db-derby-user mailing list archives

From Michael Segel <de...@segel.com>
Subject Re: Any interest in a Derby backed PAM Authentication module?
Date Fri, 17 Feb 2006 20:21:18 GMT
On Friday 17 February 2006 10:38 am, Dyre.Tjeldvoll@sun.com wrote:
> derby@segel.com writes:
> > For those of you who are familiar with PAM, it would be an interesting
> > use for Derby.
>
> Just out of curiosity, what is PAM?
>
Ah. Sorry.
PAM = Pluggable Authentication Module(s)

It's a gift from Sun.
PAM can be used on Solaris, AIX, and most (if not all) Linux flavors. Don't
know about HP-UX, but I think it's there as well....

PAM allows you to abstract the authentication method, and configure
authentication methods without having to rewrite any code. (You just have to
make your app PAM-aware (read: coding or configuration) and then point it to
the correct PAM config file, which tells it which PAM modules to use.)

You can even "stack" authentication modules.

To give you a real life example...

Since there's a *ton* of IBMers (heritage Informix folks too) on this
list....

Both Informix and DB2 use the Unix authentication method by default.

This is really a legacy issue that, at the time, made some sense while Sybase
and Oracle managed their own user authentication. (Ok so I *am* showing my
age here... ;-)

Recently, DB2 and Informix have been modified to take advantage of PAM when
running on OSs that support PAM.

What this does is allow for the database to take advantage of different
authentication strategies. Like... RSA key fobs, LDAP, RADIUS, physical card
or hardware-required access, and even biometrics... Or a combination of these
methods. So you can really lock down your access points and users.

There are a couple of different modules out there and it's not too difficult to
write your own. (Ok, on a scale of 1 to 10, it's about a 5 to write, but an 8
to implement.) The idea of using a database, especially an embedded database,
makes a lot of sense.

To give you a real life example...

I'm working on a sales force automation app and DW that has about 200+ users
with an anticipated growth of 200 more users this year... along with staff
turnovers, it means a lot of maintenance.

Since the client doesn't have any internal "IT" staff, I don't want to get 
stuck maintaining 200+ unix accounts. Hence PAM.

Since IDS 10.0 is already PAM enabled, it makes a lot of sense to use a PAM
module that would allow me to maintain a separate passwd file/db for
authentication. Since I'm using Informix for the DW, why not use it for the
authentication module itself? I'm rewriting someone's existing PAM module.
This way, all I need to do is to write a Java maintenance app that would 
allow the admin to manage the user database and to reset passwords or to lock 
someone out of the database.

Now, we can do the same sort of thing using Derby as the database holding the 
data. Since it can be embedded, we can add some more intelligence to the PAM 
module, to allow for maintenance. Actually in a more generic application 
sense... having an embedded DB in the authentication module does make sense.
(And of course there are some design permutations which are also really cool 
too.)

It's kind of cool...

Does that explain it?


> > The trick is that you'd have to write the module in C to connect to
> > derby..
>
> Connect as in connecting to the NetworkServer through DRDA, or
> accessing Derby from C inside the same process?

Well, I haven't really thought about all of the particulars.
If it's embedded, then it would be the C program using JNI?
Or if you used the networked version, then yeah, you'd use something like a
DRDA gateway from the CSDK.

Again, I really hadn't thought the use of Derby out yet. Was sort of thinking 
about it as I worked on the Informix version....

Just wondering if anyone else saw the same potential...

-- 
Michael Segel
Principal 
Michael Segel Consulting Corp.
derby@segel.com
(312) 952-8175 [mobile]

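Added example, not code from this thread or from Derby itself: the user table such a PAM module would consult and the Java maintenance app described in the message would manage, written against Derby's embedded JDBC driver (assumed on the classpath; the DerbyAuthStore class, the users table and its column names are my own). It stores only a salted PBKDF2 hash per user plus a lock flag, so the admin can reset a password or lock someone out without the module ever holding a plaintext password.

```java
import java.security.*;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class DerbyAuthStore {
    private static final int ITERATIONS = 100_000, SALT_LEN = 16, KEY_BITS = 256;
    private final Connection conn;

    public DerbyAuthStore(String jdbcUrl) throws SQLException {
        conn = DriverManager.getConnection(jdbcUrl);   // e.g. "jdbc:derby:memory:authdb;create=true"
        exec("CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, salt VARCHAR(64) FOR BIT DATA NOT NULL, "
           + "hash VARCHAR(64) FOR BIT DATA NOT NULL, locked INTEGER DEFAULT 0 NOT NULL)");
    }
    private int exec(String sql, Object... args) throws SQLException {   // bound parameters only
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < args.length; i++) ps.setObject(i + 1, args[i]);
            return ps.executeUpdate();
        }
    }
    private static byte[] pbkdf2(char[] pw, byte[] salt) throws GeneralSecurityException {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(new PBEKeySpec(pw, salt, ITERATIONS, KEY_BITS)).getEncoded();
    }

    // Creates the user or resets the password; a fresh salt is drawn and only salt + hash are stored.
    public void setPassword(String user, char[] pw) throws SQLException, GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(pw, salt);
        if (exec("UPDATE users SET salt=?, hash=? WHERE name=?", salt, hash, user) == 0)
            exec("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)", user, salt, hash);
    }
    public void setLocked(String user, boolean locked) throws SQLException {   // admin lock-out, row kept
        exec("UPDATE users SET locked=? WHERE name=?", locked ? 1 : 0, user);
    }

    // What pam_sm_authenticate() would ask; unknown user, wrong password and locked account all give the same false.
    public boolean authenticate(String user, char[] pw) throws SQLException, GeneralSecurityException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT salt, hash, locked FROM users WHERE name=?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] expected = pbkdf2(pw, rs.getBytes(1));                    // recompute with the stored salt
                boolean match = MessageDigest.isEqual(rs.getBytes(2), expected); // constant-time compare
                return match && rs.getInt(3) == 0;
            }
        }
    }
}
```

An unknown name still returns faster than a wrong password because no PBKDF2 run happens for it; if that timing difference matters in your deployment, hash against a dummy salt before returning false.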