1 Configure the database
First modify the onconfig parameter USERMAPPING to BASIC value.
USERMAPPING configuration parameter (UNIX, Linux). Use the USERMAPPING configuration parameter to set whether or not the database server accepts connections from mapped users. default value OFF values OFF = Only users that are registered in the IBM® Informix® host computer OS with a login service can connect to the database server. Externally authenticated users without OS accounts on the Informix host computer cannot connect to database server resources. BASIC = Users can connect to Informix without an OS account. A user without an OS account cannot perform privileged user operations on the database server, even if the user maps to a server administrator user or group ID. ADMIN = Users can connect to Informix without an OS account. If a user has authenticated with the identity of a privileged user and is mapped to the proper server administrator group ID, the user can perform DBSA, DBSSO, or AAO work on the database server. takes effect After you edit your onconfig file and restart the database server. When you reset the value dynamically in your onconfig file by running the onmode -wf command. When you reset the value in memory by running the onmode -wm command. Usage Externally authenticated users without operating system (OS) accounts on the Informix host computer can access database server resources when USERMAPPING is turned on by setting the parameter with the BASIC or ADMIN value. The setting of BASIC or ADMIN also determines whether or not mapped users can be granted administrative privileges. Important: Changing the USERMAPPING configuration parameter from OFF to ADMIN or BASIC is not the only step in setting up Informix for mapped users. To map users with the appropriate user properties, you must also use DDL statements such as CREATE USER and ALTER USER to register values in appropriate system tables of the SYSUSER database. Depending on the DDL statement used and the defined table mapping, the following tables will be updated or populated: SYSINTAUTHUSERS SYSUSERMAP SYSSURORGATES SYSSURROGATEGROUPS
If exists HDR Replication it is necessary to configure USERMAPPING in the primary and secondary servers.
To get inmediate effect on this change you can execute:
onmode -wf USERMAPPING=BASIC
2 Create the surrogate user
Create a user in the OS, for example ifxsurr with HOME path in /home/ifxsurr. Execute the next commands as user root.
useradd -d /home/ifxsurr -s /bin/false ifxsurr
If exists HDR Replication it is necessary to create this user in the primary and secondary servers.
Edit the file /etc/informix/allowed.surrogates to add the user.
mkdir /etc/informix vi /etc/informix/allowed.surrogates
Add the user in this file.
Assign the owner and permissions to the file.
chown root:root /etc/informix/allowed.surrogates chmod 644 /etc/informix/allowed.surrogates
Reload the cache entry for this file.
onmode -cache surrogates
3 Create the mapped users
You can create the user with the following instruction connected to any database. At the next samples we use the name 'user_sample' as user name. Execute the next command as user informix.
echo "CREATE USER 'user_sample' WITH PASSWORD 'thepasswd' PROPERTIES USER 'ifxsurr'" | dbaccess any_database
The user will be created for the whole of instance.
Now you can find the user in the database sysuser as mapped user.
echo "SELECT * FROM sysusermap" | dbaccess sysuser
4 Grant permissions to user on the databases
For each database is needed to grant the users which will have access to the database with permissions: connect, resources, dba.
Assign the connect permission to this user for the database.
echo "GRANT CONNECT TO user_sample" | dbaccess the_database
At the referred database you can check the user with the permission type.
echo "SELECT * FROM sysusers WHERE username = 'user_sample'" | dbaccess the_database
5 Modify the password of mapped user
To modify the password you can use the following sentences:
ALTER USER 'user_sample' DROP PASSWORD; ALTER USER 'user_sample' ADD PASSWORD 'thepasswd';