I need help with that. pointing me in the right direction.Any ideas how to
authenticate database users from Active Directory ldap, via pam modules to
be able to run stuff in the IDS databases ? Any decent writeups or tutorials
on it ?

Thanks,
floyd
Floyd Wellershaus
Dba/Sa Informix/Oracle/Linux/Aix

http://photos.fwellers.com
================================================== ======

On Feb 23, 9:16*pm, Floyd Wellershaus <fl... (AT) fwellers (DOT) com> wrote:
Floyd,

I found the following writeup for using Active Directory with PAM. I
cannot confirm this will work with all versions of Informix and
Operating System.

http://informix-technology.blogspot....n-pam-for.html

HTH

Please note that it's a two part article... First part is here:

http://informix-technology.blogspot....n-pam-for.html

The article was written using IDS 11.10, but there is no big difference
between 10 and 11 regarding to PAM. Maybe some fixes, and FC5 is far from
the latest v10 fixpack (FC10 or FC11).

Also note that PAM has some issues depending on your application language...



Additionally make sure you understand one of the bigger issues: on versions
prior to V11.7, although you CAN authenticate through PAM, the underlying OS
MUST recognize the user identity...
In other words, and to illustrate this with real scenario, although your
users are created in the AD and you can use the AD fields to store the
passwords, you MUST make your DB server recognize the user identity. This
means that low level functions (getpwnam() on Unix/Linux) must return the
user data as if they existed in /etc(/passwd.

Having said the above, at first glance you may think that PAM is useless...
So we can take several approaches:

1- Yes, it's useless, so we would be better just making the OS authenticate
against the AD. Current OS versions allow this, and this makes the users of
AD automatically available for Informix authentication
2- No. I need the extended flexibility that PAM provides, so I still want to
use PAM stack, although I need to have the underlying OS authenticate on AD,
or simply have "dummy" user entries in the /etc/passwd
3- Yes and No... So I would be better on v11.7 which eliminates this issue

Finally, I apologize for the bad looks of the first part, but there are
broken image links which make it appear strange....

Feel free to raise specific questions.

Regards.

On Thu, Feb 24, 2011 at 10:50 PM, marym <mmuraskiny (AT) gmail (DOT) com> wrote:



--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...