Guys, I might be wrong here, but is this not a U2 problem? Should IBM not fix the software so that all access to UV consistently uses the same security function calls, so that the method of authentication is consistent across interfaces and, if you like, transparent to U2?
Phil Walker
+64 21 336294
[EMAIL PROTECTED]
Gnosys Consulting Limited
11 Woodward Road, Mount Albert, Auckland 1003, New Zealand

DISCLAIMER: This electronic message together with any attachments is confidential. If you are not the intended recipient, do not copy, disclose or use the contents in any way. Please also advise us by return e-mail that you have received the message and then please destroy. Gnosys Consulting Limited is not responsible for any changes made to this message and / or any attachments after sending by Gnosys Consulting Limited. We use virus scanning software but exclude all liability for viruses or anything similar in this email or any attachment.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Bennett
Sent: Tuesday, March 22, 2005 10:23 AM
To: [email protected]
Subject: Re: [U2] [AD]UniObjects and LDAP user authentication.

Gordon,

I was thinking about your problem further over the weekend. You can use our routines to authenticate from BASIC, but I think that being unable to directly authenticate with UniObjects is going to make you jump through some hoops.

You will need to have at least one local Unix user on the UniVerse box so that UniObjects can log in at all. This will give all your UniObjects users the same effective Unix username and permissions (not sure how important that is at your site). Once logged in you can then call our LDAP routines to authenticate a user/password for access to the system. Our routines support simple and SASL MD5-HASH authentication, optionally over SSL (if you can make the U2 SSL sockets work at your site).

I think this is a better solution than using LDAP on the webserver, because it is UV that decides if a user should have access, but it is still an inferior solution to direct UOJ authentication because you have to write and maintain code to decide if a user is authenticated separate to UOJ.
Problems with this setup are:

- Will Solaris allow the single UOJ user to be authenticated locally? (I would think this must be possible.)
- Can Solaris configure the UOJ user so that it can only be used for UOJ (telnet, ssh, ftp etc. disabled)? Setting a null shell would go part way, but it would be nice to limit their login further.
- You will need to store the UOJ username and password on the machine where the UOJ client runs (or distribute the username and password to all your users and have them authenticate twice). Both of these feel bad; you decide which is less so.
- If you use Unix level security to segregate access to data you will need to play with the AUTHORIZE statement to change the effective user id of the process. I just don't know if this will work from UOJ.

Craig

-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
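Two of the concerns Craig lists above (a shared UniObjects service account that should not be usable for interactive login, and a UOJ username/password that has to sit on the client machine) can at least be audited mechanically. The following is an added example written for this page, not code from the thread or from any U2 product. It assumes the service account is named `uojsvc`, that the set of non-interactive shells listed is what your platform uses (extend it for your system), and that the client-side credentials file should be readable only by its owner; the passwd entries and credentials file are constructed sample data.

```python
"""Audit two hardening points for a shared UniObjects (UOJ) service account:
the Unix account should have a non-interactive shell, and the credentials
file on the client host should be readable only by its owner.
Added example; not code from the thread or from any U2 product.
"""
import os
import stat
import tempfile

# Shells that deny interactive login. Paths vary per platform, so this is an
# assumption for the example; extend the set for your own system.
NON_INTERACTIVE_SHELLS = {
    "/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin",
}


def account_shell(passwd_text, username):
    """Return the login shell for username from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == username:
            return fields[6]
    return None


def shell_is_non_interactive(passwd_text, username):
    """True only if the account exists and its shell denies interactive login."""
    shell = account_shell(passwd_text, username)
    return shell is not None and shell in NON_INTERACTIVE_SHELLS


def credentials_file_is_private(path):
    """True if the file grants no permissions at all to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit(passwd_text, username, cred_path):
    """Run both checks and return a dict of check name -> pass/fail."""
    return {
        "non_interactive_shell": shell_is_non_interactive(passwd_text, username),
        "private_credentials_file": credentials_file_is_private(cred_path),
    }


# Constructed sample passwd entries (not taken from any real host).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "uojsvc:x:1501:1501:UniObjects service account:/home/uojsvc:/bin/false\n"
    "gordon:x:1502:1502:Gordon:/home/gordon:/bin/ksh\n"
)


def demo():
    """Create a temporary 0600 credentials file and audit the sample account."""
    fd, path = tempfile.mkstemp()
    try:
        # Placeholder credentials; never commit real ones to an example.
        os.write(fd, b"user=uojsvc\npassword=EXAMPLE-PLACEHOLDER\n")
        os.close(fd)
        os.chmod(path, 0o600)
        return audit(SAMPLE_PASSWD, "uojsvc", path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

In practice you would feed `account_shell` the server's real passwd data (or `getent passwd` output) and point `credentials_file_is_private` at the file the UOJ client actually reads; a failing check on either is a finding, since a login-capable shared account or a group/world-readable password file is exactly the exposure Craig is warning about.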
