This is a discussion on Re: ODBC credentials and/or PAM within the Informix forums, part of the Database Server Software category.
>From: Ramesh G Srinivasan <ramesrin@in.ibm.com>
>Return-Path: informix-list-bounces@iiug.org
>X-OriginalArrivalTime: 21 Mar 2007 05:21:34.0433 (UTC)
>FILETIME=[CAB31510:01C76B78]
>
>Andrew,
>
>There is support for Informix on PAM.
>

Sort of. Depends on which version of the engine you happen to be running. I found out the hard way that IDS 10.0 didn't support 64bit PAM.

>The pre-req for using PAM is:
>
>1) make an entry in sqlhosts file
>2) write a module and register it on server side
>3) call the module from client.
>

Well that's the "high" level story, but I don't think it will help you very much.

First, you didn't say what version of IDS, and which OS platform the engine was on.

Second.... "Write a module and register it on the server side" is a bit simplistic.

The user is on PC A. Your Windows network authentication is being done on Server A. IDS is running on a UNIX/Linux server (Server B).

When you connect to IDS, you are going to be asked for an ID and a password. IDS will then authenticate via PAM or the OS depending on the settings in $INFORMIXDIR/etc/sql.hosts

If it's PAM, then your module will have to either interrogate the Windows Network Server with the username/password, or the token information indicating that USER A has already been authenticated and logged in.

So the communication between your PC and IDS is not going to be straightforward. Then the communication between the PAM module and your Windows authentication server is also not so crystal clear. (You're asking that the user logs in to his PC and then when he wants to run an application from his PC, he doesn't have to reauthenticate in order to run.)

I would suggest you break this down into two problems.

1) Having IDS use PAM to interrogate the Windows authentication system using a given user name and password.
2) Having the same system pass in some sort of authentication token to validate against.

The beauty of PAM, you can create or screw up your own security as much as you like. ;-)

-G

PS. What happens if someone logs in to their PC and then walks away? ;-)
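The first two prerequisites quoted in the post above (the sqlhosts entry and registering a module on the server side), sketched as an added configuration example that is not part of the original thread. The server names, host name, port numbers and PAM service name are constructed placeholders, a Linux-PAM layout under /etc/pam.d is assumed, and pam_unix.so only stands in for whatever module would query the Windows authentication server.

```conf
# Added illustration, not from the thread. Names, host and ports are placeholders.

# == $INFORMIXDIR/etc/sqlhosts on the IDS host (Server B) ==
# dbservername  nettype   hostname  service  options
ids_os          onsoctcp  serverb   9088
ids_pam         onsoctcp  serverb   9089     s=4,pam_serv=(ids_pam),pamauth=(password)
#   s=4      : connections to this server name are authenticated through PAM
#   pam_serv : PAM service name, i.e. the stack defined in /etc/pam.d/ids_pam below
#   pamauth  : password  = the password sent by the client is passed to the stack
#              challenge = the stack may ask questions the client application must answer
# Both names must also be known to the instance (DBSERVERNAME / DBSERVERALIASES in onconfig).

# == /etc/pam.d/ids_pam on Server B (assumed Linux-PAM layout) ==
# Whatever module is listed here makes the actual decision. pam_unix.so is a stand-in:
# with it, this stack checks the same local accounts the OS would.
auth     required  pam_unix.so
account  required  pam_unix.so
```

Keeping a separate non-PAM server name (ids_os here) means the PAM stack can be changed and tested without touching the existing connection path.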
Ian Michael Gumby wrote:
>> From: Ramesh G Srinivasan <ramesrin@in.ibm.com>
>>
>> There is support for Informix on PAM.
>
> Sort of.
> Depends on which version of the engine you happen to be running.
> I found out the hard way that IDS 10.0 didn't support 64bit PAM.

Not generally true - I believe that there was one platform (either HP-UX or AIX) of which that was true, and that was mostly oversight rather than any major technical reason.

--
Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2005.02 -- http://dbi.perl.org/
Jonathan Leffler wrote:
> Ian Michael Gumby wrote:
>>> From: Ramesh G Srinivasan <ramesrin@in.ibm.com>
>>>
>>> There is support for Informix on PAM.
>>
>> Sort of.
>> Depends on which version of the engine you happen to be running.
>> I found out the hard way that IDS 10.0 didn't support 64bit PAM.
>
> Not generally true - I believe that there was one platform (either HP-UX
> or AIX) of which that was true, and that was mostly oversight rather
> than any major technical reason.
>

AFAIK all latest 10.00 (FC6) versions support PAM in AIX, HP-UX (Itanium and PA), SUN, Linux...

--
Fernando Nunes
Portugal
http://informix-technology.blogspot.com
My email works... but I don't check it frequently...