular JDBC drivers.

Does that make sense?

-G
