Using sybmapname to handle user principal names

sybmapname converts external user principal names used in the Kerberos environment to the namespace of Adaptive Server user logins. You can customize the sybmapname shared object so that it maps the name supplied in the Kerberos input buffer to a login name written to the Adaptive Server output buffer.

Use the sybmapname shared object to perform the custom mapping between the user principal name and the Adaptive Server login name. This shared object is optionally loaded at server start-up, and the function syb__map_name contained in the shared object is called after a successful Kerberos authentication and just before the user principal is mapped to a login in the syslogins table. This function is useful when the user principal name and the login name to be mapped are not identical.

syb__map_name(NAMEMAPTYPE *protocol, char *orig, int origlen, char *mapped, int *mappedlen)

where:

  protocol   is a NAMEMAPTYPE pointer supplied by the server.
  orig       points to the input buffer holding the Kerberos user principal name.
  origlen    is the length of the name in orig.
  mapped     points to the output buffer that receives the Adaptive Server login name.
  mappedlen  points to the length of the mapped name.

syb__map_name returns a value greater than 0 if the mapping succeeds, 0 if no mapping occurred, and a value less than 0 if an error occurs inside syb__map_name. When an error occurs, the mapping failure is reported in the Adaptive Server error log.

For example, to authenticate a Kerberos user on Adaptive Server:

  1. Configure Adaptive Server to use the Kerberos security mechanism. See “Using Kerberos” and Open Client/Server documentation, and the white paper titled “Configuring Kerberos for Sybase” on the Sybase Web site.

    A sample sybmapname.c file is located in $SYBASE/$SYBASE_ASE/sample/server/sybmapname.c.

  2. Modify sybmapname.c to implement your logic. See “Precautions when using sybmapname”.

  3. Build the shared object or DLL using the generic platform-specific makefile supplied. You may need to modify the makefile to suit your platform-specific settings.

  4. Place the resulting shared object in a directory on your $LD_LIBRARY_PATH on UNIX machines, or on your PATH on Windows machines. The file should be readable and executable by the “sybase” user.

Note: Sybase recommends that only the “sybase” user be allowed read and execute permissions, and that all other access be denied. Because the server loads and executes this object at start-up, anyone who can replace it can run code with the server's privileges, so write access to the file and its directory matters as much as read access.

Verifying your login to Adaptive Server using Kerberos authentication

To verify your login to Adaptive Server using Kerberos authentication, consider these two mappings:

Example 1 If a client’s principal name is user@REALM, and the corresponding entry in the syslogins table is user_REALM, you can code sybmapname to accept the input string user@REALM and convert it to the output string user_REALM.

Example 2 If the client principal name is user, and the corresponding entry in the syslogins table is USER, you can code sybmapname to accept the input string user and convert it to the uppercase string USER.

sybmapname is loaded by Adaptive Server at runtime and uses its logic to do the necessary mapping.
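The following C file is an added example written for this page; it is not the sample shipped in $SYBASE/$SYBASE_ASE/sample/server or any other Sybase code. It implements syb__map_name with the return contract given above (greater than 0 mapped, 0 no mapping, less than 0 error) and applies both mappings from Examples 1 and 2 in one policy: a principal containing @ is mapped from user@REALM to user_REALM, and any other principal is uppercased. Two things are assumptions: NAMEMAPTYPE is declared as an opaque struct here because its real definition lives in the Sybase sample header, and *mappedlen is taken to hold the output buffer's capacity on entry and the mapped name's length on return, which the page does not specify.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumption: the Sybase sample gets this type from its own header.
 * It is declared opaque here so the file compiles stand-alone; the
 * mapping logic never dereferences it. */
typedef struct namemaptype NAMEMAPTYPE;

/* Return values matching the contract documented for syb__map_name. */
enum map_result { MAP_ERROR = -1, MAP_NONE = 0, MAP_DONE = 1 };

/* Example 1 policy: user@REALM -> user_REALM.
 * Returns the mapped length, or -1 if `cap` cannot hold the result
 * plus its terminator. */
static int map_realm_suffix(const char *orig, int origlen, char *mapped, int cap)
{
    if (origlen + 1 > cap)
        return -1;
    int i;
    for (i = 0; i < origlen; i++)
        mapped[i] = (orig[i] == '@') ? '_' : orig[i];
    mapped[i] = '\0';
    return i;
}

/* Example 2 policy: user -> USER. Same length contract as above. */
static int map_uppercase(const char *orig, int origlen, char *mapped, int cap)
{
    if (origlen + 1 > cap)
        return -1;
    int i;
    for (i = 0; i < origlen; i++)
        mapped[i] = (char)toupper((unsigned char)orig[i]);
    mapped[i] = '\0';
    return i;
}

/* Entry point the server calls after a successful Kerberos
 * authentication. Assumption (not stated on the page): *mappedlen is
 * the capacity of `mapped` on entry and the mapped length on return. */
int syb__map_name(NAMEMAPTYPE *protocol, char *orig, int origlen,
                  char *mapped, int *mappedlen)
{
    (void)protocol;                       /* not needed by this policy */
    if (orig == NULL || mapped == NULL || mappedlen == NULL || origlen < 0)
        return MAP_ERROR;
    if (origlen == 0)
        return MAP_NONE;                  /* nothing to map */

    /* A principal carrying control or whitespace characters must never
     * become a login name; report it as an error so it reaches the log. */
    for (int i = 0; i < origlen; i++)
        if (iscntrl((unsigned char)orig[i]) || isspace((unsigned char)orig[i]))
            return MAP_ERROR;

    int n = memchr(orig, '@', (size_t)origlen)
                ? map_realm_suffix(orig, origlen, mapped, *mappedlen)
                : map_uppercase(orig, origlen, mapped, *mappedlen);
    if (n < 0)
        return MAP_ERROR;                 /* output buffer too small */

    *mappedlen = n;
    /* If the policy left the name unchanged, report "no mapping". */
    if (n == origlen && memcmp(orig, mapped, (size_t)origlen) == 0)
        return MAP_NONE;
    return MAP_DONE;
}
```

The length check runs before any byte is written, so a server that hands over a smaller output buffer than expected gets a logged error rather than an overflow, and rejecting control and whitespace characters keeps the mapped login name a clean token for the syslogins lookup that follows.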

The following actions and output illustrate the sybmapname function described in Example 2. Compile the sybmapname.c file containing the customized definition of syb__map_name(), build it as a shared object (or DLL), and place it in the appropriate path location. Then start Adaptive Server with the Kerberos security mechanism enabled.

To obtain a ticket-granting ticket (TGT), the encrypted Kerberos credential that identifies the user, and store it in the credentials cache:

$ /krb5/bin/kinit johnd@public
Password for johnd@public:
$

To list the TGT:

$ /krb5/bin/klist
   Cache Type: Kerberos V5 credentials cache
   Cache Name: /krb5/tmp/cc/krb5cc_9781
Default principal: johnd@public

Log in as “sa” and verify the user login for “johnd”:

$ $SYBASE/$SYBASE_OCS/bin/isql -Usa -P -I`pwd`/interfaces
1>

1> sp_displaylogin johnd
2> go
No login with the specified name exists.
(return status = 1)

1> sp_displaylogin JOHND
2> go
Suid: 4
Loginame: JOHND
Fullname:
Default Database: master
Default Language:
Auto Login Script:
Configured Authorization:
Locked: NO
Password expiration interval: 0
Password expired: NO
Minimum password length: 6
Maximum failed logins: 0
Current failed login attempts:
Authenticate with: ANY
(return status = 0)

With the mapping in place, Kerberos authentication succeeds: the sybmapname shared object maps the lowercase principal johnd to the uppercase login JOHND, and johnd is logged in to Adaptive Server. The -V option tells isql to use network-based (here, Kerberos) authentication instead of a password:

$ $SYBASE/$SYBASE_OCS/bin/isql -V -I`pwd`/interfaces
1>

Precautions when using sybmapname

When coding for sybmapname: