
LDAP Authentication Support on Windows

LDAP Authentication on Windows is set up and configured like the Pluggable Authentication Module (PAM) that is used on UNIX and Linux. Use the LDAP Authentication Support module when you want to use an LDAP server to authenticate your system users. The module contains source code that you can modify for your specific LDAP Authentication Support module.

The authentication module is a DLL that usually resides in the %INFORMIXDIR%\dbssodir\lib\security directory. The parameters of the module are listed in the %INFORMIXDIR%\dbssodir\pam.conf file. The source code for a fully functional LDAP Authentication Module and samples of the required configuration files are included in the %INFORMIXDIR%\demo\authentication directory.

The LDAP Authentication Module provides single-module authentication only. The module does not support features such as module stacking. The system administrator can enable or disable the authentication.

Installing and Customizing the LDAP Authentication Support Module

Before you can use the Dynamic Server LDAP Authentication Module to create your authentication module, you must have an LDAP server and the LDAP client-side system. Examples of LDAP systems are IBM Directory Server and openLDAP.

Your LDAP client-side system typically includes LDAP libraries and header files. These libraries and header files are required to compile the LDAP module.

To customize the module
  1. Customize the pam_ldap.c file that is included with Dynamic Server.
  2. Compile the pam_ldap.c file into a DLL and place it in a secure directory.

    Recommendation: Place the pam_ldap.c file in the %INFORMIXDIR%\dbssodir\lib directory.

Your installation also includes a template of a configuration file, pam_ldap_tmpl, for the LDAP module. This configuration file holds site-specific information. Store site-specific information in this configuration file rather than in the module source, because doing so lets a single compiled LDAP module work in different settings.

Configuring the LDAP Module

Use the template of a PAM configuration file to configure your LDAP module.

To configure your LDAP module
  1. Copy the template file to %INFORMIXDIR%\dbssodir\etc and name it pam.conf.
  2. Customize the file to accommodate your local security settings. See the template file, pam.conf_tmpl, for details about how to customize the file.

Configuring Dynamic Server

To configure a server to use an LDAP Authentication Support module, edit the sqlhosts file. The system administrator must know:

The following example shows two sqlhosts entries with descriptive names. Each entry is listed with its PAM service name and authentication mode, followed by the sqlhosts line and its options field:

PAM service: pam_chal
Authentication mode: challenge

ifxserver1   oltlitcp   servermc   portnum1
 s=4, pam_serv=(pam_chal), pamauth=(challenge)

PAM service: pam_password (Needs only a password)
Authentication mode: password

ifxserver2   oltlitcp   servermc   portnum2
 s=4, pam_serv=(pam_pass), pamauth=(password)

Authentication Mode

The LDAP Authentication Support module determines whether a simple password is sufficient or other challenges are required. Implementation of the module in Dynamic Server takes advantage of the fact that for explicit connections, a password is sent to the server by the client. This password can be used to satisfy the LDAP Authentication Support module in cases where a simple password is used. If the authentication mode involves responding to single or multiple challenges, the applications must be able to respond to the challenges.

Implicit Connections

The LDAP Authentication Support module is a challenge-oriented system, in that the authentication response (the password) is supplied in response to an LDAP Authentication Support module message. In implicit connections to the database server, no password is sent.

Implicit connections can work under the LDAP Authentication Support module only in challenge mode. Implicit connections in password mode result in failure.
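The following is an added example, not part of the IBM documentation or the Dynamic Server code: a small audit script that parses sqlhosts entries in the five-field layout (dbservername, nettype, hostname, servicename, options) used by the example above and checks the PAM/LDAP-related options against the rules this page states: an entry with s=4 names a pam_serv service, pamauth is either challenge or password, and password mode cannot serve implicit connections. The sample sqlhosts text is constructed from the page's two entries plus a deliberately misconfigured third one; the page's example wraps the options onto a second line, while this parser expects them in the fifth field of the same line.

```python
import re

# Constructed sample sqlhosts text: the page's two entries in the standard
# five-field layout, plus a third entry that is deliberately misconfigured.
SAMPLE_SQLHOSTS = """\
# dbservername nettype    hostname  servicename  options
ifxserver1     oltlitcp   servermc  portnum1     s=4,pam_serv=(pam_chal),pamauth=(challenge)
ifxserver2     oltlitcp   servermc  portnum2     s=4,pam_serv=(pam_pass),pamauth=(password)
ifxserver3     oltlitcp   servermc  portnum3     s=4,pamauth=(otp)
"""

# Matches key=value, or key=(value) for parenthesised option values.
OPT_RE = re.compile(r"(\w+)=(?:\(([^)]*)\)|([^,]*))")


def parse_options(field: str) -> dict[str, str]:
    """Turn 's=4,pam_serv=(pam_chal),pamauth=(challenge)' into a dict."""
    opts: dict[str, str] = {}
    for m in OPT_RE.finditer(field.replace(" ", "")):
        opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def parse_sqlhosts(text: str) -> dict[str, dict[str, str]]:
    """Map each dbservername to its parsed options; skip comments and blanks."""
    entries: dict[str, dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)  # 5th field (options) may contain spaces
        options = fields[4] if len(fields) == 5 else ""
        entries[fields[0]] = parse_options(options)
    return entries


def audit(entries: dict[str, dict[str, str]]) -> list[str]:
    """Report PAM/LDAP entries whose options contradict the page's rules."""
    findings: list[str] = []
    for name, opts in entries.items():
        if opts.get("s") != "4":
            continue  # not a PAM/LDAP-authenticated entry
        if "pam_serv" not in opts:
            findings.append(f"{name}: s=4 set but no pam_serv=(...) service named")
        mode = opts.get("pamauth")
        if mode not in ("challenge", "password"):
            findings.append(f"{name}: pamauth must be challenge or password, got {mode!r}")
        elif mode == "password":
            findings.append(f"{name}: password mode; implicit connections will fail")
    return findings
```

Running audit(parse_sqlhosts(SAMPLE_SQLHOSTS)) reports the password-mode entry as unusable for implicit connections and flags the third entry twice (no pam_serv, unknown pamauth).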

Enterprise Replication and High-Availability Data Replication

Enterprise Replication and High-Availability Data Replication (HDR) cannot respond to challenges if the authentication scheme calls for them. For this reason, Enterprise Replication and HDR must not be configured on the port that uses the LDAP Authentication Support module. For information on the facility to dedicate ports to Enterprise Replication and HDR, see Enterprise Replication and High-Availability Data Replication Connection Security Option.

Application Development

The process for preparing an application to respond to challenges raised by LDAP Authentication Support modules is the same process to use when responding to challenges raised by PAM modules. For more information, see Application Development for Authentication Modules.

Distributed Transactions with LDAP Support Modules, Client APIs, and Compatibility Issues

Distributed transactions, APIs that support LDAP Authentication Support modules, and compatibility issues with other IBM Informix products and tools are the same for both PAM and LDAP Authentication Support modules. For more information, see Distributed Transactions, Client APIs and Authentication Support Modules, and Compatibility Issues.
