Application development for authentication modules

The authentication method depends on the PAM or LDAP Authentication Support module installed.

The authentication method can involve challenge and response. When the PAM or LDAP Authentication Support module raises a challenge, these processes occur:

  1. The database server forwards the challenge to the client.
  2. The application must respond to the challenge by using a callback function that is provided by an API in the (Client SDK), such as the Java Database Connectivity (JDBC) Driver.
  3. If the server to which the client is connecting is set up for challenge, the application must register a callback function with a Client SDK component.
  4. When the Client SDK API receives a challenge from the server, the challenge is forwarded to the application by the callback function.
  5. The application must respond to the challenge.
  6. The Client SDK component forwards the response to the database server.

The application must be prepared to respond to multiple challenges and cannot assume the number of challenges or the challenges themselves.

The following example shows syntax of the callback function:
mint ifx_pam_callback(mint (*callbackfunc_ptr)(char *challenge,
 char *response, mint msg_style))
char *challenge
the character buffer in which the challenge is given by the server. The size of the buffer is fixed at 512 bytes, defined by PAM_MAX_MSG_SIZE in the pam_appl.h file.
char *response
the character buffer in which the response is provided by the user. The size of the buffer is fixed at 512 bytes, defined by PAM_MAX_RESP_SIZE in the pam_appl.h file.
int msg_style
contains a number that indicates the type of the message given by the server. Based on the type of the response, the application can take appropriate action in the callback function.

The client application must register the callback function before making the first connection. If the callback function is not registered when the first connection is made to the database server, and the server responds, then ESQL/C returns error -1809.

The following example shows a very simple program that first registers a callback function and then unregisters it.

#include <stdio.h>
#include <security/pam_appl.h>

static int user_callback(char *challenge, char *response,
 int msg_style);

int main(void)
{
    EXEC SQL char passwd[]="password";
    int retval = 0;

    /* first register the callback */
    retval = ifx_pam_callback(user_callback);

    if (retval == -1)
    {
        printf("Error in registering callback\n");
        return (-1);
    }
    else
    {
        EXEC SQL database test; /* successful connection */
        /* Note that this is an implicit connection. So, the
         * application should be ready to respond to challenges.*/
        printf ("sqlcode on pam connect = %d\n", SQLCODE);
    }

    retval = ifx_pam_callback(NULL); /* unregister the callback
                                      * function */

    if (retval == -1)
    {
        printf("Error in registering callback\n");
        return (-1);
    }
    else
    {
    /* This connection throw error -1809, since the callback 
    * function was unregistered statement */
         EXEC SQL database test;
        printf ("sqlcode on connect = %d\n", SQLCODE);
    }
    return 0;
}


static int user_callback(char *challenge, char *response,
 int msg_style)
{
    switch (msg_style)
    {
        /* If the msg_style is PAM_PROMPT_ECHO_OFF, the                   
         * application should not echo the user's response. */
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON :
                printf("%s: %d:", challenge, msg_style);
                scanf("%.*s", PAM_MAX_RESP_SIZE, response);
                break;

        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
        default:
                printf("%s: %d\n", challenge, msg_style);
               break;
    }
    return 0;
}