Configuring PAM User Authentication
SAP IQ 16 SP08 and above supports PAM User Authentication (PAMUA). Pluggable Authentication Module (PAM) is a centralized authentication system available on most Unix and Linux platforms; it provides a generic common interface to multiple low-level authentication schemes. To configure PAM on your system, see your operating system documentation. The libpam.so[a] dynamic library must be installed on your system. The SAP IQ SP08 documentation provides a sample PAM authentication program (pamclient) for setting up and testing PAM authentication on your system without SAP IQ Server.
Sample PAM Authorization Program - Administration: User Management and Security - SAP Library
The pamclient program can be compiled and then tested on your system.
There are two executables: pamtest.so (the PAM server authentication module) and pamclient (a sample test program that can be used to test pamtest.so and confirm that it is installed correctly).
Linux:
pamtest.so must be copied to /lib64/security/pamtest.so
and, as root, create a pamtest file in /etc/pam.d:
[pam.d]$ cat pamtest
auth required pamtest.so
account required pamtest.so
Test:
[root@myhost pam.d]# echo + bob bobspwd > /tmp/pamtest.ctl
[root@myhost pam.d]# pamclient bob bobspwd pamtest
#0 Authenticated user "bob" using service pamtest.
[root@myhost pam.d]# cat /tmp/pamtest.ctl
+ bob bobspwd
[root@myhost pam.d]# rm /tmp/pamtest.ctl
For the passwd service, make sure the service file has the correct entries:
[@hostname pam.d]$ cat passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
#-password optional pam_gnome_keyring.so
Configure PAM authentication in SAP IQ Server:
[@myhost pam.d]$ dbisql -c 'uid=DBA;pwd=sql;eng=demo0801' -nogui
(DBA)> set option public.login_mode=PAMUA
Execution time: 0.03 seconds
(DBA)> create login policy usepam pam_service_name = sshd pam_failover_to_std=on;
Execution time: 0.105 seconds
(DBA)> create user myuser login policy usepam
Execution time: 0.026 seconds
(DBA)> exit
[@myhost pam.d]$ dbisql -c 'uid=myuser;pwd=xxxxxxx;eng=demo0801' -nogui
(myuser)> quit
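One way to check a service file before naming it in pam_service_name, as an added example that is not part of the original post or SAP's code: it resolves include/substack lines and flags a service that lacks auth or account rules or that reaches the pamtest.so test module. PAM_DIR, pam_rules and audit_pam_service are hypothetical names, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not SAP code: audit a PAM service file before naming it in
# pam_service_name. PAM_DIR is an assumed variable; use /etc/pam.d on a host.

# Print each rule as "type control module args", following include/substack
# (and Debian-style @include) so rules inherited from other files are seen.
pam_rules() {
    local svc="$1" depth="${2:-0}" kind control module rest
    [ "$depth" -gt 8 ] && return 0              # stop on include loops
    [ -r "$PAM_DIR/$svc" ] || return 1
    while read -r kind control module rest || [ -n "$kind" ]; do
        kind="${kind#-}"                        # '-' prefix only silences missing-module logging
        case "$kind" in
            ''|\#*) continue ;;
            @include) pam_rules "$control" $((depth + 1)) || true; continue ;;
        esac
        case "$control" in
            include|substack)
                pam_rules "$module" $((depth + 1)) | awk -v t="$kind" '$1 == t' ;;
            *) printf '%s %s %s %s\n' "$kind" "$control" "$module" "$rest" ;;
        esac
    done < "$PAM_DIR/$svc"
    return 0
}

# Return 0 only if the service has the auth and account stacks that the page's
# pamtest file defines and never reaches the pamtest.so test module.
audit_pam_service() {
    local svc="$1" rules t
    rules="$(pam_rules "$svc")" || { echo "$svc: no readable service file"; return 2; }
    for t in auth account; do
        printf '%s\n' "$rules" | grep -q "^$t " || { echo "$svc: no $t rules"; return 1; }
    done
    if printf '%s\n' "$rules" | grep -q 'pamtest\.so'; then
        echo "$svc: reaches pamtest.so (test module driven by /tmp/pamtest.ctl)"
        return 1
    fi
    echo "$svc: ok"
}

# Constructed sample tree: the page's pamtest and passwd files plus a minimal system-auth.
PAM_DIR="$(mktemp -d)"
printf 'auth required pamtest.so\naccount required pamtest.so\n' > "$PAM_DIR/pamtest"
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$PAM_DIR/system-auth"
printf '#%%PAM-1.0\nauth include system-auth\naccount include system-auth\n' > "$PAM_DIR/passwd"
audit_pam_service passwd || true
audit_pam_service pamtest || true
```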