Application Development for Authentication Modules

Home | Previous Page | Next Page The Database Server > Security > Authentication Modules >

Application Development for Authentication Modules

The authentication method depends on the PAM or LDAP Authentication Support module installed. The method can involve challenge and response. When the PAM or LDAP Authentication Support module raises a challenge, these processes occur:

The database server forwards the challenge to the client.
The application must respond to the challenge using a callback function that is provided by the IBM Informix CSDK and the IBM Informix JDBC driver.
If the server to which the client is connecting is set up for challenge, the application must register a callback function with CSDK or JDBC.
When CSDK or JDBC receive a challenge from the server, the challenge is forwarded to the application by the callback function.
The application must respond to the challenge.
CSDK or JDBC forwards the response to the database server.

The application must be prepared to respond to multiple challenges and cannot assume the number of challenges or the challenges themselves.

The callback function should look like the following function:

mint ifx_pam_callback(mint (*callbackfunc_ptr)(char *challenge,
 char *response, mint msg_style))

char *challenge: the character buffer in which the challenge is given by the server. The size of this is fixed at 512, defined by PAM_MAX_MSG_SIZE in the pam_appl.h file.
char *response: the character buffer in which the response is provided by the user. The size of this is fixed at 512, defined by PAM_MAX_RESP_SIZE in the pam_appl.h file.
int msg_style: contains a number that indicates the type of the message given by the server. Based on the type of the response, the application can take appropriate action in the callback function.

The client application must register the callback function before making the first connection. If the callback function is not registered when the first connection is made to the database server, and the server responds, then ESQL/C returns error -1809.

The example below shows a very simple program that first registers a callback function and then unregister it.

#include <stdio.h>
#include <security/pam_appl.h>

static int user_callback(char *challenge, char *response,
 int msg_style);

int main(void)
{
    EXEC SQL char passwd[]="password";
    int retval = 0;

    /* first register the callback */
    retval = ifx_pam_callback(user_callback);

    if (retval == -1)
    {
        printf("Error in registering callback\n");
        return (-1);
    }
    else
    {
        EXEC SQL database test; /* successful connection */
        /* Note that this is an implicit connection. So, the
         * application should be ready to respond to challenges.*/
        printf ("sqlcode on pam connect = %d\n", SQLCODE);
    }

    retval = ifx_pam_callback(NULL); /* unregister the callback
                                      * function */

    if (retval == -1)
    {
        printf("Error in registering callback\n");
        return (-1);
    }
    else
    {
    /* This connection throw error -1809, since the callback 
    * function was unregistered statement */
         EXEC SQL database test;
        printf ("sqlcode on connect = %d\n", SQLCODE);
    }
    return 0;
}


static int user_callback(char *challenge, char *response,
 int msg_style)
{
    switch (msg_style)
    {
        /* If the msg_style is PAM_PROMPT_ECHO_OFF, the                   
         * application should not echo the user's response. */
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON :
                printf("%s: %d:", challenge, msg_style);
                scanf("%.*s", PAM_MAX_RESP_SIZE, response);
                break;

        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
        default:
                printf("%s: %d\n", challenge, msg_style);
               break;
    }
    return 0;
}