Configuring database server authentication with PAM (UNIX™, Linux™)
You can configure the database server to authenticate wire listener users with a pluggable authentication module (PAM).
Procedure
To configure PAM authentication for MongoDB, REST, or MQTT clients:
- Set the IFMXMONGOAUTH environment variable.
  For example:
  setenv IFMXMONGOAUTH 1
- Create a PAM service file that is named /etc/pam.d/pam_mongo and has the following contents:
  auth    required $INFORMIXDIR/lib/pam_mongo.so file=mongohash
  account required $INFORMIXDIR/lib/pam_mongo.so
  Replace $INFORMIXDIR with the value of the $INFORMIXDIR environment variable.
- On IBM® AIX® 64-bit computers, create a symbolic link that is named 64 and points to the lib directory by running the following commands:
  cd $INFORMIXDIR/lib
  ln -s . 64
- Edit the sqlhosts file to add a connection that uses PAM. Include the s=4 option. Specify the PAM service pam_mongo with the pam_serv option. Specify the password authentication mode with the pamauth option.
  For example:
  ol_informix1210 onsoctcp myhost 40000 s=4,pam_serv=pam_mongo,pamauth=password
- Enable connections from mapped users by setting the USERMAPPING configuration parameter to BASIC or ADMIN in the onconfig file.
- Set up mapping to an operating system user that has no privileges.
  For example, on a typical Linux™ system, the user nobody is appropriate. Add the following line to the /etc/informix/allowed.surrogates file:
  users:nobody
- Restart the database server.
- Create a PAM user for the wire listener. The user must be internally authenticated and map to the user nobody.
  For example, create a user that is named mongo by running the following SQL in the sysmaster database:
  CREATE USER 'mongo' WITH PASSWORD 'aPassword' PROPERTIES USER 'nobody';
  GRANT CONNECT TO 'mongo';
- Verify the creation of the user by running the following statement:
  SELECT * FROM sysuser:sysmongousers WHERE username='mongo';
  The result of the query shows the user and the hashed password:
  username         mongo
  hashed_password  bbb8f9630d5c6e094b9aedd945893faf
- Set the following parameters in the wire listener configuration file:
  - Enable authentication: Set authentication.enable=true.
  - Specify PAM authentication: Set db.authentication=informix-mongodb-cr.
  - Set the MongoDB version: Set mongo.api.version=2.6 or mongo.api.version=2.4. The PAM authentication method is not compatible with MongoDB version 3.0.
  - Optional: Specify the authentication timeout period by setting the listener.authentication.timeout parameter to the number of milliseconds after which authentication times out.
  - Specify the mapped user and password for connections, and have the password encoded and hashed, by setting the url parameter. Include the NONCE property, set to any 16-character string that contains only the digits 0-9 and the lower-case characters a-f (extended grep: [0-9a-f]{16}). For example:
    url=jdbc:informix-sqli://10.168.8.135:40000/sysmaster:USER=mongo;PASSWORD=aPassword;NONCE=0123456789abcdef
- Restart the wire listener.
- Create users that the database server authenticates with PAM by running the SQL statement CREATE USER.
  If you have existing MongoDB users, you must re-create those users in the database server.
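The settings in this procedure are spread over the sqlhosts file and the wire listener configuration file, and a single wrong value (a missing s=4, a mongo.api.version of 3.0, a NONCE with upper-case hex) silently leaves the listener without PAM authentication. The following Python script is an added example, not part of this page or of the Informix product: it parses a sqlhosts entry and a listener properties fragment, both constructed here to mirror the values above, and reports every setting that deviates from the procedure (s=4, pam_serv, pamauth=password, authentication.enable, db.authentication, a PAM-compatible mongo.api.version, a numeric timeout, and a NONCE matching [0-9a-f]{16}). The function names and the sample inputs are the script's own assumptions and are not Informix APIs.

```python
import re

# Constructed sample inputs (not copied from a live system); they mirror the
# values used in the procedure above.
SQLHOSTS_LINE = "ol_informix1210 onsoctcp myhost 40000 s=4,pam_serv=pam_mongo,pamauth=password"
LISTENER_PROPERTIES = """\
authentication.enable=true
db.authentication=informix-mongodb-cr
mongo.api.version=2.6
listener.authentication.timeout=15000
url=jdbc:informix-sqli://10.168.8.135:40000/sysmaster:USER=mongo;PASSWORD=aPassword;NONCE=0123456789abcdef
"""

# NONCE must be exactly 16 lower-case hex characters, as the procedure states.
NONCE_RE = re.compile(r"^[0-9a-f]{16}$")
# PAM authentication works with these MongoDB API versions; 3.0 is not compatible.
PAM_COMPATIBLE_API_VERSIONS = {"2.4", "2.6"}


def parse_sqlhosts_options(line):
    """Return the comma-separated option field (5th column) of a sqlhosts line as a dict."""
    fields = line.split()
    if len(fields) < 5:
        return {}
    opts = {}
    for item in fields[4].split(","):
        key, _, value = item.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def parse_properties(text):
    """Parse key=value lines; only the first '=' splits, so URLs keep their own '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_jdbc_url(url):
    """Return the ';'-separated connection properties that follow the database name."""
    tail = url.rsplit("/", 1)[-1]          # "sysmaster:USER=...;PASSWORD=...;NONCE=..."
    _, _, prop_str = tail.partition(":")
    props = {}
    for item in prop_str.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            props[key.strip()] = value.strip()  # tolerates stray spaces around ';'
    return props


def check_sqlhosts(line):
    """List what is missing for a PAM connection entry on one sqlhosts line."""
    opts = parse_sqlhosts_options(line)
    problems = []
    if opts.get("s") != "4":
        problems.append("s=4 (PAM) option not set")
    if "pam_serv" not in opts:
        problems.append("pam_serv option missing (expected pam_mongo)")
    if opts.get("pamauth") != "password":
        problems.append("pamauth=password not set")
    return problems


def check_listener_config(text):
    """List wire-listener settings that do not match the PAM procedure."""
    props = parse_properties(text)
    problems = []
    if props.get("authentication.enable") != "true":
        problems.append("authentication.enable must be true")
    if props.get("db.authentication") != "informix-mongodb-cr":
        problems.append("db.authentication must be informix-mongodb-cr")
    if props.get("mongo.api.version") not in PAM_COMPATIBLE_API_VERSIONS:
        problems.append("mongo.api.version must be 2.4 or 2.6 (PAM is not compatible with 3.0)")
    timeout = props.get("listener.authentication.timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append("listener.authentication.timeout must be an integer number of milliseconds")
    url_props = parse_jdbc_url(props.get("url", ""))
    if not url_props.get("USER"):
        problems.append("url is missing the USER property")
    if not url_props.get("PASSWORD"):
        problems.append("url is missing the PASSWORD property")
    if not NONCE_RE.match(url_props.get("NONCE", "")):
        problems.append("NONCE must be exactly 16 characters from [0-9a-f]")
    return problems


if __name__ == "__main__":
    for name, problems in (("sqlhosts", check_sqlhosts(SQLHOSTS_LINE)),
                           ("listener", check_listener_config(LISTENER_PROPERTIES))):
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the real files by reading them into SQLHOSTS_LINE and LISTENER_PROPERTIES; an empty problem list for both means the entry and the listener settings match the procedure, and each reported string names the single setting to correct.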