Hi Chris

Regarding external authentication mechanisms, I can say that for the next major
version 7.7 it is planned to support external authentication mechanisms like
GSS/Kerberos and other security providers. This next major version is planned
for 2006.

Regards
Markus Özgen

MaxDB Team - SAP AG

-----Original Message-----
From: JUNG, Christian [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 17 August 2005 13:20
To: 'maxdb@lists.mysql.com'
Subject: MaxDB and security

Hi all!

I've read some interesting stuff about MaxDB 7.6.0.x and security:

---8<---
Kernel Runtime

Challenge/response authentication
Now the user connection to the database is based on a challenge/response
authentication. Therefore, intercepted connection information can not be
used illegally. However, this is not implemented yet for all clients.
---8<---

Then I searched about this feature and found some details. It seems that
MaxDB provides a self-designed challenge-response-mechanism for
authentication. The DBM-Server can tell the client which mechanisms it
supports. Are there any chances to support external mechanisms like
GSS/Kerberos? Or is SASL-support integrated?

Is there already some documentation for this feature and/or the SSL-stuff
[-> searched for it - but didn't find anything]? Where does MaxDB search
for its private key? Is client-authentication via SSL and a CA-Cert
possible?

Some time - eeh years - ago I found some neat patches of a SuSE-employee
(don't remember his name - sorry) to PAMify SAP DB. These were VERY small
patches. I'm highly interested in such a feature. With this it would be
possible to use the authentication mechanisms of the underlying OS (this is
interesting for a large database which is used by applications with named
users).

For the Not-UNIX-Guys: PAM stands for Pluggable Authentication Mechanism and
- for short - is a library which handles authentication under e.g. Linux.
Its purpose is to make an application unaware of the underlying
authentication mechanisms. For example 'login' (that's the program started
on a terminal where a user has to enter her username and password) can use
Kerberos or LDAP to authenticate a user without even the knowledge of how
Kerberos or LDAP works (this is done by the according PAM-module). Note:
Kerberos is then used for authentication but PAM still needs the username
and password and not for example the keytab of the user. PAM-modules just
say "yes this user is who she tells" or "no - don't know this one; get
away".

And now I hopped around five different issues so I better hop off ;-)


Bye+Thanks a lot
Chris

phone: +49 6898/10-4987
fax: +49 6898/10-54987
http://www.saarstahl.de

-- 
MaxDB Discussion Mailing List
For list archives: http://lists.mysql.com/maxdb
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
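
The property quoted in the message above (intercepted connection information cannot be reused) shown as an added example; it is not part of the original thread and is not MaxDB's actual mechanism, whose details the thread does not give. It assumes a generic HMAC-SHA256 scheme with a single-use server nonce; all class and function names and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key; the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_response(password: str, salt: bytes, nonce: bytes, user: str) -> bytes:
    # The answer is bound to this nonce, so it is useless for any other challenge.
    key = derive_key(password, salt)
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # user -> (salt, derived key); hypothetical store
        self.pending = {}  # user -> outstanding nonce, valid for one answer

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)  # fresh and unpredictable per attempt
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consume the challenge
        if nonce is None or user not in self.users:
            return False
        _, key = self.users[user]
        expected = hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    server = Server()
    server.add_user("chris", "constructed-password")  # constructed sample data
    salt, nonce = server.challenge("chris")
    captured = client_response("constructed-password", salt, nonce, "chris")
    legitimate = server.verify("chris", captured)     # real login
    replay_same = server.verify("chris", captured)    # nonce already consumed
    server.challenge("chris")                         # eavesdropper reconnects
    replay_fresh = server.verify("chris", captured)   # old answer, new nonce
    return legitimate, replay_same, replay_fresh

if __name__ == "__main__":
    print(demo())
```

The key stored on the server in this sketch is password-equivalent, so the scheme protects the wire exchange only, not a stolen credential store.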

