Hi all,

I am going to set up SSO authentication for Informix ODBC connections on AIX. I followed a lot of instructions to configure PAM (pam_serv, pamauth, s=4) or Kerberos (CSM, s=7), but they failed, so I appreciate any help on my project.

I stopped proceeding with this manual (http://informix-technology.blogspot.com/2007/11/informix-user-authentication-pam-for.html) due to the deprecated SFU (Services For UNIX package) since Windows Server 2012, so I need an alternative to achieve my goal.

Some time ago I already implemented Kerberos for OS authentication against Active Directory and would like to implement the same or a similar method for ODBC. Each attempt using ODBC failed to connect.

Would you recommend using PAM or Kerberos to tie in ODBC? Or do you have other suggestions? Is there a possibility to combine PAM and KRB5?

Some system details:
AIX 7.2 + KRB5 authentication (working fine)
Informix 12.1 + instance for trial and error

When necessary I'll provide my configurations (methods, sqlhosts, onconfig, env or whatever else you need).

Best regards,
Theo (Pilk)
Hi,

Returned from Whatsapp... I read the post several times, and each time I get the same feeling: I'm confused. And it's not really your fault, except on one point: you don't mention your needs, just what you tried or intend to try. And you have several concepts in your post, and then there are others that may be good to bring to the table. Let me try to break it into smaller parts...

1) Single sign-on is for people who don't want to keep inserting the same password for each application. This seems a no-brainer (is there anyone who likes to repeat the authentication?!) but it's usually much more complex to set up. I don't think I ever heard about SSO without Kerberos.

2) PAM is a flexible framework for authentication. It uses a stack of modules, each doing some "simple" validation, and the final result depends on the configuration for each module and the success of each one.

3) The article you mention is a simple example of using PAM for authentication against an LDAP server (in particular Active Directory). It doesn't cover single sign-on. SFU was required at the time to add the "unix attributes" to the LDAP structure of Active Directory. It's not clear to me if current AD versions already include it or not, but if you have AIX authenticating in AD, that's probably solved.

4) Informix traditionally has the need that the user is recognized by the operating system. This comes from the need to have the user identity for at least three actions:
a) SYSTEM() stored procedure command
b) Debug file creation in stored procedures (when using TRACE)
c) SET EXPLAIN files
This means, again traditionally, that even if you configure authentication externally (PAM), it will fail if the OS doesn't recognize the user.
The reason why I mention "traditionally" is because in 11.7 (xC3 I think) this changed, as we have the ability to create mapped users (internal users, which can have external authentication, and which we can "map" to OS user(s)).

5) You ask if PAM and Kerberos can be configured together... I never configured Informix for SSO with Kerberos, but assuming there's a Kerberos PAM module (I'm sure it exists) I'd say it would be possible, as long as the Kerberos protocol doesn't need anything from the client. But this would need to be proven...

Now.... Before you start showing configs or making further tests I would suggest you decide which path to go:
1) Do you need/want to avoid password insertion at the Informix application? That would mean SSO. Or do you simply want to avoid creating the users locally?
2) Does your application use the end user name to authenticate on the database?
3) If you want/need SSO, do you want to "enrich" your authentication protocol to do something fancy like forcing different criteria for the authentication to complete (besides the user/password, things like "this user cannot connect outside business hours", or "I want to deny auth to users in a specific file", etc.)? Yes to this would point to PAM.

For "simple" SSO with Kerberos you should follow the links:
https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sec.doc/ids_sso_004.htm#ids_sso_004
https://www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.ibm.sec.doc/ids_sso_012.htm
This doesn't use PAM.

If you feel you need to use PAM, I would first try to set up "simple" PAM against AD, and the article may help. Once you understand how PAM works, you can try to add the Kerberos module.

NEVER TEST PAM within the database server. Always use an external client to test it.

Unfortunately I don't have an AD to run tests against...

Waiting for further feedback.
Regards.
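Both posts hinge on which authentication path each sqlhosts entry actually selects: the question lists PAM (s=4 with pam_serv and pamauth) and Kerberos via a CSM (s=7 with csm=(GSSCSM)), and the reply asks the poster to pick one path before comparing configs. The script below is an added example, not code from the thread or from IBM: it parses the five-column sqlhosts layout (dbservername, nettype, hostname, servicename, options), reports the path each entry selects using only the option names that appear in the question, and flags entries where one half of the pair is missing, which is the kind of inconsistency that produces "each attempt failed to connect" with no obvious cause. The sample sqlhosts content, the server names, the host name db01.example and the PAM service name pam_informix are all constructed placeholders; the interpretation of s=4 and s=7 follows the thread, and any other s= value is reported as-is rather than interpreted.

```python
"""Audit the authentication options in an Informix sqlhosts file.

Added example for this thread; not IBM's code. Interprets s=4 (PAM) and
s=7 (Kerberos SSO via csm=(GSSCSM)) as the original question describes them.
"""

# Constructed sample sqlhosts content: placeholder names, not a real site.
SAMPLE_SQLHOSTS = """\
# dbservername  nettype   hostname        servicename  options
ids_plain       onsoctcp  db01.example    9088
ids_pam         onsoctcp  db01.example    9089  s=4,pam_serv=(pam_informix),pamauth=(password)
ids_pam_broken  onsoctcp  db01.example    9090  s=4,pamauth=(password)
ids_sso         onsoctcp  db01.example    9091  s=7,csm=(GSSCSM)
ids_sso_broken  onsoctcp  db01.example    9092  s=7
"""


def split_options(field):
    """Split the options column on commas outside parentheses, so values such
    as csm=(GSSCSM) or pam_serv=(name) stay intact. Returns {key: value} with
    the parenthesised wrapper removed from each value."""
    tokens, depth, cur = [], 0, []
    for ch in field:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    opts = {}
    for tok in tokens:
        key, _, val = tok.strip().partition("=")
        opts[key] = val.strip("()")
    return opts


def parse_sqlhosts(text):
    """Return one dict per non-comment, non-blank sqlhosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        cols = line.split(None, 4)            # fifth column is the options field
        if len(cols) < 4:
            entries.append({"name": cols[0], "error": "fewer than four columns"})
            continue
        name, nettype, host, service = cols[:4]
        opts = split_options(cols[4]) if len(cols) == 5 else {}
        entries.append({"name": name, "nettype": nettype, "host": host,
                        "service": service, "options": opts})
    return entries


def classify(entry):
    """Return (mode, problems) for an entry.

    mode is 'os' when no s= option is set (the server's default user lookup),
    'pam' for s=4, 'sso' for s=7; any other s= value is returned verbatim.
    problems lists the companion options the thread pairs with each mode."""
    opts = entry.get("options", {})
    problems = []
    s = opts.get("s")
    if s is None:
        return "os", problems
    if s == "4":
        # PAM entries need a service name and a pamauth mode to be usable
        if "pam_serv" not in opts:
            problems.append("s=4 without pam_serv=(service)")
        if "pamauth" not in opts:
            problems.append("s=4 without pamauth=(password|challenge)")
        return "pam", problems
    if s == "7":
        if opts.get("csm") != "GSSCSM":
            problems.append("s=7 without csm=(GSSCSM)")
        return "sso", problems
    return "s=" + s, problems


def audit(text):
    """Map dbservername -> (mode, problems) for every well-formed entry."""
    return {e["name"]: classify(e) for e in parse_sqlhosts(text) if "error" not in e}


if __name__ == "__main__":
    for name, (mode, problems) in audit(SAMPLE_SQLHOSTS).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name:16} {mode:5} {status}")
```

Run it as-is to see the five sample entries classified, or replace SAMPLE_SQLHOSTS with the contents of the real sqlhosts file (the one the question offers to share) to get the same report for every configured server. The split on commas outside parentheses matters because the option values themselves are parenthesised; a naive split would mangle pam_serv=(name). The check is deliberately local to the file: a pam_serv name that parses cleanly still has to match a PAM service definition on the database host, which this script does not inspect.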