Authentication Methods

  • 1.  Authentication Methods

    Posted Tue August 18, 2020 01:15 AM

    Hi,

    I have been trying to figure out methods to cover off a couple of security requirements but can't seem to come up with anything workable. So I was wondering if anyone else had resolved these types of issues without emptying their wallet or chewing off their arm.

    Apart from 3-tier appserver stuff I have:
    users who only access databases via ODBC who have an account on the underlying server, which is Solaris.
    users external to the organisation who also connect via ODBC and have accounts for password.

    The reason I make a distinction between the two is that internal users exist in our Active Directory and resolve to everything else including Linux with AD credentials. If I could make this work on Solaris then I would probably only be talking about the second case.

    External users will never be in our AD so they would have to have a separate system for managing expiring passwords etc. Because they can't log into the Solaris server they have no way to change their password even if we wanted them to.

    So I wondered if anyone had any ideas or methods they have used in the past.



    ------------------------------
    David Peters
    ------------------------------


  • 2.  RE: Authentication Methods

    Posted Tue August 18, 2020 10:10 AM
    Hi David.

    Your ODBC users don't have to exist in Solaris if your IDS version is new enough: see CREATE USER. You'll need an application where users can change their password, etc., otherwise administrators can do this in SQL.

    ------------------------------
    Doug Lawry
    Oninit Consulting
    ------------------------------
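An added illustration of the internal-user route Doug mentions (not from the thread and not IBM's own code): Informix 12.10 internal users created with CREATE USER, mapped to one unprivileged OS surrogate account so the ODBC user needs no Solaris login. The statement forms follow the IDS CREATE USER / ALTER USER reference as I recall it and should be checked against the documentation for the installed version; the user, password, table and surrogate names are constructed, and USERMAPPING is assumed to be enabled in onconfig.

```sql
-- Assumed: USERMAPPING is set to BASIC or ADMIN in onconfig, and a dedicated
-- unprivileged OS account (here 'ifxsurr') exists on Solaris to act as the
-- surrogate for all mapped users. All names and passwords below are made up.

-- External (customer) user with no Solaris account: the server checks the
-- stored password itself and runs the session as the surrogate OS user.
CREATE USER ext_cust01
    WITH PASSWORD 'Change-Me-On-First-Use!'
    PROPERTIES USER ifxsurr;

-- Grant only what the customer's ODBC application needs (least privilege).
GRANT CONNECT TO ext_cust01;
GRANT SELECT ON parcels TO ext_cust01;

-- Password rotation: run by an administrator, or by a small self-service
-- application that connects on the user's behalf, so expiry can be enforced
-- without the user ever logging into the OS.
ALTER USER ext_cust01 MODIFY PASSWORD 'New-Passphrase-2020!';

-- Suspend access without dropping the account and its grants, for example
-- when a customer contract lapses; reverse with ACCOUNT UNLOCK.
ALTER USER ext_cust01 ACCOUNT LOCK;
```

Because these users exist per instance, the same statements have to be replayed on every instance a user works across, which is the per-instance maintenance cost Andreas points out later in the thread.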



  • 3.  RE: Authentication Methods

    Posted Tue August 18, 2020 06:56 PM
    Edited by David Peters Tue August 18, 2020 06:58 PM

    Thanks Doug.

    I guess what I am really after is the ability to move the authentication for our Solaris-based instances to AD. Even after logging calls with Oracle and multiple rounds of testing and failure it seems that you would have to sell your soul to someone else's angel to make it work. (Or install some kind of bridge between the two). Their answer ultimately was to use LDAP which is a whole other kettle of fish.

    We have 70+ instances and most of our apps are 2-tier client/server spatial systems using ODBC. We have approximately 70 instances each of which have different users. One in particular has 300 external users. In other cases we have users that work across multiple instances and hence need to have the same password and expiry etc.

    I had read articles here and there about Informix having the ability to authenticate using PAM. In my mind this would allow us to abstract the Informix db authentication and the authentication provider, e.g. Solaris is set up to authenticate to AD and Informix is set up to authenticate through PAM on the OS.

    I had wondered if Informix on Linux would authenticate via PAM; however, getting off Solaris and onto Linux is a major exercise in itself.

    Our Informix version is 12.10.FC5.



    ------------------------------
    David Peters
    ------------------------------



  • 4.  RE: Authentication Methods

    Posted Wed August 19, 2020 05:46 AM
    Hi David.

    I'm not an expert on AD for Informix, but there should be others on this forum who are. Kerberos is used to integrate it and is covered in the IDS documentation:

    https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sec.doc/ids_sso_001.htm

    This also looks useful:

    https://render-prd-trops.events.ibm.com/sites/default/files/support/swg/dmgtech.nsf/0/85256dd00053125a85257643004db419/$FILE/IDS-SSO-Windows-AD.pdf

    ------------------------------
    Doug Lawry
    Oninit Consulting
    ------------------------------



  • 5.  RE: Authentication Methods

    Posted Wed August 19, 2020 08:47 AM
    If I'm reading this right you'd need LDAP on Solaris for your internal users, with AD being the LDAP server; with this the users could still log onto Solaris directly (if that's a requirement), the users would, from Informix' perspective, exist on Solaris with all required properties (user, pw, group(s), $HOME), so you might not even need any change on Informix level (no PAM required) - if the encrypted pw from the AD LDAP server uses the same encryption that Informix would use on the user-provided pw, so comparison can work.

    For those external users I think you first need to make up your mind where you'd want those to reside.
    Informix level users (CREATE USER) probably won't be the right choice as those users exist (and need to be maintained) per instance only.
    I'm finding it interesting, though, that those external users will never be in AD - why? Wouldn't a company have best control over externals through a centralized credentials system?

    ------------------------------
    Andreas Legner
    ------------------------------



  • 6.  RE: Authentication Methods

    Posted Thu August 20, 2020 12:30 AM
    Thanks guys.

    The reason that external users are not on the domain is that they are for all intents and purposes customers who use our data but do not have access to our network. Their only access is through a firewall that only allows the Informix ports through. If they were in AD then they would have no way to change their password if it expired.

    I think I am back to looking for LDAP servers or bridges that include password self-management.

    The SSO method listed does look interesting for internal users. I'll go research some more.

    ------------------------------
    David Peters
    ------------------------------