sybmapname converts external user principal names used in a Kerberos environment to the namespace of Adaptive Server user logins. sybmapname is a customizable shared object that maps names supplied in its input buffer to a name suitable for an Adaptive Server login in its output buffer.
You can use the sybmapname shared object to perform custom mapping between the user principal name and the Adaptive Server login name. The shared object is optionally loaded at server start-up, and the function syb__map_name that it contains is called after a successful Kerberos authentication and just before the user principal is mapped to a login in the syslogins table. This function is useful when the user principal name and the login name it should map to are not identical.
The customizable logic is the function:
syb__map_name(NAMEMAPTYPE *protocol, char *orig, int origlen, char *mapped, int *mappedlen)
Where:
NAMEMAPTYPE *protocol – refers to a structure reserved for usage of this function.
char *orig – is an input buffer that is not null-terminated.
int origlen – is the input buffer length. It should be less than or equal to 255 characters.
char *mapped – is an output buffer that should not be null-terminated.
int *mappedlen – is an output buffer length. It should be less than or equal to 30.
The function returns a value greater than 0 if the mapping succeeds, it returns a value of 0 if no mapping occurred, and it returns a value less than 0 when an error occurs in syb__map_name(). When an error occurs, a message displays in the Adaptive Server error log to report the mapping failure.
For example, to authenticate a Kerberos user on Adaptive Server:
Configure Adaptive Server to use the Kerberos security mechanism. See the Adaptive Server System Administration Guide and Open Client/Server documentation, and the white paper titled “Configuring Kerberos for Sybase” on the Sybase Web site.
A sample sybmapname.c file is located in $SYBASE/$SYBASE_ASE/sample/server/sybmapname.c.
Modify sybmapname.c to implement your logic. Take precautions while coding, as faulty code may interfere with the proper running of Adaptive Server. See “Precautions when using sybmapname”.
Build the shared object or DLL using the generic platform-specific makefile supplied. The makefile may need to be modified to suit your platform-specific settings.
Place the resulting shared object in a location specified in your $LD_LIBRARY_PATH on UNIX machines, or in your PATH variable on Windows machines. The file should have read and execute permissions for the sybase user.
Sybase recommends that only the “sybase” user is allowed read and execute permissions, and that all other access should be denied.
To verify your login to Adaptive Server using Kerberos authentication, assume that:
$SYBASE refers to your release and installation directory.
$SYBASE_ASE refers to the Adaptive Server version directory that contains your server binary.
$SYBASE_OCS refers to the Open Client/Server version directory.
Example 1 If a client’s principal name is user@REALM, and the corresponding entry in the syslogins table is user_REALM, then sybmapname can be coded to accept the input string user@realm and to convert the input string to the output string user_REALM.
Example 2 If the client principal name is user, and the corresponding entry in the syslogins table is USER, then sybmapname can be coded to accept the input string user and convert this string to the uppercase string USER.
sybmapname is loaded by Adaptive Server at runtime and uses its logic to do the necessary mapping.
The following actions and output further illustrate the sybmapname function described in Example 2. The sybmapname.c file containing the customized definition for syb__map_name() should be compiled and built as a shared object (or DLL), and finally placed in the appropriate path location. Start Adaptive Server with the Kerberos security mechanism enabled.
To initialize the Ticket Granting Ticket (TGT):
$ /krb5/bin/kinit johnd@public
Password for johnd@public:
$
To list the TGT:
$ /krb5/bin/klist
Cache Type: Kerberos V5 credentials cache
Cache Name: /krb5/tmp/cc/krb5cc_9781
Default principal: johnd@public
Log in as “sa” and verify the user login for “johnd”:
$ $SYBASE/$SYBASE_OCS/bin/isql -Usa -P -I`pwd`/interfaces
1>
1> sp_displaylogin johnd
2> go
No login with the specified name exists.
(return status = 1)
1> sp_displaylogin JOHND
2> go
Suid: 4
Loginame: JOHND
Fullname:
Default Database: master
Default Language:
Auto Login Script:
Configured Authorization:
Locked: NO
Password expiration interval: 0
Password expired: NO
Minimum password length: 6
Maximum failed logins: 0
Current failed login attempts:
Authenticate with: ANY
(return status = 0)
Successful Kerberos authentication, which maps lowercase johnd to uppercase JOHND using the sybmapname utility and allows user johnd to log in to Adaptive Server:
$ $SYBASE/$SYBASE_OCS/bin/isql -V -I`pwd`/interfaces
1>
Be aware of the following issues when coding for sybmapname:
Take care with the sample sybmapname.c program and any modifications to it. Avoid code that may cause a segmentation fault, call exit(), make system calls, change UNIX signal handling, or make blocking calls. Improper coding or calls may interfere with the Adaptive Server engine.
Sybase bears no responsibility for coding errors in sybmapname.
Code defensively, check all pointers before dereferencing them, and avoid system calls. The functions you write must be quick name-filtering functions.
Do not use goto statements since, depending on the platform, they may cause unexpected side effects.
If you use multiple realms, take care to map the user principal names to a suitable login name that reflects the realm information. For example, if you have two users whose user principal names are userA@REALMONE and userB@REALMTWO, respectively, map them to the login names userA_REALMONE and userB_REALMTWO instead of userA or userB. This distinguishes the two users who belong to different realms.
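As an added illustration (not the Sybase sample code), the following syb__map_name implements the realm-preserving mapping of Example 1 and of the multiple-realm precaution above, with the bounds and pointer checks the interface description calls for. NAMEMAPTYPE is a hypothetical stand-in for the type declared in the Sybase headers, and map_principal is a demo helper that is not part of the interface.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical stand-in for NAMEMAPTYPE; the real type comes from the
 * headers shipped with the Sybase sybmapname.c sample. */
typedef struct { int reserved; } NAMEMAPTYPE;
#define SYB_ORIG_MAX   255  /* input length limit from the documentation  */
#define SYB_MAPPED_MAX  30  /* output length limit from the documentation */
/* Maps "user@realm" to "user_REALM" ('@' -> '_', realm uppercased) so that
 * principals from different realms map to distinct logins.  Returns 1 if a
 * mapping was written, 0 if the input has no realm (left unmapped), -1 on a
 * bad argument or bounds error.  Neither buffer is NUL-terminated. */
int syb__map_name(NAMEMAPTYPE *protocol, char *orig, int origlen,
                  char *mapped, int *mappedlen)
{
    int at = -1, i;
    (void)protocol;                          /* reserved for the server */
    if (orig == NULL || mapped == NULL || mappedlen == NULL)
        return -1;
    if (origlen <= 0 || origlen > SYB_ORIG_MAX)
        return -1;
    for (i = 0; i < origlen && at < 0; i++)  /* bounded scan: no strchr on */
        if (orig[i] == '@')                  /* an unterminated buffer      */
            at = i;
    if (at < 0)
        return 0;                            /* plain user name: no mapping */
    if (at == 0 || at == origlen - 1 || origlen > SYB_MAPPED_MAX)
        return -1;                           /* empty part, or login too long */
    for (i = 0; i < origlen; i++)
        mapped[i] = (i < at) ? orig[i] : (i == at) ? '_'
                  : (char)toupper((unsigned char)orig[i]);
    *mappedlen = origlen;                    /* bytes written, no terminator */
    return 1;
}
/* Demo/test helper, not part of the Sybase interface: maps a C string and
 * leaves a NUL-terminated copy of the result in mapped_login. */
char mapped_login[SYB_MAPPED_MAX + 1];
int map_principal(const char *principal)
{
    char out[SYB_MAPPED_MAX];
    int n = 0;
    int rc = syb__map_name(NULL, (char *)principal, (int)strlen(principal), out, &n);
    mapped_login[0] = '\0';
    if (rc > 0) {
        memcpy(mapped_login, out, (size_t)n);
        mapped_login[n] = '\0';
    }
    return rc;
}
```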