
Configuring PAM User Authentication


SAP IQ 16 sp08 and above supports PAM User Authentication (PAMUA). Pluggable Authentication Module (PAM) is a centralized authentication system available on most Unix and Linux platforms; it provides a generic common interface to multiple low-level authentication schemes. To configure PAM on your system, see your operating system documentation. The[a] dynamic library must be installed on your system. The SAP IQ sp08 documentation provides a sample PAM authentication program (pamclient) for setting up and testing PAM authentication on your system without SAP IQ Server.

Sample PAM Authorization Program - Administration: User Management and Security - SAP Library

The pamclient program can be compiled and then tested on your system.

Two executables Server Authentication Module) and pamclient(sample test program, which can be used to test,  to confirm that is installed correctly).

Linux; must be copied to /lib64/security/

and, as root, create a pamtest file in /etc/pam.d:

[pam.d]$ cat pamtest

auth    required

account required


[root@myhost pam.d]# echo + bob bobspwd > /tmp/pamtest.ctl

[root@myhost pam.d]#  pamclient bob bobspwd pamtest

#0 Authenticated user "bob" using service pamtest.

[root@myhost pam.d]# cat  /tmp/pamtest.ctl

+ bob bobspwd

[root@myhost pam.d]# rm /tmp/pamtest.ctl

For the passwd service, make sure the service file has the correct entries:

[@hostname pam.d]$ cat passwd


auth       include      system-auth

account    include      system-auth

password   substack     system-auth

#-password   optional
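
Before a service name is used for PAM logins, the file under /etc/pam.d can be checked for malformed or missing entries. The script below is an added example, not part of the original post or of SAP's samples; the function name pam_service_check and the rule that a service needs both auth and account entries (as in the pamtest file above) are assumptions.

```shell
#!/bin/sh
# Added example: lint a PAM service file (for instance /etc/pam.d/pamtest).
# Assumption: the service must define "auth" and "account" entries,
# as the pamtest file shown above does.

# pam_service_check FILE
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
pam_service_check() {
    [ -r "$1" ] || { echo "unreadable: $1"; return 2; }
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            grp = $1
            sub(/^-/, "", grp)               # leading "-": ignore a missing module quietly
            if (grp !~ /^(auth|account|password|session)$/) {
                printf "line %d: unknown type \"%s\"\n", NR, $1; bad = 1; next
            }
            if (NF < 3) {                    # need: type, control, module or service
                printf "line %d: %s entry has no module\n", NR, grp; bad = 1; next
            }
            seen[grp] = 1                    # include/substack lines count for their type
        }
        END {
            if (!seen["auth"])    { print "missing auth entry";    bad = 1 }
            if (!seen["account"]) { print "missing account entry"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample input: the passwd service entries listed above.
sample=$(mktemp)
printf '%s\n' \
    'auth       include      system-auth' \
    'account    include      system-auth' \
    'password   substack     system-auth' > "$sample"
pam_service_check "$sample" && echo "OK: auth and account entries present"
rm -f "$sample"
```

A line such as `auth required` with no module name after it is reported as an entry with no module.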

Configure PAM authentication in SAP IQ Server:

[@myhost  pam.d]$ dbisql -c 'uid=DBA;pwd=sql;eng=demo0801' -nogui

(DBA)> set option public.login_mode=PAMUA

Execution time: 0.03 seconds

(DBA)> create login policy usepam pam_service_name = sshd pam_failover_to_std=on;
Execution time: 0.105 seconds

(DBA)> create user myuser login policy usepam
Execution time: 0.026 seconds

(DBA)> exit
[@myhost pam.d]$ dbisql -c 'uid=myuser;pwd=xxxxxxx;eng=demo0801' -nogui

(myuser)> quit
