IBM Support

Error -952 using transparent LDAP user authentication

Troubleshooting


Problem

Error -952 on a database user authentication attempt against an Informix instance, although the user can successfully log on at the operating system.

Symptom

A user with credentials stored in an LDAP server can log on at the operating system on which an Informix instance is running, but receives an error -952 when trying to connect to this instance with username and password. There is no PAM port configured at the Informix side, so the LDAP credentials will be received via standard API calls (this is what the "transparent" usage of LDAP means here).

The error shown in the Informix instance message log file will be similar to the following:

Password Validation for user [user1] failed!
Check for password aging/account lock-out.
listener-thread: err = -952: oserr = 0: errstr = [email protected]: User ([email protected])'s password is not correct for the database server.

Cause

For a connection without PAM configured at the Informix side, the username and password verification performed by Informix relies on receiving the stored password hash from a standard operating system API call. This stored hash is then compared with the hash of the password the user provided; when the two match, the user is authenticated.

If the user credentials reside in an LDAP server, this LDAP server must be configured to allow the hashed password to be sent to an LDAP client.

Additionally, the LDAP client needs to be configured to request this password hash.
(The usual alternative client configuration is to let the password comparison be done at the LDAP server. In that case the password hash is not sent to the client, which has the same effect as an LDAP server that does not allow the hash to be sent out.)

Furthermore, the crypt() library call needs to be configured so that it is compatible with the password hashing scheme used at the LDAP server side.

If not all of these conditions are met, the user authentication will result in the error -952.

Diagnosing The Problem

This problem may apply if the user can log on at the operating system Informix is running on, the user credentials are stored in an LDAP server, and Informix is not configured to use PAM for this connection request.
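As an added diagnostic example (not part of the IBM document), the script below classifies the password field the operating system returns for a user, which is what a non-PAM Informix listener receives and hands to crypt(). It assumes that getent shadow on the Informix host is backed by the LDAP client; the classification names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: inspect what the OS hands back as a user's password hash,
# i.e. what a non-PAM Informix listener would feed to crypt() for comparison.
# Assumes 'getent shadow' is wired to the LDAP client (nss_ldap/sssd/...).

# classify_hash HASHFIELD -> prints one word describing the value
classify_hash() {
  h=$1
  case "$h" in
    ""|x|"*"|"*NP*"|"*LK*"|"!!")
      # Placeholder only: the LDAP server or client did not release a hash.
      echo not-exposed ;;
    "!"*)
      # Locked account: crypt() can never reproduce this string.
      echo locked ;;
    "{"*"}"*)
      # Raw LDAP userPassword scheme ({SSHA}, {CRYPT}, ...) passed through:
      # crypt() cannot compare against it unless the client strips the prefix.
      echo ldap-scheme ;;
    "$"*"$"*)
      # Modular crypt format ($1$, $5$, $6$, $y$ ...): usable only if this
      # host's crypt() supports the scheme id between the first two '$'.
      id=${h#\$}; id=${id%%\$*}
      echo "mcf-$id" ;;
    *)
      # 13 characters from the crypt alphabet: traditional DES crypt.
      if [ "${#h}" -eq 13 ]; then
        case "$h" in
          *[!./0-9A-Za-z]*) echo unknown ;;
          *) echo des ;;
        esac
      else
        echo unknown
      fi ;;
  esac
}

# diagnose_user USERNAME -> classification of the user's shadow entry.
# Reading shadow data needs privilege (run as root on the Informix host).
diagnose_user() {
  field=$(getent shadow "$1" 2>/dev/null | cut -d: -f2)
  classify_hash "$field"
}

# Usage: diagnose_user user1
```

Anything other than a des or mcf-* result means the non-PAM comparison cannot succeed, which matches the conditions listed under Cause; an mcf-* result still requires that the local crypt() supports that scheme id.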

Resolving The Problem

You will need to either change the LDAP server and client configuration (the procedure varies between LDAP servers from particular vendors, and it may also have unwanted security implications; please consult the documentation of your LDAP server or contact the vendor), or configure the PAM feature at the Informix side to make use of the LDAP user repository.

Product: Informix Servers
Component: Informix Internet Foundation
Platform: AIX, HP-UX, Linux, OS X, Solaris, Windows
Version: 11.1, 11.5, 11.7, 12.1

Document Information

Modified date:
16 June 2018

UID

swg21682007