Informix


Informix and Single Sign-on Configuration

  • 1.  Informix and Single Sign-on Configuration

    Posted Mon April 27, 2020 03:16 PM
    Hello everyone,

    Can you please share your experience (good, bad, feedback, gotchas) with Informix Single Sign-on feature?

    I have always used the good old Unix/Linux host accounts that Informix has supported by default.  It looks like I cannot avoid single sign-on much longer, as I have a requirement to "make Informix authentication work like Microsoft SQL Server's integrated Windows Authentication".  I do need to be able to identify the client login back in the database in triggers etc., so I want to make sure the single sign-on feature does carry the client login all the way through (and this already generates a question for me about how the existing grants etc. would work and whether or not they would need to be re-done - I know, RTFM!).

    Thank you,

    Hal Maner
    M Systems International, Inc.


    #Informix


  • 2.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Tue April 28, 2020 09:37 AM

    Hey, Hal!

    I've been using it for a while now, because it really does simplify management once you get used to it. The big thing to understand is that when you set up PAM to work with IDS, "implicit connections" may not work for such connections in the way you might be used to. For people accessing from remote tools or programs, this isn't a problem. But it may give you grief with cron jobs and the like, as well as for users who have direct shell access. For this reason, I recommend setting up two listener ports, one that's PAM-enabled and one that uses the traditional connection methods. The latter will only work for service accounts (i.e., ones that are local to the machine and exist in /etc/passwd), but will come in handy for cron jobs and the like.

    It also gets tricky if you use the Connection Manager. For Connection Manager SLAs servicing PAM-enabled ports, you need to set up an encrypted password file using the onpassword utility so that the CM can connect via that port (since it must explicitly provide a username and password). See the doc for that. I'm not super-comfortable with it, but it is what it is.

    I'll save you some trouble and give you my ifmx-auth file, which should have pretty close to the bare necessities to get it to work:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_winbind.so use_first_pass
    auth required pam_deny.so
    
    account required pam_unix.so broken_shadow
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account required pam_permit.so

    You need to be careful here, because some of the default Linux PAM configuration files (e.g., password-auth) include a line that will cause the system to prompt for password changes when a password is set to expire, and IDS has no idea what to do with that request, so it just sends the password again -- which is promptly logged in clear text to the system log. That's, uhh, bad. The file above has that line removed and the issue is corrected for us now. ;)

    Then, when you've got that file created (/etc/pam.d/ifmx-auth on CentOS/Red Hat), you add this to the end of a pam-enabled sqlhosts entry:

    my-dbserver          onsoctcp        myhost.mydomain.com     my_service_entry       s=4,pam_serv=(ifmx-auth),pamauth=(password)


    Hope this helps, and şerefe!



    ------------------------------
    TOM GIRSCH
    ------------------------------
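    As an added example (not from the thread, from Tom, or from IBM), a small Python audit of the pitfalls described above: every pam_serv listener in sqlhosts should carry s=4 and a valid pamauth value, its pam_serv should name an existing /etc/pam.d file that, like the posted ifmx-auth, contains only auth and account lines (no 'password' group), and at least one traditional listener should remain for local service accounts and cron. The sqlhosts lines, hostnames and PAM file contents are constructed stand-ins for illustration.

```python
import re

# Constructed sqlhosts (placeholder hostnames) modelled on the posted entry: one
# PAM-enabled listener plus one traditional listener for local service accounts.
SQLHOSTS = """\
my-dbserver      onsoctcp  myhost.mydomain.com  my_service_entry  s=4,pam_serv=(ifmx-auth),pamauth=(password)
my-dbserver_loc  onsoctcp  myhost.mydomain.com  my_local_entry
"""
# Constructed stand-ins for /etc/pam.d files: the posted ifmx-auth has only auth and
# account lines, while a stock password-auth also carries a 'password' group.
PAM_FILES = {
    "ifmx-auth": "auth sufficient pam_unix.so nullok try_first_pass\n"
                 "account required pam_unix.so broken_shadow\n",
    "password-auth": "auth sufficient pam_unix.so\naccount required pam_unix.so\n"
                     "password sufficient pam_unix.so sha512 shadow use_authtok\n",
}
OPT_RE = re.compile(r"(\w+)=\(?([^,()]*)\)?")

def parse_options(field):
    """Split the fifth sqlhosts field, e.g. 's=4,pam_serv=(ifmx-auth)', into a dict."""
    return dict(OPT_RE.findall(field))

def audit(sqlhosts, pam_files):
    """Return (dbservername, finding) pairs for the PAM pitfalls described in the thread."""
    findings, pam_listeners, plain_listeners = [], 0, 0
    for line in sqlhosts.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        name = parts[0]
        opts = parse_options(parts[4]) if len(parts) == 5 else {}
        if "pam_serv" not in opts:
            plain_listeners += 1
            continue
        pam_listeners += 1
        if opts.get("s") != "4":
            findings.append((name, "PAM listener needs s=4 in its options field"))
        if opts.get("pamauth") not in ("password", "challenge"):
            findings.append((name, "pamauth must be (password) or (challenge)"))
        service = opts["pam_serv"]
        if service not in pam_files:
            findings.append((name, f"pam_serv=({service}) but no /etc/pam.d/{service}"))
            continue
        for pam_line in pam_files[service].splitlines():
            # 'password' group lines drive the change-password path IDS cannot answer.
            if pam_line.split()[:1] == ["password"]:
                findings.append((name, f"{service}: review 'password' line: {pam_line}"))
    if pam_listeners and not plain_listeners:
        findings.append(("*", "no traditional listener left for local service accounts and cron"))
    return findings
```

    Run against the real files by reading /etc/informix/sqlhosts (or $INFORMIXSQLHOSTS) and each /etc/pam.d entry into the two arguments.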



  • 3.  RE: Informix and Single Sign-on Configuration

    Posted Tue April 28, 2020 12:23 PM

    Thank you Tom!

    Hal





  • 4.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Tue April 28, 2020 10:18 AM
    Edited by System Fri January 20, 2023 04:51 PM

    I did a presentation in 2016 on getting this to work with Active Directory. Look it up or make Link go find it. :)

    Also, existing grants should be fine, but if you have a conflict between the passwd file and the AD it will behave unpredictably. So you'll probably need to delete the local accounts for anyone who's transitioning to SSO.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 5.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 03:05 AM
    Hi Tom,

    could you post a public link to your presentation? I just found two presentations you held at the IIUG conference 2018 and 2019 talking about other topics.

    Kind Regards

    ------------------------------
    Roland Wintgen
    DBA, Genero/4GL Developer
    EVG Martens GmbH & Co. KG
    Moenchengladbach
    ------------------------------



  • 6.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Wed April 29, 2020 09:14 AM

    IIUG rules do not allow you to provide a public link; the IIUG forced me to close down my website that shared the presentations, all indexed, searchable, etc.






  • 7.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 09:37 AM
    OK, but the slides for previous IIUG World events are available here (https://www.iiug.org/previous.php). So, in which year was the presentation held? Sorry, but I'm too lazy to search through all of the slides.

    Kind regards

    ------------------------------
    Roland Wintgen
    DBA, Genero/4GL Developer
    EVG Martens GmbH & Co. KG
    Moenchengladbach
    ------------------------------



  • 8.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 09:40 AM
    I also tried to find Tom's presentation and I could not.

    I also could not get it in LinkedIn, Tom, even though we are connected (maybe that is user error on my part, I don't know).

    Hal





  • 9.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 10:18 AM

    Folks,

    At IIUG, we are considering building a searchable space covering virtually all the IIUG Conf presentations.

    If you are in favour of such a functionality, please let us know.






  • 10.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Wed April 29, 2020 10:23 AM

    Had all that years ago but the IIUG made me take it down :)






  • 11.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 10:38 AM

    Yes, in favor (I would be surprised if anyone does not want this asap).

    Hal






  • 12.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Wed April 29, 2020 10:36 AM
    The year was 2016, but I don't have a way to share publicly.

    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 13.  RE: Informix and Single Sign-on Configuration

    IBM Champion
    Posted Wed April 29, 2020 10:49 AM

    Lookie there, I found it! Sometimes it pays to be a pack rat!

    Important updates since 2016:

    • On slide 7, do not use the password-auth method I list there, because it hits the security issue I mentioned above. Use the ifmx-auth I provided in my original reply.
    • Also, on slide 8, most modern installations don't require the gid-to-sid step. You can just put the name of the group in the require_membership_of line.
    • I'm glad I found this, because I forgot about the stuff on Slide 9!
    • The first part of Slide 10 may no longer be accurate in current releases. I'd like to learn from others here whether implicit connections work for you now.
    • Slide 11: you also need to install oddjob if it's not already installed.
    • Disregard Slides 12-13 entirely. It never worked all that well, and there's a much better way.

    Kinda looks like I need to update this presentation for the next IIUG, whenever that ends up being.

    ------------------------------
    TOM GIRSCH
    ------------------------------




  • 14.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 10:54 AM

    Thank you Tom!

    Hal






  • 15.  RE: Informix and Single Sign-on Configuration

    Posted Wed April 29, 2020 10:59 AM
    Great, thank you very much.

    Kind regards

    ------------------------------
    Roland Wintgen
    DBA, Genero/4GL Developer
    EVG Martens GmbH & Co. KG
    Moenchengladbach
    ------------------------------