SAP IQ

Configuring PAM User Authentication


SAP IQ 16 SP08 and above supports PAM User Authentication (PAMUA). Pluggable Authentication Module (PAM) is a centralized authentication system available on most Unix and Linux platforms; it provides a generic common interface to multiple low-level authentication schemes. To configure PAM on your system, see your operating system documentation. The libpam.so[a] dynamic library must be installed on your system. The SAP IQ SP08 documentation provides a sample PAM authentication program (pamclient) for setting up and testing PAM authentication on your system without SAP IQ Server.


Sample PAM Authorization Program - Administration: User Management and Security - SAP Library

The pamclient program can be compiled and then tested on your system.

The sample consists of two executables: pamtest.so (the PAM server authentication module) and pamclient (a sample test program that can be used to test pamtest.so and confirm that it is installed correctly).

Linux:
pamtest.so must be copied to /lib64/security/pamtest.so

Then, as root, create a pamtest file in /etc/pam.d:

[pam.d]$ cat pamtest

auth    required        pamtest.so

account required        pamtest.so

Test:

[root@myhost pam.d]# echo + bob bobspwd > /tmp/pamtest.ctl

[root@myhost pam.d]#  pamclient bob bobspwd pamtest

#0 Authenticated user "bob" using service pamtest.

[root@myhost pam.d]# cat  /tmp/pamtest.ctl

+ bob bobspwd

[root@myhost pam.d]# rm /tmp/pamtest.ctl

For the passwd service, make sure the passwd service file has the correct entries:

[@hostname pam.d]$ cat passwd

#%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   substack     system-auth

#-password   optional    pam_gnome_keyring.so
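
The two service files above can be checked before pointing SAP IQ at them. The following is an added example, not part of the original post or the SAP sample: it expands include and substack lines the way Linux-PAM does and reports required stacks that end up empty and modules missing from the module directory. The REQUIRED tuple (auth and account, as in the pamtest file) and the function names are assumptions; the sample files are constructed.

```python
import os
import re
import tempfile

# Line shape: [-]type  control-or-[bracketed control]  module-or-file  [args]
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
REQUIRED = ("auth", "account")  # assumption: the stacks the pamtest file defines

def expand(service, pam_dir, _stack=()):
    """Return (type, control, module) rules with include/substack expanded."""
    if service in _stack:  # include loop: stop instead of recursing forever
        return []
    rules = []
    with open(os.path.join(pam_dir, service)) as fh:  # a missing file raises
        for line in fh:
            m = RULE.match(line.strip())  # comments and blank lines do not match
            if not m:
                continue
            mtype, control, target = m.groups()
            if control in ("include", "substack"):
                sub = expand(target, pam_dir, _stack + (service,))
                rules += [r for r in sub if r[0] == mtype]
            else:
                rules.append((mtype, control, target))
    return rules

def check(service, pam_dir="/etc/pam.d", module_dir="/lib64/security"):
    """Return (required stacks with no rule, modules absent from module_dir)."""
    rules = expand(service, pam_dir)
    present = {r[0] for r in rules}
    stacks = [t for t in REQUIRED if t not in present]
    mods = sorted({m for _, _, m in rules  # join() keeps absolute module paths
                   if not os.path.isfile(os.path.join(module_dir, m))})
    return stacks, mods

def demo():
    """Run check() over constructed sample files in a temporary directory."""
    files = {  # constructed; system-auth deliberately has no account rule
        "pamtest": "auth required pamtest.so\naccount required pamtest.so\n",
        "passwd": "#%PAM-1.0\nauth include system-auth\n"
                  "account include system-auth\npassword substack system-auth\n",
        "system-auth": "auth sufficient pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        open(os.path.join(root, "pam_unix.so"), "w").close()  # stand-in module
        return {s: check(s, root, root) for s in ("pamtest", "passwd")}
```

On the host, check("pamtest") uses the real /etc/pam.d and /lib64/security. For the constructed files, demo() reports pamtest.so as not yet copied into the module directory and the passwd service as having no account rule once system-auth is expanded.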


Configure PAM authentication in SAP IQ Server:

[@myhost  pam.d]$ dbisql -c 'uid=DBA;pwd=sql;eng=demo0801' -nogui

(DBA)> set option public.login_mode=PAMUA

Execution time: 0.03 seconds

(DBA)> create login policy usepam pam_service_name = sshd pam_failover_to_std=on;
Execution time: 0.105 seconds

(DBA)> create user myuser login policy usepam
Execution time: 0.026 seconds

(DBA)> exit
[@myhost pam.d]$ dbisql -c 'uid=myuser;pwd=xxxxxxx;eng=demo0801' -nogui

(myuser)> quit
