As of Adaptive Server version 12.5.2, PAM authenticated users must already exist as valid logins in Adaptive Server. To create new Adaptive Server logins for PAM-authenticated users automatically, issue:
sp_maplogin PAM, NULL, "create login"
Alternatively, PAM-authenticated users can be mapped to existing Adaptive Server users. For example:
sp_maplogin NULL, "externuser", "aseuser"
For more information, see “Mapping logins using sp_maplogin”.
Both Linux and Solaris have predefined PAM modules. You can choose to either use one of these modules or to create one of your own. When creating your own modules, follow the guidelines in your operating system documentation on creating a PAM module.
PAM modules you create should comply with RFC 86.0 “Unified Login With Pluggable Authentication Modules (PAM).” Adaptive Server supports the authentication management module of the RFC. It does not support the account management, session management, or password management modules.
To enable PAM support, configure your operating system as follows:
For Solaris, add the following line to /etc/pam.conf:
ase auth required /usr/lib/security/$ISA/pam_unix.so.1
For Linux, create a new file called /etc/pam.d/ase, and add:
auth required /lib/security/pam_unix.so
For more information on how to create these entries, see your operating system documentation.
$ISA is an environment variable that stands for Instruction Set Architecture. It allows 32- and 64-bit libraries to coexist on the same system.
On Solaris 32-bit machines, $ISA is replaced by an empty string, while on 64-bit machines, it is replaced by the string “sparcv9”.
If you want to support both 32- and 64-bit, put the 32-bit PAM module in a directory, and put the 64-bit version in a subdirectory of this directory.
The module layout and the entry in pam.conf should then look similar to:
$ ls /usr/lib/security/pam_whatever.so.1
pam_whatever.so.1 -> /wherever/pam_whatever_32bits.so.1
$ ls /usr/lib/security/sparcv9/pam_whatever.so.1
pam_whatever.so.1 -> /wherever/pam_whatever_64bits.so.1
ase auth required /usr/lib/security/$ISA/pam_whatever.so.1
$ISA is the only variable allowed in pam.conf.
enable pam user auth is a new configuration parameter that enables PAM user authentication support. It can be set as follows:
sp_configure "enable pam user auth", 0 | 1 | 2
where:
0 – disables PAM authentication. This is the default.
1 – indicates Adaptive Server will try PAM authentication first, and then fall back to syslogins authentication if PAM authentication fails.
2 – indicates only PAM authentication may be used.
When PAM is enabled, password management is delegated to the PAM service providers.
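As an added illustration (not part of the Sybase documentation): a small Python checker for an ase PAM entry on either platform, with $ISA expansion for 32- and 64-bit Solaris, plus a function modelling the three values of enable pam user auth. The function names are mine, and the expected module directories are assumed from the examples above.

```python
import os
import re

# PAM control flags; a misspelling such as "requried" is not one of them, so
# the ase service would never authenticate.  MODULE_DIRS are the directories
# used in the page's examples (assumption: your platform may use others).
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
MODULE_DIRS = ("/usr/lib/security", "/lib/security")

def parse_pam_entry(line, solaris=False):
    """One /etc/pam.conf line (Solaris, service name first) or /etc/pam.d/ase line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None  # blank or comment line
    fields = line.split()
    if not solaris:
        fields = ["ase"] + fields  # pam.d/ase lines carry no service name
    if len(fields) < 4:
        raise ValueError(f"malformed PAM entry: {line!r}")
    service, mtype, control, module = fields[:4]
    return {"service": service, "type": mtype, "control": control, "module": module}

def check_ase_entry(entry, isa=""):
    """Return (problems, module path with $ISA expanded); isa is "" on 32-bit
    Solaris and "sparcv9" on 64-bit. An empty problem list means the entry is OK."""
    problems = []
    if entry["service"] != "ase":
        problems.append(f"service {entry['service']!r} is not 'ase'")
    if entry["type"] != "auth":
        problems.append(f"Adaptive Server uses only the auth type, not {entry['type']!r}")
    if entry["control"] not in CONTROL_FLAGS:
        problems.append(f"unknown control flag {entry['control']!r}")
    other_vars = set(re.findall(r"\$(\w+)", entry["module"])) - {"ISA"}
    if other_vars:
        problems.append(f"$ISA is the only variable allowed, found {sorted(other_vars)}")
    path = os.path.normpath(entry["module"].replace("$ISA", isa))  # "//" collapses
    if not path.startswith(MODULE_DIRS):
        problems.append(f"module {path!r} is outside {MODULE_DIRS}")
    return problems, path

def login_allowed(mode, pam_ok, syslogins_ok):
    """Login decision implied by 'enable pam user auth' = 0, 1 or 2."""
    if mode == 0:
        return syslogins_ok  # PAM disabled (the default)
    if mode == 1:
        return pam_ok or syslogins_ok  # PAM first, fall back to syslogins
    if mode == 2:
        return pam_ok  # PAM only
    raise ValueError("enable pam user auth must be 0, 1 or 2")
```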
Copyright © 2004. Sybase Inc. All rights reserved.