On Friday 17 February 2006 10:38 am, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] writes:
> > For those of you who are familiar with PAM, it would be an interesting
> > use for Derby.
>
> Just out of curiosity, what is PAM?
>

Ah. Sorry. PAM = Pluggable Authentication Module(s)

It's a gift from Sun. PAM can be used on Solaris, AIX, and most (if not all) Linux flavors. Don't know about HP-UX, but I think it's there as well....

PAM allows you to abstract the authentication method, and configure authentication methods without having to rewrite any code. (You just have to make your app PAM aware (read coding or configuration) and then point it to the correct PAM config file which tells which PAM modules to use.) You can even "stack" authentication modules.

To give you a real life example... Since there's a *ton* of IBMers (Heritage Informix folks too.) on this list.... Both Informix and DB2 use the Unix authentication method by default. This is really a legacy issue that at the time, made some sense while Sybase and Oracle managed their own user authentication. (Ok so I *am* showing my age here... ;-)

Recently, DB2 and Informix have been modified to take advantage of PAM when running on OSs that support PAM. What this does is allow for the database to take advantage of different authentication strategies. Like... RSA key fobs, LDAP, RADIUS, Physical Card or Hardware required access, and even biometrics... Or a combination of these methods. So you can really lock down your access points and users.

There are a couple of different modules out there and it's not too difficult to write your own. (Ok, on a scale of 1 to 10, it's about a 5 to write, but an 8 to implement.)

The idea of using a database, especially an embedded database makes a lot of sense. To give you a real life example... I'm working on a sales force automation app and DW that has about 200+ users with an anticipated growth of 200 more users this year... along with staff turnovers, it means for a lot of maintenance. Since the client doesn't have any internal "IT" staff, I don't want to get stuck maintaining 200+ unix accounts. Hence PAM.

Since IDS 10.0 is already PAM enabled, it makes a lot of sense to use a PAM module that would allow me to maintain a separate passwd file/db for authentication. Since I'm using Informix for the DW, why not use it for the authentication module itself? I'm rewriting someone's existing PAM module. This way, all I need to do is to write a Java maintenance app that would allow the admin to manage the user database and to reset passwords or to lock someone out of the database.

Now, we can do the same sort of thing using Derby as the database holding the data. Since it can be embedded, we can add some more intelligence to the PAM module, to allow for maintenance.

Actually in a more generic application sense... having an embedded DB in the authentication module does make sense. (And of course there are some design permutations which are also really cool too.)

It's kind of cool ... Does that explain it?

> > The trick is that you'd have to write the module in C to connect to
> > derby..
>
> Connect as in connecting to the NetworkServer through DRDA, or
> accessing Derby from C inside the same process?

Well, I haven't really thought about all of the particulars. If it's embedded, then it would be the C program using JNI? Or if you used the networked version, then yeah, you'd use something like a DRDA gateway from the CSDK.

Again, I really hadn't thought the use of Derby out yet. Was sort of thinking about it as I worked on the Informix version....

Just wondering if anyone else saw the same potential...

--
Michael Segel
Principal
Michael Segel Consulting Corp.
[EMAIL PROTECTED]
(312) 952-8175 [mobile]
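
The module "stacking" the message mentions, modelled as an added example that is not part of the original post: a simplified Python evaluator for the `required`, `requisite` and `sufficient` control flags of a Linux-PAM service file (the `optional` flag and bracketed controls are left out). The service name `exampledb`, the sample stack and the per-module outcomes are constructed for illustration.

```python
# Simplified model of how Linux-PAM walks a stacked "auth" section.
# The service file below is constructed sample input, not a vendor config.

SAMPLE_STACK = """\
# /etc/pam.d/exampledb   (hypothetical service name)
auth  requisite   pam_nologin.so
auth  sufficient  pam_unix.so
auth  required    pam_ldap.so
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for one module type, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure).
    Returns (granted, modules_consulted)."""
    failed_required = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "requisite":
            if not ok:
                return False, ran        # deny at once, skip the rest
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                failed_required = True   # remembered, stack keeps running
        elif control == "sufficient":
            if ok and not failed_required:
                return True, ran         # grant at once, skip the rest
            # a failing "sufficient" module is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    # Fail closed: at least one success and no failed "required" module.
    return (any_success and not failed_required), ran
```

Reordering the lines changes the result: moving `pam_unix.so` above `pam_nologin.so` would let a local password succeed before the nologin check is ever consulted.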
