If I'm reading this right, you'd need LDAP on Solaris for your internal users, with AD being the LDAP server; with this the users could still log onto Solaris directly (if that's a requirement), the users would, from Informix's perspective, exist on Solaris with all required properties (user, pw, group(s), $HOME), so you might not even need any change on Informix level (no PAM required) - if the encrypted pw from the AD LDAP server uses the same encryption that Informix would use on the user-provided pw, so the comparison can work.
For those external users I think you first need to make up your mind where you'd want those to reside.
Informix level users (CREATE USER) probably won't be the right choice as those users exist (and need to be maintained) per instance only.
I'm finding it interesting, though, that those external users will never be in AD - why? Wouldn't a company have best control over externals through centralized credentials system?
------------------------------
Andreas Legner
------------------------------
Original Message:
Sent: Tue August 18, 2020 06:56 PM
From: David Peters
Subject: Authentication Methods
Thanks Doug.
I guess what I am really after is the ability to move the authentication for our Solaris-based instances to AD. Even after logging calls with Oracle and multiple rounds of testing and failure it seems that you would have to sell your soul to someone else's angel to make it work (or install some kind of bridge between the two). Their answer ultimately was to use LDAP, which is a whole other kettle of fish.
We have 70+ instances and most of our apps are 2-tier client/server spatial systems using ODBC. We have approximately 70 instances, each of which has different users. One in particular has 300 external users. In other cases we have users that work across multiple instances and hence need to have the same password and expiry etc.
I had read articles here and there about Informix having the ability to authenticate using PAM. In my mind this would allow us to abstract the Informix db authentication and the authentication provider, e.g. Solaris is set up to authenticate to AD and Informix is set up to authenticate through PAM on the OS.
I had wondered if Informix on Linux would authenticate via PAM; however, getting off Solaris and onto Linux is a major exercise in itself.
Our Informix version is 12.10.FC5
------------------------------
David Peters
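The PAM route David describes (Solaris authenticating to AD, Informix deferring to the OS PAM stack), as an added configuration sketch that is not from this thread or from IBM: the sqlhosts options field switches one listener to PAM, and the named PAM service then decides where the password is actually checked. The server name, host, port, file paths, PAM service name and the LDAP PAM module name are assumptions; only the s=4 / pam_serv / pamauth options are documented Informix settings.

```text
# $INFORMIXDIR/etc/sqlhosts  (server/host/port names are assumptions)
# s=4 turns on PAM for this listener; pam_serv names the PAM service to call;
# pamauth=(password) means the client supplies a plain password rather than
# answering a challenge.
ol_gis_db   onsoctcp   solaris-db01   9088   s=4,pam_serv=(informix_ad),pamauth=(password)

# PAM service file for the name given in pam_serv (pam.d layout as on
# Solaris 11 / Linux; the LDAP module name is an assumption and must match
# what your OS ships).  Only auth and account are consulted by Informix.
auth     required   pam_ldap.so
account  required   pam_ldap.so
```

Because pamauth=(password) carries the user's password over the client connection, the ODBC sessions should also be encrypted (e.g. via Informix's encryption CSM), otherwise the AD credential is exposed on the wire.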
Original Message:
Sent: Tue August 18, 2020 10:09 AM
From: Doug Lawry
Subject: Authentication Methods
Hi David.
Your ODBC users don't have to exist in Solaris if your IDS version is new enough: see CREATE USER. You'll need an application where users can change their password, etc., otherwise administrators can do this in SQL.
------------------------------
Doug Lawry
Oninit Consulting
Original Message:
Sent: Tue August 18, 2020 01:14 AM
From: David Peters
Subject: Authentication Methods
Hi,
I have been trying to figure out methods to cover off a couple of security requirements but can't seem to come up with anything workable. So I was wondering if anyone else had resolved these types of issues without emptying their wallet or chewing off their arm.
Apart from 3 tier appserver stuff I have:
users who only access databases via ODBC who have an account on the underlying server, which is Solaris.
users external to the organisation who also connect via ODBC and have accounts for password.
The reason I make a distinction between the two is that internal users exist in our Active Directory and resolve to everything else, including Linux, with AD credentials. If I could make this work on Solaris then I would probably only be talking about the second case.
External users will never be in our AD, so they would have to have a separate system for managing expiring passwords etc. Because they can't log into the Solaris server they have no way to change their password even if we wanted them to.
So I wondered if anyone had any ideas or methods they have used in the past.
------------------------------
David Peters
------------------------------
#Informix