Gordon,

I was thinking about your problem further over the weekend. You can use our routines to authenticate from BASIC but I think that being unable to directly authenticate with UniObjects is going to make you jump through some hoops.

You will need to have at least one local Unix user on the UniVerse box so that UniObjects can log in at all. This will give all your UniObjects users the same effective Unix username and permissions (not sure how important that is at your site).

Once logged in you can then call our LDAP routines to authenticate a user/password for access to the system. Our routines support simple and SASL MD5-HASH authentication, optionally over SSL (if you can make the U2 SSL sockets work at your site).

I think this is a better solution than using LDAP on the webserver, because it is UV that decides if a user should have access, but it is still an inferior solution to direct UOJ authentication because you have to write and maintain code to decide if a user is authenticated separately from UOJ.

Problems with this setup are:

- Will Solaris allow the single UOJ user to be authenticated locally? (I would think this must be possible.)

- Can Solaris configure the UOJ user so that it can only be used for UOJ (telnet, ssh, ftp etc. disabled)? Setting a null shell would go part way, but it would be nice to limit their login further.

- You will need to store the UOJ username and password on the machine where the UOJ client runs (or distribute the username and password to all your users and have them authenticate twice). Both of these feel bad; you decide which is less so.

- If you use Unix-level security to segregate access to data, you will need to play with the AUTHORIZE statement to change the effective user id of the process. I just don't know if this will work from UOJ.


Craig

-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/

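The message above leaves the choice between "simple" and "SASL MD5-HASH" (DIGEST-MD5) LDAP authentication, optionally over SSL, to the reader. The example below is added here and is not part of the original message or of the UniVerse LDAP routines it describes: it hand-encodes an LDAPv3 BindRequest in BER (RFC 4511) for both choices, decodes a BindResponse, and shows what a passive observer on an unencrypted connection recovers from each. The DN, password and server replies are constructed sample data.

```python
"""Hand-encoded LDAPv3 bind messages (RFC 4511 BER): what a 'simple' bind puts
on the wire versus a SASL (DIGEST-MD5) bind.

Added example; not from the original message or from the UniVerse routines it
describes.  The DN, password and server replies below are constructed sample data.
"""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61      # [APPLICATION 0] / [APPLICATION 1]
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3           # [0] OCTET STRING / [3] SEQUENCE

# LDAP result codes from RFC 4511 that matter for a bind
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                14: "saslBindInProgress", 49: "invalidCredentials"}


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=INTEGER):
    n = (value.bit_length() + 8) // 8          # +1 bit of room for the sign
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def parse_tlv(buf, off=0):
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def parse_seq(payload):
    """Split a constructed value into its list of (tag, value) children."""
    items, off = [], 0
    while off < len(payload):
        tag, val, off = parse_tlv(payload, off)
        items.append((tag, val))
    return items


def encode_simple_bind(message_id, dn, password):
    """AuthenticationChoice 'simple': the password is a plain OCTET STRING.
    Only SSL/TLS around the socket keeps it from anyone on the path."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(AUTH_SIMPLE, password.encode())
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def encode_sasl_bind(message_id, dn, mechanism, credentials=b""):
    """AuthenticationChoice 'sasl'.  A DIGEST-MD5 bind starts with no
    credentials; the server answers saslBindInProgress with a challenge and the
    password itself is never sent, only a digest over that challenge."""
    sasl = tlv(OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += tlv(OCTET_STRING, credentials)
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(AUTH_SASL, sasl)
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def encode_bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Server side of the exchange (constructed here for the demo)."""
    op = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, matched_dn.encode())
          + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, op))


def decode_bind_response(packet):
    tag, msg, _ = parse_tlv(packet)
    (_, mid), (op_tag, op) = parse_seq(msg)[:2]
    if tag != SEQUENCE or op_tag != BIND_RESPONSE:
        raise ValueError("not an LDAP BindResponse")
    (_, rc), (_, matched), (_, diag) = parse_seq(op)[:3]
    code = int.from_bytes(rc, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": code,
            "result": RESULT_NAMES.get(code, str(code)),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def sniff_simple_credentials(packet):
    """What a passive observer on an unencrypted link gets from one packet:
    (dn, password) for a simple bind, None for a SASL bind or any other message."""
    tag, msg, _ = parse_tlv(packet)
    children = parse_seq(msg)
    if tag != SEQUENCE or len(children) < 2 or children[1][0] != BIND_REQUEST:
        return None
    _, name, auth = parse_seq(children[1][1])[:3]
    if auth[0] == AUTH_SIMPLE:
        return name[1].decode(), auth[1].decode()
    return None


if __name__ == "__main__":
    DN, PW = "cn=gordon,ou=users,dc=example,dc=com", "hunter2"   # constructed sample data
    simple = encode_simple_bind(1, DN, PW)
    print("simple bind :", simple.hex(), "->", sniff_simple_credentials(simple))
    sasl = encode_sasl_bind(2, DN, "DIGEST-MD5")
    print("sasl bind   :", sasl.hex(), "->", sniff_simple_credentials(sasl))
    reply = encode_bind_response(1, 49, diagnostic="invalid credentials")  # constructed reply
    print("server reply:", decode_bind_response(reply))
```

Sending the simple-bind bytes over a socket wrapped with `ssl.SSLContext.wrap_socket` is what "optionally over SSL" buys: the same cleartext OCTET STRING goes out, but inside TLS. Without that wrapping, the sniffer function recovers the DN and password from the first packet of every login, which is the practical reason to prefer either the SSL option or the DIGEST-MD5 mechanism when the U2 SSL sockets cannot be made to work.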