Talk:Ingres PAM Integration Home

From Ingres Community Wiki


Thanks Teresa for creating PAM discussion page. Thanks Bruce for the feedback.

Rajus01 07:58, 28 March 2008 (PDT)



It's a great idea to fully integrate Ingres and PAM modules. We have over 50 customers running Ingres on Linux and many of them want to integrate Ingres into LDAP/domain/... We are changing ingvalidpw with our scripts/programs and it's unsystematic and dangerous.

--Vdohnal@*** 00:30, 18 April 2008 (PDT)

Hi Vdohnal,

Thanks for the note. I am curious to know how your customers envision using PAM with Ingres on Linux. What Linux flavors do your customers use? You mentioned LDAP. Do they use the pam_ldap service module (/lib/security/pam_ldap.so) with Ingres? I would appreciate it if you could provide a write-up of your customers' current PAM configuration setup.

--Rajus01 10:14, 29 May 2008 (PDT)


Hi, we usually integrate only the Samba server into the domain. For tighter integration we use pam_radius_auth.so or pam_ldap.so. Here is a typical configuration:

 auth     sufficient     pam_radius_auth.so  debug conf=/etc/raddb/server #client_id=  
 auth     requisite      pam_unix2.so            nullok #set_secrpc
 auth     required       pam_nologin.so
 auth     required       pam_securetty.so
 auth     sufficient     pam_rootok.so
 auth     required       pam_listfile.so item=group sense=allow file=/etc/prytanisgroups onerr=fail
 #auth    required       pam_homecheck.so
 auth     required       pam_env.so
 auth     required       pam_mail.so
 account  required       pam_unix2.so
 password required       pam_pwcheck.so          nullok
 password required       pam_unix2.so            nullok use_first_pass use_authtok
 session  required       pam_unix2.so            none # debug or trace
 session  required       pam_limits.so

We use pam_listfile.so to allow access only to users from some groups in /etc/prytanisgroups.

--Vdohnal@*** 00:11, 24 June 2008 (PDT)

Hi Vdohnal,

Thanks for the response and your update to the PAM wiki discussion page. Glad to hear back from you. As I am in the middle of wrapping up the PAM integration for Ingres I have some additional questions with regards to service name configuration.

1. What service name do you use for your configuration?

2. What are your thoughts about forcing the configuration of the "ingres" service name?

I would like to force the configuration name to "ingres" for the following reasons.

a. PAM uses the "other" service name if the "ingres" configuration name doesn't exist. But, by default, the "other" service name configuration is defined as follows, which means that Ingres doesn't work (with PAM) right out of the box.

=====
  #%PAM-1.0
  auth     required       pam_warn.so
  auth     required       pam_deny.so
  account  required       pam_warn.so
  account  required       pam_deny.so
  password required       pam_warn.so
  password required       pam_deny.so
  session  required       pam_warn.so
  session  required       pam_deny.so
==============

b. There is also a suggestion to use the default "login" service name for Ingres. But if this "login" service name is by default heavily customized, then Ingres doesn't work with PAM right out of the box either.

c. Additionally, as the source code of Ingres-PAM validation program is provided to the user, the user can change the service name, recompile it if necessary to meet their security requirements.

Thus I think that forcing the PAM service configuration name to "ingres", and configuring this service name to use the standard pam_unix service modules (an example configuration is shown below), will enable Ingres to work with PAM right out of the box, rather than using the default service names such as "other" and "login".

  #%PAM-1.0
  auth     include        common-auth     debug
  account  include        common-account  debug

Look forward to your further comments on this.

Regards, Usha

--Rajus01 06:10, 24 June 2008 (PDT)
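The service-name fallback discussed above (PAM uses the "ingres" stack if /etc/pam.d/ingres exists, otherwise the deny-everything "other" stack) can be seen without a real PAM installation. The following is an added example, not code from this wiki page or from the Ingres project: a small parser for Linux-PAM service files plus a simulation of how the auth stack is walked under the required/requisite/sufficient/optional/include control flags. The /etc/pam.d contents, the module outcomes, and the simplified stack semantics (an empty stack denies, unknown modules are assumed to fail, bracketed `[...]` control syntax is not handled) are all assumptions constructed for the demonstration; the "other" and "ingres" stacks are copied from the ones quoted in this thread.

```python
"""Parse Linux-PAM service files and model the service-name fallback.

Added example, not Ingres code. Module results are supplied by the caller,
so no PAM library is needed; outcomes are "success", "fail" or "ignore".
"""
import shlex

# Constructed sample of /etc/pam.d (service name -> file text), built from the
# stacks quoted on the discussion page.
SAMPLE_PAM_D = {
    "other": """#%PAM-1.0
auth     required       pam_warn.so
auth     required       pam_deny.so
account  required       pam_warn.so
account  required       pam_deny.so
""",
    "ingres": """#%PAM-1.0
auth     include        common-auth     debug
account  include        common-account  debug
""",
    "common-auth": "auth     required       pam_unix.so nullok_secure\n",
    "common-account": "account  required       pam_unix.so\n",
}

# Modules whose result never depends on the user: pam_warn only logs
# (PAM_IGNORE), pam_deny always fails, pam_permit always succeeds.
FIXED_OUTCOMES = {"pam_warn.so": "ignore", "pam_deny.so": "fail",
                  "pam_permit.so": "success"}


def parse_pam_config(text):
    """Parse one PAM service file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)               # assumes no bracketed [..] controls
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries


def resolve_service(pam_d, service):
    """Mimic PAM's lookup: the named service file if present, else "other"."""
    if service in pam_d:
        return service, parse_pam_config(pam_d[service])
    return "other", parse_pam_config(pam_d.get("other", ""))


def expand_includes(pam_d, entries, mtype, depth=0):
    """Flatten 'include' lines for one management group (e.g. 'auth')."""
    if depth > 8:
        raise RecursionError("include loop in PAM configuration")
    out = []
    for t, control, module, args in entries:
        if t != mtype:
            continue
        if control == "include":
            included = parse_pam_config(pam_d.get(module, ""))
            out.extend(expand_includes(pam_d, included, mtype, depth + 1))
        else:
            out.append((control, module, args))
    return out


def run_stack(pam_d, service, mtype, module_outcomes):
    """Walk one stack; return (service actually used, "success" or "fail")."""
    used, entries = resolve_service(pam_d, service)
    stack = expand_includes(pam_d, entries, mtype)
    if not stack:
        return used, "fail"                      # assumption: empty stack denies
    required_failed = saw_success = False
    for control, module, _args in stack:
        # Unknown modules default to "fail" (assumption for the simulation).
        result = FIXED_OUTCOMES.get(module, module_outcomes.get(module, "fail"))
        if result == "ignore":
            continue
        if control in ("required", "requisite"):
            if result == "fail":
                if control == "requisite":
                    return used, "fail"          # requisite failure ends the stack
                required_failed = True           # required failure: finish, then fail
            else:
                saw_success = True
        elif control == "sufficient":
            if result == "success" and not required_failed:
                return used, "success"           # sufficient success short-circuits
        elif control == "optional":
            saw_success = saw_success or (result == "success" and len(stack) == 1)
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return used, "fail" if required_failed or not saw_success else "success"


if __name__ == "__main__":
    for outcome in ("success", "fail"):
        print("ingres present, pam_unix", outcome, "->",
              run_stack(SAMPLE_PAM_D, "ingres", "auth", {"pam_unix.so": outcome}))
    without = {k: v for k, v in SAMPLE_PAM_D.items() if k != "ingres"}
    print("ingres missing ->",
          run_stack(without, "ingres", "auth", {"pam_unix.so": "success"}))
```

Running it shows the point made in (a): with /etc/pam.d/ingres present, a user whose password pam_unix accepts is authenticated; delete that file and the same user is silently routed to "other", where pam_deny fails every request.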


E-mail response from Vdohnal:

Hi Usha, the configuration I sent you is /etc/pam.d/login. We have ABF applications and the Ingres database on the same Linux box and users have to log in by ssh or telnet. We also have new .NET applications and instead of the ingvalidpw program we use a Perl script. And this script authenticates .NET users against a PDC on a Windows box.

I agree with the name "ingres". "login" is for ssh and telnet, and "ingres" is also for Ingres Net.

--Rajus01 05:42, 25 June 2008 (PDT)

We should also provide a "mkvalidpam" and the sources of ingvalidpam as we do it with the current ingvalidpw (in $II_SYSTEM/ingres/files/iipwd). This would especially allow specifying the service name. I don't think we should make "ingres" the default, as this requires the system admin to add the ingres service to the PAM configuration. If the service name is not found in the configuration, PAM falls back to the "other" service, which might not be expected.

Kristoff

--Pickr01 04:13, 11 May 2008 (PDT)

Kristoff,

The plan is to also provide the source for Ingvalidpam.

--Rajus01 10:14, 29 May 2008 (PDT)

At the development summit it was reported how Ingres plans to integrate this contribution. There were some significant changes to the original contribution (and that is what I actually commented in my last update here). However, I can't find this new version - I would like to have a look at it.

Thanks, Kristoff

--Pickr01 23:52, 19 May 2008 (PDT)

It is still a work-in-progress. I will provide you with the new version/documentation once it is completed.

--Rajus01 10:14, 29 May 2008 (PDT)
