Archive for June, 2012

Authenticating Internal Users with PAM

User authentication can be a relatively complex issue when it comes to home-grown information systems. You usually need some sort of directory to hold the user data and handle the actual authentication, and you need Informix (or the OS) to be aware of those users somehow. This became much easier with the internal users feature, which was introduced in 11.7.
Assuming that you have a PAM module on your system used to authenticate users, here's a quick to-do list on how to set up user management using the internal users feature on Unix. The same procedure on Linux differs in the OS PAM configuration and user handling. You'll need root access in order to create the user and edit the allowed.surrogates and pam.conf files.

First, we're going to configure internal users. Enable the feature in your onconfig by setting:

USERMAPPING BASIC

Do not set this parameter to ADMIN unless you want to give some of the authenticated users administrative privileges.

Now we need a surrogate user. That's an OS user whose system properties all authenticated users will take on:

useradd -d /home/ifxsurr -s /bin/sh ifxsurr

Specify that this user can be used as a surrogate for Informix:

mkdir /etc/informix
cd /etc/informix
vi allowed.surrogates

Put this single line in the file:

USERS:ifxsurr

And set the read permissions:

chmod 644 allowed.surrogates

To use PAM authentication, you need a PAM module on your machine. Let's say the library is /opt/mycompany/lib/mypam.so.

Create a DBSERVERALIAS to be used for PAM authentication. Add a new alias in the onconfig file:

DBSERVERALIASES myserver_pam

Now add a new line to your $INFORMIXSQLHOSTS file (we're going to use PAM only for password authentication):

myserver_pam   protocol   ip   port   s=4,pam_serv=(ids_pam_service),pamauth=(password)

This service should be added to the PAM configuration file (/etc/pam.conf). Make sure to add both the auth and account facilities (thanks to Dave Desautels for pointing this out):

ids_pam_service auth sufficient /opt/mycompany/lib/mypam.so
ids_pam_service account sufficient /opt/mycompany/lib/mypam.so

That's it for the configuration. The only thing left to do now is to add users and grant them the appropriate permissions.

CREATE USER "john.doe@example.com" with properties user "ifxsurr";
GRANT CONNECT TO "john.doe@example.com";
...
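Once the three files are in place, it is worth verifying them together, since a surrogate file that is writable by others, an alias that does not point at the PAM service, or a pam.conf with only the auth facility each break the setup quietly. The following script is an added example and not part of the original post; it uses the service name, alias, surrogate user and module path from the post, and constructs its own sample files (host name and port are placeholders) so it runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity checks for the surrogate
# and PAM configuration built above. Service name, alias, surrogate user and
# module path are the ones used in the post; the sample files are constructed
# here so the script runs offline. Point the paths at
# /etc/informix/allowed.surrogates, /etc/pam.conf and $INFORMIXSQLHOSTS to
# check a live system.

# allowed.surrogates must list the user in its USERS: line and must not be
# writable by group or others: anyone who can edit it can add surrogates.
check_surrogates() {            # usage: check_surrogates FILE USER
    grep -Eq "^USERS:([^,]*,)*$2(,|\$)" "$1" || return 1
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# pam.conf needs BOTH an auth and an account entry for the service, each
# pointing at the same module; a missing account line is the usual mistake.
check_pam() {                   # usage: check_pam FILE SERVICE MODULE
    for fac in auth account; do
        grep -Eq "^[[:space:]]*$2[[:space:]]+$fac[[:space:]]+[a-z]+[[:space:]]+$3" "$1" \
            || return 1
    done
}

# The sqlhosts alias must be a PAM alias (s=4) that names the same service.
check_sqlhosts() {              # usage: check_sqlhosts FILE ALIAS SERVICE
    line=$(grep -E "^[[:space:]]*$2[[:space:]]" "$1") || return 1
    case "$line" in
        *s=4*pam_serv=\($3\)*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample files (host and port are placeholders); pam.missing
# reproduces the "forgot the account facility" case.
WORK=$(mktemp -d)
printf 'USERS:ifxsurr\n' > "$WORK/allowed.surrogates"
chmod 644 "$WORK/allowed.surrogates"
printf '%s\n' 'ids_pam_service auth sufficient /opt/mycompany/lib/mypam.so' \
              'ids_pam_service account sufficient /opt/mycompany/lib/mypam.so' > "$WORK/pam.good"
printf '%s\n' 'ids_pam_service auth sufficient /opt/mycompany/lib/mypam.so' > "$WORK/pam.missing"
printf '%s\n' 'myserver_pam onsoctcp dbhost 9088 s=4,pam_serv=(ids_pam_service),pamauth=(password)' > "$WORK/sqlhosts"

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report check_surrogates "$WORK/allowed.surrogates" ifxsurr
report check_pam "$WORK/pam.good" ids_pam_service /opt/mycompany/lib/mypam.so
report check_pam "$WORK/pam.missing" ids_pam_service /opt/mycompany/lib/mypam.so
report check_sqlhosts "$WORK/sqlhosts" myserver_pam ids_pam_service
```

The pam.missing check is expected to report FAIL; the other three report OK.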

Now, imagine that you have a PAM module that can authenticate against some external service (e.g. a Google or Facebook account). If your business policy would allow it, this seems like a nice way to avoid the user authentication part of the system altogether…
