Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Informix IDS Migration - Solaris to Linux

  • 26-01-2016 7:07pm
    #1
    Standard Toaster
    Registered Users, Registered Users 2 Posts: 10,271 ✭✭✭✭


    Anyone familiar with Informix database? More specifically having it running on Red Hat 6 with Windows authentication.

    Have it up and running fine and it works fine for local users (anyone in /etc/passwd) but not for domain users from ldap. Using sssd for that.

    Separate DB server and App server, both RHEL 6.

    I can throw up more info later but just wanted to see if anyone else here might have been in a similar situation before.

    Thanks!


Comments

  • #2
    L.Jenkins
    Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,241 Mod ✭✭✭✭L.Jenkins


    Integration with Active Directory over LDAP with RHEL might be worth looking into. http://people.redhat.com/mskinner/rhug/q3.2013/ready_rhel_ad/refarch_rhel6_to_ad.pdf


  • #3
    Standard Toaster
    Registered Users, Registered Users 2 Posts: 10,271 ✭✭✭✭Standard Toaster


    Thanks Itzy.

    I've the servers added to the domain and auth working fine with SSSD (based on section 6.3 on that pdf)
    SSH as domain user working fine.

    As far as I can gather when the Informix client tries to auth against the IDS server it expects the logged in user on the app server to exist on the DB server in /etc/passwd. (users will not exist in passwd in an SSSD setup)

    Reading this link:
    http://informix-technology.blogspot.ie/2009/04/informix-authentication-and-connections.html?m=1

    ...I *think* the Informix service account running IDS needs to be a domain account too (local account now)
    Local accounts are working fine from app->db btw.

    I'd really like to keep/manage the users in AD.
    I can't have both!


  • #4
    L.Jenkins
    Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,241 Mod ✭✭✭✭L.Jenkins


    Well let me know how it goes.


  • #5
    Standard Toaster
    Registered Users, Registered Users 2 Posts: 10,271 ✭✭✭✭Standard Toaster


    Just a quick follow up for anyone else who might stumble across this.
    I managed to get this all working fine, dbaccess authenticating fine against the database server.

    Show stopper through was this gem:
    http://www-01.ibm.com/support/knowledgecenter/SSGU8G_11.50.0/com.ibm.sec.doc/ids_am_024.htm
    Compatibility issues with authentication modules

    Only specific IBM® Informix® products support authentication modules. To use the other products when an authentication module is enabled on IBM Informix, you can connect to a DBSERVERALIASES.

    Not all IBM Informix products and tools support PAM or LDAP authentication:

    IBM Informix-4GL does not have a mechanism for identifying callback functions and therefore cannot directly support PAM or LDAP authentication. However, if IBM Informix-4GL uses the correct version of CSDK, you can write C code that can be called from IBM Informix-4GL to handle the challenge and response protocol. To implement PAM, upgrade to the new CSDK version, modify your applications to register a callback that can handle challenges and responses, and recompile your application.

    Which means all of our 4gl code would need to be rewritten to support SSO.

    So I'm just going to blacklist informix ad group via sssd.conf and create local logins for them manually.
    Not ideal but it's the only way I can see, and it works.


Advertisement