Configuring external authentication on Linux and UNIX systems
The following procedure describes a typical way of configuring your Linux or UNIX system to use external authentication with the solidDB server. The procedure assumes that you have already created the necessary pluggable authentication modules (PAM) on your system.
Note: Misconfigured PAM settings can cause an abnormal shutdown of the solidDB server. To address any problems with authentication, verify the external authentication settings in a test environment before deploying in production.
To configure external authentication on Linux or UNIX systems, complete the following steps:
1 Install and configure the OpenSSL libcrypto library on the server computer. For instructions, see Installing and configuring the OpenSSL toolkit.
2 In the server-side solid.ini file, set the following values:
[General]
UseCryptoLib=yes
CryptoLoginRequired=yes
For more information, see General section.
3 Define the solidDB service name with the General.PamServiceName parameter.
The General.PamServiceName parameter defines the solidDB program name that is used in the PAM configuration to define how solidDB users are authenticated.
4 Use the following steps to complete the PAM configuration based on your operating system:
For Linux: Create a file in the /etc/pam.d/ directory with the same name as the value you configured for the General.PamServiceName parameter. For example, if the General.PamServiceName parameter value is solid (default value), create a file named solid in the /etc/pam.d directory. Add the following lines to the file:
#%PAM-1.0
auth   include   system-auth
For AIX: Edit the PAM configuration file at /etc/pam.conf. Add the following lines to the file:
service_name    auth        required    module_path
service_name    account     required    module_path
service_name    password    required    module_path
service_name    session     required    module_path
where:
service_name defines the name of the solidDB service, as defined by the General.PamServiceName parameter,
module_path defines the name and path of the authentication module.
For example, if the General.PamServiceName parameter value is solid (default) and the authentication module you have installed and created on your system is /usr/lib/security/pam_ldap, add the following lines to the PAM configuration file:
solid    auth        required    pam_ldap
solid    account     required    pam_ldap
solid    password    required    pam_ldap
solid    session     required    pam_ldap
Instead of using custom-made PAM modules, you can use the pam_aix authentication module that is typically included in AIX installations.
For example:
solid    auth        required    pam_aix  use_new_state
solid    account     required    pam_aix
solid    password    required    pam_aix
solid    session     required    pam_aix
However, if you use the pam_aix module, the following limitations apply:
You must run solidDB as an administrator (root user). To connect to solidDB from a client running on an AIX system, the user does not need to have administrator rights.
The service name that is used in the /etc/pam.conf file must match the value of the General.PamServiceName parameter. If the entries do not match, the system uses the default PAM settings, which can cause an abnormal shutdown of the solidDB server.
For Solaris: Edit the PAM configuration file at /etc/pam.conf. Add the following lines to the file:
service_name account required   pam_ldap.so.1
service_name auth    required   pam_dhkeys.so.1
service_name auth    required   pam_unix_cred.so.1
service_name auth    sufficient pam_unix_auth.so.1
service_name auth    required   pam_ldap.so.1
service_name account required   pam_ldap.so.1
where service_name defines the name of the solidDB service, as defined by the General.PamServiceName parameter.
For example, if the General.PamServiceName parameter value is solid (default), add the following lines in the /etc/pam.conf file:
solid account required   pam_ldap.so.1
solid auth    requisite  pam_authtok_get.so.1
solid auth    required   pam_dhkeys.so.1
solid auth    required   pam_unix_cred.so.1
solid auth    sufficient pam_unix_auth.so.1
solid auth    required   pam_ldap.so.1
solid account required   pam_ldap.so.1
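The following preflight check is an added example, not part of the solidDB documentation or product. It reads the [General] settings from steps 2 and 3 and verifies that the PAM service name they resolve to has an auth rule, in either the Linux per-service file layout or the AIX and Solaris pam.conf layout. The function names (ini_get, pam_service_defined, check_extauth) are hypothetical, the sample files are constructed, and the script assumes that the keys in solid.ini are written exactly as shown on this page.

```shell
#!/bin/sh
# Added example (not solidDB code): preflight check of solid.ini against PAM config.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if present.
ini_get() {
    awk -F= -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); insec = ($0 == want); next }
        insec { k = $1; gsub(/[ \t]/, "", k)
                if (k == key) { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit } }
    ' "$1"
}

# pam_service_defined NAME PAM_D_DIR PAM_CONF: succeed if NAME has an auth rule.
pam_service_defined() {
    # Linux layout: one file per service, named after the service.
    [ -f "$2/$1" ] && grep -Eq '^[[:space:]]*auth[[:space:]]' "$2/$1" && return 0
    # AIX and Solaris layout: the service name is the first field in pam.conf.
    [ -f "$3" ] && awk -v s="$1" '$1 == s && $2 == "auth" { f = 1 } END { exit !f }' "$3"
}

# check_extauth INI PAM_D_DIR PAM_CONF: print findings, return 1 on any problem.
check_extauth() {
    rc=0
    for key in UseCryptoLib CryptoLoginRequired; do
        val=$(ini_get "$1" General "$key" | tr 'A-Z' 'a-z')
        [ "$val" = yes ] || { echo "FAIL: [General] $key is '${val:-unset}', expected yes"; rc=1; }
    done
    svc=$(ini_get "$1" General PamServiceName)
    svc=${svc:-solid}    # the page gives solid as the default service name
    if pam_service_defined "$svc" "$2" "$3"; then
        echo "OK: PAM service '$svc' has an auth rule"
    else
        echo "FAIL: no PAM auth rule for '$svc'; default PAM settings would apply"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files (not from a real system) so the check runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/pam.d"
printf '[General]\nUseCryptoLib=yes\nCryptoLoginRequired=yes\nPamServiceName=solid\n' \
    > "$demo/solid.ini"
printf '#%%PAM-1.0\nauth   include   system-auth\n' > "$demo/pam.d/solid"
check_extauth "$demo/solid.ini" "$demo/pam.d" "$demo/pam.conf" ||
    echo "Fix the findings above before starting the server."
```

In a test environment, pass the path of the server-side solid.ini file together with /etc/pam.d and /etc/pam.conf. The check only confirms that an auth rule exists for the service name; it does not validate the modules that the rule refers to.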