[Info-Ingres] User authentication failed to ingres DB through JDBC
Ingres Forums
Hi,
When I try to conenct to a ingres DB through JDBC, I am getting the
following error
Code:
--------------------
SQLException : ca.edbc.util.EdbcEx: User authorization check failed.
Your user identifier was not known to this installation.
Contact your system manager for further assistance.
--------------------
Can someone help me in resolving the problem
--
madhukarmad84
------------------------------------------------------------------------
madhukarmad84's Profile: http://community.ingres.com/forum/member.php?userid=15372
View this thread: http://community.ingres.com/forum/showthread.php?t=11371
_______________________________________________
Info-Ingres mailing list
Info-...@kettleriverconsulting.com
http://ext-cando.kettleriverconsulting.com/mailman/listinfo/info-ingres
Ingres Forums
Is the user you are connecting as defined as a valid Ingres user in your
target installation?
--
teresa
------------------------------------------------------------------------
teresa's Profile: http://community.ingres.com/forum/member.php?userid=26
Mike Leo
On Nov 18, 2009, at 12:38 PM, Ingres Forums wrote:
>
> Ingres requires two things to complete a connection to a database (by
> default anyway):
> - A valid operating system login and password. (Default is old style
> passwords but you can now use PAM)
> - The login is defined as a valid ingres user by the installation
> administrator, usually via accessdb.
>
This is one of my biggest pet peeves. Why does
Ingres require that you have either an OS account
or some sort of directory service account (same thing)
to let you connect to the database?
This is madness. No other database requires this.
This is part of the reason I can fire up a Linux stack and have
developers
coding against, deploying to, and testing on a MySQL or Postgres
server in
about 5 minutes.
Why can you associate a password with the "Ingres user" if you can't
even use
it to authenticate remotely.
Part of getting people to use your software is making it very easy to
use.
The authentication in Ingres is not only complicated, it is more
LIMITED than
any other DBMS.
Cheers,
Mikey
Martin Bowes
> This is one of my biggest pet peeves. Why does Ingres require that you
have either an OS account
or some sort of directory service account (same thing) to let you
connect to the database?
..etc...
I'd have to ask why you think its complicated Mike. It seems to me that
either OS authentication or authentication using an installation
password is pretty simple.
Apart from which, I want people to be authenticated before they access
my installations or databases.
Marty
Ingres Forums
Sorry, I didn't understand what is "valid Ingres user in your target
installation"
I have updated the user as a valid ID using accessdb command and
granted all the permissions to the user
Still having the same problem.
Thanks,
Madhu
--
madhukarmad84
------------------------------------------------------------------------
madhukarmad84's Profile: http://community.ingres.com/forum/member.php?userid=15372
Ingres Forums
JDBC authenticates in the same way as Ingres/Net. You may need your user
to be an OS user.
--
denjo02
------------------------------------------------------------------------
denjo02's Profile: http://community.ingres.com/forum/member.php?userid=702
Mike Leo
On Nov 19, 2009, at 2:42 AM, Martin Bowes wrote:
> Hi Mike,
>
>> This is one of my biggest pet peeves. Why does Ingres require that
>> you
> have either an OS account
> or some sort of directory service account (same thing) to let you
> connect to the database?
> ...etc...
>
> I'd have to ask why you think its complicated Mike. It seems to me
> that
> either OS authentication or authentication using an installation
> password is pretty simple.
>
> Apart from which, I want people to be authenticated before they access
> my installations or databases.
>
> Marty
>
Marty,
I can get ANYTHING to work if I try hard enough. MySQL is just easier
and faster. That is part of its attraction.
I have a few Oracle installations that have thousands of users and
not one of them has an OS account or an entry in any kind of directory
service. Not all of these users are people. Quite a few people have
different users for different roles.
One day, the network services branch of the company decided the entire
company was going to move from Novell directory services to Active
Directory.
I had nothing to do. They didn't bother to tell me ahead of time. And
in
that department, they have strict IT best-practices that each account
has
to be approved through management, etc.
Too many moving parts.
And tell me what I do for VMS sites? How's that PAM authentication
for VMS
coming along? Oh, not til' next year? Hmmm .... can we wait?
Mikey
Roy Hann
> [snip] And in that department, they have strict IT best-practices that
> each account has to be approved through management, etc.
Well playing the Devil's advocate for a moment, I could say that no
resource is more sensitive nor more valuable than the business data. So
is it any kind of best-practice to permit access to it without
management approval and at least the same level of scrutiny as
required for access to the spreadsheets and print servers?
--
Roy
UK Ingres User Association Conference 2010 will be on Tuesday June 8 2010
Go to http://www.iua.org.uk/join to get on the mailing list.
Ingres Forums
The user I have used to connect is a OS user
--
madhukarmad84
------------------------------------------------------------------------
madhukarmad84's Profile: http://community.ingres.com/forum/member.php?userid=15372
Mike Leo
> Mike Leo wrote:
>
>> [snip] And in that department, they have strict IT best-practices
>> that
>> each account has to be approved through management, etc.
>
> Well playing the Devil's advocate for a moment, I could say that no
> resource is more sensitive nor more valuable than the business
> data. So
> is it any kind of best-practice to permit access to it without
> management approval and at least the same level of scrutiny as
> required for access to the spreadsheets and print servers?
>
> --
> Roy
>
Well, playing the Devil's advocate for a moment, how is spreading
your authentication concerns among several parties make it more secure?
I guess with that logic, we should make Ingres authentication even
MORE difficult to make it MORE secure.
Making Ingres harder to use is NOT a feature. No matter how much
management spin you through at it.
And it doesn't make it more secure.
I'm not sure I can sell my customers on Ingres saying that
"It is REALLY hard to setup and manage authentication, but it is WAY
more secure than SQL Server!"
Not only is that not going to fly, but the second half of the
statement is untrue.
Cheers,
Mikey
Roy Hann
> On Nov 19, 2009, at 8:16 AM, Roy Hann wrote:
>
>> Mike Leo wrote:
>>
>>> [snip] And in that department, they have strict IT best-practices
>>> that
>>> each account has to be approved through management, etc.
>>
>> Well playing the Devil's advocate for a moment, I could say that no
>> resource is more sensitive nor more valuable than the business
>> data. So
>> is it any kind of best-practice to permit access to it without
>> management approval and at least the same level of scrutiny as
>> required for access to the spreadsheets and print servers?
> Well, playing the Devil's advocate for a moment,
Great, now the Devil's advocates are arguing with each other. :-) He's
f***ed.
> how is spreading
> your authentication concerns among several parties make it more secure?
Good idea.
> I guess with that logic, we should make Ingres authentication even
> MORE difficult to make it MORE secure.
Well of course delegating authentication does introduce more moving
parts and perhaps more difficulty. It would be nice if the Ingres
system admin could choose between simple-and-vulnerable or
difficult-and-secure at install time. In all seriousness I *would* want
the secure option available, and if it has to be difficut, so be it.
> Making Ingres harder to use is NOT a feature. No matter how much
> management spin you through at it.
I think you are setting up a bit of a straw man there. Security and
authentication controls never make things easier, and no one ever tries
to pass off the difficulty as a benefit; it is usually considered a cost
or a necessary evil in return for security. (Gosh, I sound like one of
the robots who design airport security! Not sure I like that.)
> And it doesn't make it more secure.
Security by inconvenience isn't secure. But I struggle to think of an
effective security control that is convenient.
> I'm not sure I can sell my customers on Ingres saying that
>
> "It is REALLY hard to setup and manage authentication, but it is WAY
> more secure than SQL Server!"
Depends on the customer I guess. I have a couple who would be very
receptive to that kind of argument. But as I say, perhaps one should
have choice of difficulty/security.
> Not only is that not going to fly, but the second half of the
> statement is untrue.
I defer to your expertise on that one.
Grant Croker
> This is one of my biggest pet peeves. Why does
> Ingres require that you have either an OS account
> or some sort of directory service account (same thing)
> to let you connect to the database?
>
> This is madness. No other database requires this.
>
> This is part of the reason I can fire up a Linux stack and have
> developers
> coding against, deploying to, and testing on a MySQL or Postgres
> server in
> about 5 minutes.
>
> Why can you associate a password with the "Ingres user" if you can't
> even use
> it to authenticate remotely.
>
> Part of getting people to use your software is making it very easy to
> use.
> The authentication in Ingres is not only complicated, it is more
> LIMITED than
> any other DBMS.
>
>
http://community.ingres.com/wiki/DBMS_Authentication_Workarounds
g
--
Grant Croker, Ingres Corp
Ingres PHP and Ruby maintainer
http://blogs.planetingres.org/grant
Gods don't like people not doing much work. People who aren't busy all the time might start to think.
-- Terry Pratchett, Small Gods
Grant Croker
> On 18/11/09 20:01, Mike Leo wrote:
>> This is one of my biggest pet peeves. Why does
>> Ingres require that you have either an OS account
>> or some sort of directory service account (same thing)
>> to let you connect to the database?
>>
>> This is madness. No other database requires this.
>>
>> This is part of the reason I can fire up a Linux stack and have
>> developers
>> coding against, deploying to, and testing on a MySQL or Postgres
>> server in
>> about 5 minutes.
>>
>> Why can you associate a password with the "Ingres user" if you can't
>> even use
>> it to authenticate remotely.
>>
>> Part of getting people to use your software is making it very easy to
>> use.
>> The authentication in Ingres is not only complicated, it is more
>> LIMITED than
>> any other DBMS.
>>
> It is possible, see
> http://community.ingres.com/wiki/DBMS_Authentication_Workarounds
>
http://community.ingres.com/wiki/Remove_The_Need_For_Operating_System_User_and_Password
Mike Leo
On Nov 19, 2009, at 9:48 AM, Grant Croker wrote:
> On 18/11/09 20:01, Mike Leo wrote:
>> This is one of my biggest pet peeves. Why does
>> Ingres require that you have either an OS account
>> or some sort of directory service account (same thing)
>> to let you connect to the database?
>>
>> This is madness. No other database requires this.
>>
>> This is part of the reason I can fire up a Linux stack and have
>> developers
>> coding against, deploying to, and testing on a MySQL or Postgres
>> server in
>> about 5 minutes.
>>
>> Why can you associate a password with the "Ingres user" if you can't
>> even use
>> it to authenticate remotely.
>>
>> Part of getting people to use your software is making it very easy to
>> use.
>> The authentication in Ingres is not only complicated, it is more
>> LIMITED than
>> any other DBMS.
>>
>>
> It is possible, see http://community.ingres.com/wiki/DBMS_Authentication_Workarounds
>
> g
>
> --
> Grant Croker, Ingres Corp
Gang,
I've totally failed here. I'm not looking to avoid using a password.
I just want to, FROM SQL ONLY, create a REGULAR USER that can connect
remotely
using a username and password only.
CREATE USER mikey IDENTIFIED BY 'mikeypassword';
GRANT ALL ON DATABASE mikeysdatabase TO mikey;
I want to do it on one step, like every other database on the planet.
I'm not talking about an application server. I'm not talking about
saving 5
seconds for myself while setting up something for some developer.
I'm talking about a developer who wants to try out Ingres. He wants
to connect to his
Linux box and type:
sudo su - root
yum install ingres
service start ingres
createdb mydatabase
echo "CREATE USER mikey IDENTIFIED BY 'mikeypassword';GRANT ALL ON
DATABASE mikeysdatabase TO mikey; \\g" | sql iidbdb
All done. Developer can work. No questions asked. No understanding of
30 years of esoteric security requirements from a dozen operating
systems.
Mikey
Mike Leo
If I do this, can anyone connect as an Ingres super user without a
password? I mean locally?
I don't get it.
Mikey
Grant Croker
>
> I'm not sure I understand this. I read it twice.
>
> If I do this, can anyone connect as an Ingres super user without a
> password? I mean locally?
>
> I don't get it.
>
> Mikey
>
username. It was added whilst we were at CA to attempt to solve the
Ingres user = valid OS user problem for the CA products using Ingres.
g
Ingres Forums
madhukarmad84;28679 Wrote:
> Hi,
>
> When I try to conenct to a ingres DB through JDBC, I am getting the
> following error
>
>
> >
Code:
--------------------
> > SQLException : ca.edbc.util.EdbcEx: User authorization check failed.
> Your user identifier was not known to this installation.
> Contact your system manager for further assistance.
--------------------
> >
>
>
> Can someone help me in resolving the problem
Hi madhukarmad84,
As others may have alluded to, the problem is that the user specified
in the connection is not known to Ingres. For example if you are
connecting using the following JDBC URL
Code:
--------------------
jdbc:edbc://server:WV7/dbname;UID=bob;PWD=secret
--------------------
The message is saying that the user -bob- is not defined/does not exist
in Ingres. Like wise you would get the same message if passing the
username/password via a property.
Can you provide some more information about your setup? For example:
- Version of Ingres (see $II_SYSTEM/ingres/version.rel (UNIX) or
%II_SYSTEM%\ingres\version.rel (Windows))
- The application you are trying to connect with
If you have system administrator access for Ingres you can add your
user using one of the following commands:
UNIX:
Code:
--------------------
echo create user bob\\p\\g | sql iidbdb
--------------------
Windows:
Code:
--------------------
echo create user bob\p\g | sql iidbdb
--------------------
Changing -bob- to the user you are trying to connect as.
I hope this helps a bit more...
--
grant
------------------------------------------------------------------------
grant's Profile: http://community.ingres.com/forum/member.php?userid=37
Mike Leo
On Nov 19, 2009, at 10:40 AM, Grant Croker wrote:
> On 19/11/09 17:21, Mike Leo wrote:
>>
>> I'm not sure I understand this. I read it twice.
>>
>> If I do this, can anyone connect as an Ingres super user without a
>> password? I mean locally?
>>
>> I don't get it.
>>
>> Mikey
>>
> The null mechanism allows you to connect to Ingres using any valid
> username. It was added whilst we were at CA to attempt to solve the
> Ingres user = valid OS user problem for the CA products using Ingres.
>
> g
>
So ... what about the password? If I run the procedure you mention
do I need a password to connect to the user 'ingres' ?
It is still very unclear.
Mikey
Grant Croker
>
> So ... what about the password? If I run the procedure you mention
> do I need a password to connect to the user 'ingres' ?
>
> It is still very unclear.
>
As you are aware there are/can be two passwords for accessing Ingres
(ignoring roles), an OS validated password and a DBMS password setup
using accessdb or the CREATE/ALTER USER statement.
In a standard Ingres installation the GCF (General Comms Facility)
authentication mechanism will take the user/password pair supplied via
JDBC/.NET/ODBC/Python/PHP/Ruby/Ingres NET and validate it against the
operating system or an external source such LDAP/PAM. When the "null"
mechanism is used/enabled this OS/system password check does not happen.
All we do is verify that the user you are connecting as is a known
Ingres user. You would get the same effect I believe on UNIX/Linux if
you set II_SHADOW_PWD=/bin/true. With this setup you can connect to
Ingres as a known Ingres user, say 'ingres', and then proceed to take
over the world.
Adding a DBMS password when creating a user using:
CREATE USER mikey WITH PASSWORD = 'secret'
will require that the dbms password for mikey is presented at connect
time. Existing accounts can have password added using the statement:
ALTER USER mikey WITH PASSWORD = 'secret'
This in effect gives you the ability to authenticate against Ingres
directly without the need to have the user setup in the local operating
system or in a directory service such as AD or LDAP.
hope this is a bit clearer
regards
grant
--
Grant Croker, Ingres Corp
Ingres PHP and Ruby maintainer
http://blogs.planetingres.org/grant
If you put butter and salt on it, it tastes like salty butter.
-- Terry Pratchett, Moving Pictures (regarding popcorn)
Mike Leo
That is TREMENDOUSLY clear. A wiki entry in the making.
Thank you greatly,
Mikey