Join IIUG
 for   
 

Informix News
18 Nov 13 - ZDNet - Top 20 mobile skills in demand... Read
09 Sep 13 - telecompaper - Shaspa and Tatung have shown a new smart home platform at Ifa in Berlin. Powered by the IBM Informix software... Read
06 Sep 13 - IBM data magazine - Mission Accomplished - Miami, Florida will be the backdrop for the 2014 IIUG Informix Conference... Read
01 Feb 13 - IBM Data Magazine - Are your database backups safe? Lester Knutsen (IBM Champion) writes about database back up safety using "archecker"... Read
14 Nov 12 - IBM - IBM's Big Data For Smart Grid Goes Live In Texas... Read
3 Oct 12 - The Financial - IBM and TransWorks Collaborate to Help Louisiana-Pacific Corporation Achieve Supply Chain Efficiency... Read
28 Aug 12 - techCLOUD9 - Splunk kicks up a SaaS Storm... Read
10 Aug 12 - businessCLOUD9 - Is this the other half of Cloud monitoring?... Read
3 Aug 12 - IBM data management - Supercharging the data warehouse while keeping costs down IBM Informix Warehouse Accelerator (IWA) delivers superior performance for in-memory analytics processing... Read
2 Aug 12 - channelbiz - Oninit Group launches Pay Per Pulse cloud-based service... Read
28 May 12 - Bloor - David Norfolk on the recent Informix benchmark "pretty impressive results"... Read
23 May 12 - DBTA - Informix Genero: A Way to Modernize Informix 4GL Applications... Read
9 Apr 12 - Mastering Data Management - Upping the Informix Ante: Advanced Data Tools... Read
22 Mar 12 - developerWorks - Optimizing Informix database access... Read
14 Mar 12 - BernieSpang.com - International Informix User Group set to meet in San Diego... Read
1 Mar 12 - IBM Data Management - IIUG Heads West for 2012 - Get ready for sun and sand in San Diego... Read
1 Mar 12 - IBM Data Management - Running Informix on Solid-State Drives.Speed Up Database Access... Read
26 Feb 12 - BernieSpan.com - Better results, lower cost for a broad set of new IBM clients and partners... Read
24 Feb 12 - developerWorks - Informix Warehouse Accelerator: Continuous Acceleration during Data Refresh... Read
6 Feb 12 - PRLOG - Informix port delivers unlimited database scalability for popular SaaS application ... Read
2 Feb 12 - developerWorks - Loading data with the IBM Informix TimeSeries Plug-in for Data Studio... Read
1 Feb 12 - developerWorks - 100 Tech Tips, #47: Log-in to Fix Central... Read
13 Jan 12 - MC Press online - Informix Dynamic Server Entices New Users with Free Production Edition ... Read
11 Jan 12 - Computerworld - Ecologic Analytics and Landis+Gyr -- Suitors Decide to Tie the Knot... Read
9 Jan 12 - planetIDS.com - DNS impact on Informix / Impacto do DNS no Informix... Read
8 Sep 11 - TMCnet.com - IBM Offers Database Solution to Enable Smart Meter Data Capture... Read
1 Aug 11 - IBM Data Management Magazine - IIUG user view: Happy 10th anniversary to IBM and Informix... Read
8 Jul 11 - Database Trends and Applications - Managing Time Series Data with Informix... Read
31 May 11 - Smart Grid - The meter data management pitfall utilities are overlooking... Read
27 May 11 - IBM Data Management Magazine - IIUG user view: Big data, big time ( Series data, warehouse acceleration, and 4GLs )... Read
16 May 11 - Business Wire - HiT Software Announces DBMoto for Enterprise Integration, Adds Informix. Log-based Change Data Capture... Read
21 Mar 11 - Yahoo! Finance - IBM and Cable&Wireless Worldwide Announce UK Smart Energy Cloud... Read
14 Mar 11 - MarketWatch - Fuzzy Logix and IBM Unveil In-Database Analytics for IBM Informix... Read
11 Mar 11 - InvestorPlace - It's Time to Give IBM Props: How many tech stocks are up 53% since the dot-com boom?... Read
9 Mar 11 - DBTA - Database Administration and the Goal of Diminishing Downtime... Read
2 Feb 11 - DBTAs - Informix 11.7 Flexible Grid Provides a Different Way of Looking at Database Servers... Read
27 Jan 11 - exactsolutions - Exact to Add Informix Support to Database Replay, SQL Monitoring Solutions... Read
25 Jan 11 - PR Newswire - Bank of China in the UK Works With IBM to Become a Smarter, Greener Bank... Read
12 Oct 10 - Database Trends and Applications - Informix 11.7: The Beginning of the Next Decade of IBM Informix... Read
20 Sep 10 - planetIDS.com - ITG analyst paper: Cost/Benefit case for IBM Informix as compared to Microsoft SQL Server... Read
20 Jul 10 - IBM Announcements - IBM Informix Choice Edition V11.50 helps deploy low-cost scalable and reliable solutions for Apple Macintosh and Microsoft Windows... Read
20 Jul 10 - IBM Announcements - Software withdrawal: Elite Support for Informix Ultimate-C Edition... Read
24 May 10 - eWeek Europe - IBM Supplies Database Tech For EU Smart Grid... Read
23 May 10 - SiliconIndia - IBM's smart metering system allows wise use of energy... Read
21 May 10 - CNET - IBM to help people monitor energy use... Read
20 May 10 - ebiz - IBM Teams With Hildebrand To Bring Smart Metering To Homes Across Britain... Read
19 May 10 - The New Blog Times - Misurare il consumo energetico: DEHEMS è pronto... Read
19 May 10 - ZDNet - IBM software in your home? Pact enables five-city smart meter pilot in Europe... Read
17 March 10 - ZDNet (blog) David Morgenstern - TCO: New research finds Macs in the enterprise easier, cheaper to manage than... Read
17 March 2010 - Virtualization Review - ...key components of Big Blue's platform to the commercial cloud such as its WebSphere suite of application ser vers and its DB2 and Informix databases... Read
10 February 2010 - The Wall Street Journal - International Business Machines is expanding an initiative to win over students and professors on its products. How do they lure the college crowd?... Read


End of Support Dates

IIUG on Facebook IIUG on Twitter

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum

RE: how to setup PAM Kerberose on IDS 10.FC6

Posted By: Jim Cramer
Date: Wednesday, 23 May 2007, at 11:59 a.m.

In Response To: RE: how to setup PAM Kerberose on IDS 10.FC6 (Nilesh Ozarkar)

Nilesh,

You are right. The change that you suggest is a better
way to test if PAM is functioning with pam_unix (/etc/passwd
file) as the authetication service and, at the same time,
to test if the Kerberos authentication service is also working.

Thank you for pointing that out.

I just found out what is going on and why PAM on the IDS 10.x
server was not working. Please see my next post, which is
a reply to an earlier post of yours on this topic.

Regards,

Jim

> -----Original Message-----
> From: ids-bounces@iiug.org [mailto:ids-bounces@iiug.org] On
> Behalf Of Nilesh Ozarkar
> Sent: Monday, May 21, 2007 6:31 PM
> To: ids@iiug.org
> Subject: RE: how to setup PAM Kerberose on IDS 10.FC6 [9208]
>
> Hi Jim,
>
> Looking at your /etc/pam.conf I see that pam_pass service is
> stacked (same service name with 3 entries) and control_flag
> (3rd field - which determines the behavior of stacking) is
> set to 'required' for all. So if any one of that module fails
> PAM will return failure. I suggest you update control_flag
> for Kerberos module to 'optional' that way even if it fails
> it's error is ignored and your basic test to validate PAM in
> password mode using pam_unix will succeed.
>
> > pam_pass auth required libpam_hpsec.so.1 debug pam_pass
> auth required
> > libpam_unix.so.1 debug pam_pass auth required libpam_krb5.so.1 debug
>
> change to
>
> > pam_pass auth required libpam_hpsec.so.1 debug pam_pass
> auth required
> > libpam_unix.so.1 debug pam_pass auth optional libpam_krb5.so.1 debug
>
> For more details on stacking and control_flag refer to 'man pam.conf'
>
> Regards,
>
> Nilesh
>
> ids-bounces@iiug.org wrote on 05/18/2007 03:58:49 PM:
>
> > Hi Nilesh (or Martin F, or anyone who has used PAM with IDS),
> >
> > Thanks for answering my question about PAM and for the
> suggestion of
> > using libpam_unix.so and the /etc/password as a test that the basic
> > PAM framework functionality is working before I move on to trying
> > krb5.
> >
> > Unfortunately, this test did not work. In fact, I have
> added the debug
> > keyword after my PAM library in pam.conf and I have configured my
> > syslog.conf file to log DEBUG-level messages.
> > When I then connect to the server I do not get any messages
> logged in
> > syslog.log. It is as though IDS is not even trying to use
> PAM. I must
> > be missing something basic here. Can you help?
> >
> > Here is the hpux 11.23 Itanium /etc/pam.conf configuration I used
> > (note, I do have the TAB character after pam_pass and after
> > "auth_required":
> > pam_pass auth required libpam_hpsec.so.1 debug pam_pass
> auth required
> > libpam_unix.so.1 debug pam_pass auth required libpam_krb5.so.1 debug
> >
> > and here is my sqlhosts entry:
> > tidsidcard onsoctcp xxx.xxx.xx.xx sqltidsidcard
> > s=4,pam_serv=(pam_pass),pamauth=(password)
> >
> > Also, at the end of your message below you said:
> > "BTW, what type of client you are using (ESQLC/ODBC/JDBC) ?
> does that
> > client version support PAM or not ? "
> >
> > but you also said in response to my point (3) below that if
> I am using
> > PAM Password Mode and my client explicitly connects with
> the password,
> > that my client does not need any modifications to support
> PAM in this
> > way.
> >
> > Your "BTW..." stmt seems to contradict what you said in
> your answer to
> > (3). I am probably just confused.
> >
> > I am trying to test PAM with the I-Connect and DBPing from Windows
> > CSDK 2.70.
> >
> > Again, even though that version is old and does not
> "support PAM", it
> > should not have to unless I use PAM Challenge Mode.
> >
> > Is my understanding of this still correct?
> >
> > Thank you for your help,
> >
> > Jim Cramer
> > Univ of Iowa
> >
> > > -----Original Message-----
> > > From: ids-bounces@iiug.org [mailto:ids-bounces@iiug.org]
> On Behalf
> > > Of Nilesh Ozarkar
> > > Sent: Wednesday, May 09, 2007 10:31 PM
> > > To: ids@iiug.org
> > > Subject: Re: how to setup PAM Kerberose on IDS 10.FC6 [9112]
> > >
> > > ids-bounces@iiug.org wrote on 05/09/2007 01:49:46 PM:
> > >
> > > > Hi Martin Fuerderer (and anyone else who is kind enough
> > > >
> > > > to help out),
> > > >
> > > > Last Oct, you posted the below note to the ids@iiug list
> > > about how to
> > > > setup PAM for Informix IDS server.
> > > >
> > > > I am trying to get PAM working on IDS and need some help.
> > > > I have tried but keep getting this message in online.log:
> > > > "listener-thread: err = -952: oserr = 0: errstr =
> > > >
> > > > jcramer@a-coe002.engr.uiowa.edu: User
> > > >
> > > > (jcramer@a-coe002.engr.uiowa.edu)'s
> > > >
> > > > password is not correct for the database server."
> > > >
> > > > I am using:
> > > > IDS 10.00.FC6
> > > > HP-UX B.11.23 U ia64
> > > >
> > > > 1) I am trying to use pam_krb5 authentication via our Kerberos
> > > > Security Server
> > > >
> > > > 2) I am trying to use IDS in the PAM "Simple Password
> > > Authentication"
> > > > pamauth mode
> > > >
> > > > 3) I want to use my existing client's without modification. My
> > > > understanding is that they need modification only when PAM is
> > > > operating in the "Challenge" pamauth mode and that the Krb5
> > > > authentication service does not utilize a
> > > Challenge-Response behavior.
> > > > Thus, I assumed that none of my clients will require
> > > modification in
> > > > order to use IDS-PAM this way.
> > > >
> > > > Is this assumption correct?
> > >
> > > Yes [But, in case of password mode, application should connect
> > > explicitly with password.]
> > >
> > > >
> > > > 4) HPUX has an hpux-specific PAM module called
> pam_hpsec. It's man
> > > > page says
> > > >
> > > > "The use of pam_hpsec is mandatory for services like login,
> > > > dtlogin,
>
> > > >
> > > > ftp, remsh/rexec and ssh. It is required that these
> services stack
> > > >
> > > > this module on the top of the stack above one or more
> non-optional
> > > >
> > > > modules such as pam_unix, pam_krb5, or pam_ldap. Application
> > > > writers
>
> > > >
> > > > and system administrators must consider whether it is
> appropriate
> > > > to
>
> > > >
> > > > use pam_hpsec for any given application. This module is
> specific
> > > > to
> > > >
> > > > HP-UX, and the functionality may vary significantly between
> > > releases.
> > > >
> > > > Do you know if this is required for IDS, which in my
> case is the
> > > > "application that they are referring to", in order to use PAM?
> > >
> > > No. [although you could use it with IDS if you want to.]
> > >
> > > >
> > > > 5) From what little I have found on IDS PAM from the
> IBM/Informix
> > > > support site, IIUG site, developerWorks, various
> Informix-related
> > > > blogs, I found one reference which claims that something
> > > needs to be
> > > > put in the IDS concsm.cfg file when using PAM. It is in the IBM
> > > > Redbook:
> > > > http://www.redbooks.ibm.com/abstracts/sg247299.html?Open
> > > >
> > > > on page 250, 2nd paragraph under section 8.5.1.
> > > >
> > > > Is this true??? If so, is there a reference to PAM-specific
> > > > configurations in concsm.cfg. The IDS10 Admin Guide/Ref
> > > does not have
> > > > anything about PAM in it's section on this file.
> > > > I have not found any other IDS PAM references to using
> this file.
> > >
> > > No, concsm.cfg is not needed for PAM.
> > > It's needed only if you want to enable password encryption or
> > > network (client/server communication) encryption.
> > >
> > > >
> > > > Here is my configuration:
> > > >
> > > > In sqlhosts I have:
> > > > tidsidcard onsoctcp xxx.xxx.xxx.xxx sqltidsidcard
> > > > s=4,pam_serv=(ifmx),pamauth=(password)
> > > >
> > > > In /etc/pam.conf I have:
> > > > ifmx auth required
> /usr/lib/security/hpux64/libpam_krb5.so.1 debug
> > > >
> > >
> > > I don't have Kerberos setup but I tried using
> libpam_unix.so.1 and
> > > it worked.
> > > Here is my config looks like.
> > >
> > > ---/etc/pam.conf---
> > > idspam auth required libpam_unix.so.1
> > >
> > > ---sqlhosts.pam---
> > > ol_nilesho onsoctcp hpia64 999101
> > > s=4,pam_serv=(idspam),pamauth=(password)
> > >
> > > Could you try using libpam_unix.so.1 ? cause if that work then
> > > problem could be related to Kerberos setup or libpam_krb5.so.1
> > > module itself.
> > > BTW, what type of client you are using (ESQLC/ODBC/JDBC)
> ? does that
> > > client version support PAM or not ?
> > >
> > > Regards,
> > >
> > > - Nilesh -
> > >
> > > > Thanks for any assistance that you can provide.
> > > >
> > > > Jim Cramer
> > > > University of Iowa
> > > >
> > > >
> > > --------------------------------------------------------------
> > > ------------
> > >
> > >
> > > > Hi,
> > > >
> > > > sorry for late reply ... :-(
> > > >
> > > > Following is an example about how to do a basic setup. It's a
> > > > cut&paste from an internal www-page that I once created on this
> > > > topic. I hope it is readable and understandable
> > > > anyway:
> > > >
> > > > --------------------------------------------------------------
> > > > OS Setup for PAM
> > > >
> > > > PAMs typically reside as shared libs in /usr/lib/security. The
> > > > configuration for each PAM is in /etc/pam.conf. On
> Linux however,
> > > > if directory /etc/pam.d exists, then each module has its own
> > > > configuration file in this directory and /etc/pam.conf
> is ignored.
> > > >
> > > > The following example illustrates a possible
> configuration for a
> > > > single PAM:
> > > >
> > > > The service name of the PAM is "pam_chal"
> > > > and the shared library implementing it is
> > > > /usr/lib/security/pam_chal.so. The configuration for this PAM
> > > > service consists of the following two lines:
> > > >
> > > > pam_chal <TAB> auth required <TAB>
> /usr/lib/security/pam_chal.so
> > > > pam_chal <TAB> account required <TAB>
> > > > /usr/lib/security/pam_chal.so
> > > >
> > > > where <TAB> denotes a tab character. This may be
> necessary, since
> > > > it could be possible that the middle parameter in the line
> > > > consists of only one token, which might confuse the parser when
> > > > reading the configuration. These two lines are in
> /etc/pam.conf.
> > > > On Linux, if the directory /etc/pam.d exists, they should be
> > > > placed in file /etc/pam.d/pam_chal.
> > > >
> > > > IDS Setup for PAM
> > > >
> > > > To make a specific IDS server name PAM-enabled, a new set of
> > > > additional parameters is used in the sqlhosts file for
> this server
> > > > name. The parameters are:
> > > >
> > > > s=4,pam_serv=(...),pamauth=(...)
> > > >
> > > > Example 1:
> > > >
> > > > mfu1_pam ontlitcp onbarfix
> > > s=4,pam_serv=(pam_chal),pamauth=(challenge)
> > > >
> > > > This line in the sqlhosts file will setup the server
> name mfu1_pam
> > > > to use the PAM with the service name pam_chal. The
> authentication
> > > > mode for this server name will be challenge, so clients
> connecting
> > > > to this servername must be prepared to handle a PAM challenge.
> > > >
> > > > Example 2:
> > > >
> > > > mfu1_pam ontlitcp onbarfix
> s=4,pam_serv=(other),pamauth=(password)
> > > >
> > > > This line in the sqlhosts file will setup the server
> name mfu1_pam
> > > > to use the PAM with the service name other which usually is
> > > > implemented by the system provided PAM module pam_unix.so. The
> > > > authentication mode for this server name will be password, so
> > > > clients connecting to this servername must be prepared
> to provide
> > > > the password with the connection request. Implicit connections
> > > > will be rejected.
> > > > --------------------------------------------------------------
> > > >
> > > > Regards,
> > > > Martin
> > > > --
> > > > Martin Fuerderer
> > > > IBM Informix Development Munich, Germany
> > > >
> > > >
> > > >
> > >
> > > **************************************************************
> > > ************
> > > *****
> > > > Forum Note: Use "Reply" to post a response in the
> discussion forum.
> > > >
> > >
> > >
> > > **************************************************************
> > > ************
> > > *****
> > > Forum Note: Use "Reply" to post a response in the
> discussion forum.
> > >
> > >
> >
> >
> >
>
> **************************************************************
> *****************
> > Forum Note: Use "Reply" to post a response in the discussion forum.
> >
>
>
> **************************************************************
> *****************
> Forum Note: Use "Reply" to post a response in the discussion forum.
>
>

Messages In This Thread

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum is maintained by Administrator with WebBBS 5.12.