Identification and authentication (I&A) refers to the features Adaptive Server uses to positively identify a user. Once a user has been identified, access control mechanisms and individual accountability are enforced.
Adaptive Server 12.5.2 supports the following new and enhanced I&A features:
Enhanced Kerberos
LDAP user authentication
PAM user authentication
Enhanced login controls
Kerberos is a network authentication protocol that uses secret key cryptography so that a client can prove its identity to a server across a network connection. User credentials are obtained when the user logs in to the operating system, or by executing an authentication program. These credentials are then used by each application to perform authentication. Users only have to log in once, instead of having to log in to each application.
Adaptive Server 12.5.2 supports Kerberos through:
CyberSafe Kerberos libraries on the following platforms:
Sun Solaris 32-bit
Sun Solaris 64-bit (new to Adaptive Server version 12.5.2)
Windows
AIX 32-bit
MIT Kerberos libraries version 1.3.1 on the following platforms (new to Adaptive Server version 12.5.2):
Sun Solaris 32-bit
Sun Solaris 64-bit
Linux 32-bit
Native libraries on the following platforms (new to Adaptive Server version 12.5.2):
Sun Solaris 32-bit
Sun Solaris 64-bit
Linux 32-bit
To enable Kerberos security options, you must have ASE_SECDIR, the “Security and directory services” package.
LDAP externalizes authentication. When you are using LDAP, authentication decisions are based on whether Adaptive Server can successfully bind to a specified LDAP server on behalf of the user. To bind to an LDAP server, Adaptive Server uses a distinguished name (DN) extracted from the specified LDAP URL.
When LDAP is enabled, password management is delegated to the LDAP service providers.
As of Adaptive Server version 12.5.2, LDAP-authenticated users must already exist as valid logins in Adaptive Server. To create new Adaptive Server logins for LDAP-authenticated users automatically, issue:
sp_maplogin LDAP, NULL, "create login"
Alternatively, LDAP-authenticated users can be mapped to existing Adaptive Server users. For example:
sp_maplogin NULL, "externuser", "aseuser"
Adaptive Server version 12.5.2 introduces Pluggable Authentication Modules (PAM) support, which allows multiple authentication service modules to be stacked and made available without modifying the applications that require the authentication.
PAM integrates Adaptive Server more closely with Sun and Linux operating systems and simplifies the management and administration of user accounts and authentication mechanisms. PAM reduces the total cost of ownership through this closer integration. An additional benefit is that users can customize or write their own authentication and authorization modules.
PAM support is currently available on Linux and on Solaris platforms. For more information on PAM user authentication, see your operating system documentation.
Adaptive Server version 12.5.2 introduces several new ways to control authentication:
authenticate with – the authentication mechanism is defined when you log in. The enable pam user auth and enable ldap user auth settings enable PAM and LDAP, respectively. You can also force a login to use a specific authentication process by using the new options to sp_modifylogin and sp_addlogin. For more information, see the Reference Manual: Procedures.
sp_maplogin – allows you to map external users to Adaptive Server logins.
sp_helpmaplogin – displays mapping information.
@@authmech – specifies the current authentication mechanism.
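The login controls listed above, combined into one isql session. This is an added example and is not taken from the Sybase documentation; the login names externuser, aseuser and batchuser are constructed, and the sp_configure value and the "ASE" mechanism name are assumptions to check against the Reference Manual: Procedures.

```sql
-- Added example. Run as a login with the System Security Officer role.
-- Login names below are constructed for illustration.

-- Turn on LDAP user authentication (parameter named on this page;
-- the value 1 is an assumption, see the lead-in).
sp_configure "enable ldap user auth", 1
go

-- Option A: map one external user to an existing Adaptive Server login.
-- Only users mapped this way (or who already have a login) can connect,
-- so the set of database logins stays under the administrator's control.
sp_maplogin NULL, "externuser", "aseuser"
go

-- Option B: create a login automatically for any LDAP-authenticated user.
-- Every identity that can bind to the LDAP server then receives an
-- Adaptive Server login, so the directory becomes the gatekeeper.
-- sp_maplogin LDAP, NULL, "create login"
-- go

-- Force one login to a single mechanism. Here a local batch account is
-- restricted to Adaptive Server's own password check.
sp_modifylogin "batchuser", "authenticate with", "ASE"
go

-- Review the mappings now in effect.
sp_helpmaplogin
go

-- From a user session: confirm which mechanism authenticated this login.
select suser_name(), @@authmech
go
```

Checking @@authmech from a test connection after each change confirms that a login is authenticating through the mechanism you intended.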
Copyright © 2005. Sybase Inc. All rights reserved.