DB2 10.5 for Linux, UNIX, and Windows

Security plug-in support for two-part user IDs

The DB2® database manager on Windows supports the use of two-part user IDs, and the mapping of two-part user IDs to two-part authorization IDs.

For example, consider a Windows operating system two-part user ID composed of a domain and user ID such as: MEDWAY\pieter. In this example, MEDWAY is a domain and pieter is the user name. In DB2 database systems, you can specify whether this two-part user ID should be mapped to either a one-part authorization ID or a two-part authorization ID.

The mapping of a two-part user ID to a two-part authorization ID is supported, but is not the default behavior. By default, both one-part user IDs and two-part user IDs map to one-part authorization IDs. The mapping of a two-part user ID to a two-part authorization ID is supported, but is not the default behavior.

The default mapping of a two-part user ID to a one-part user ID allows a user to connect to the database using: 
db2 connect to db user MEDWAY\pieter using pw
In this situation, if the default behavior is used, the user ID MEDWAY\pieter is resolved to the authorization ID PIETER. If the support for mapping a two-part user ID to a two-part authorization ID is enabled, the authorization ID would be MEDWAY\PIETER.
To enable DB2 to map two-part user IDs to two-part authorization IDs, DB2 supplies two sets of authentication plug-ins:

If a user name in your work environment can be mapped to multiple accounts defined in different locations (such as local account, domain account, and trusted domain accounts), you can specify the plug-ins that enable two-part authorization ID mapping.

It is important to note that a one-part authorization ID, such as, PIETER and a two-part authorization ID that combines a domain and a user ID like MEDWAY\pieter are functionally distinct authorization IDs. The set of privileges associated with one of these authorization IDs can be completely distinct from the set of privileges associated with the other authorization ID. Care should be taken when working with one-part and two-part authorization IDs.

The following table identifies the kinds of plug-ins supplied by DB2 database systems, and the plug-in names for the specific authentication implementations.
Table 1. DB2 security plug-ins
Authentication type Name of one-part user ID plug-in Name of two-part user ID plug-in
User ID/password (client) IBMOSauthclient IBMOSauthclientTwoPart
User ID/password (server) IBMOSauthserver IBMOSauthserverTwoPart
Kerberos IBMkrb5 IBMkrb5TwoPart
Note: On Windows 64-bit platforms, the characters "64" are appended to the plug-in names listed here.

When you specify an authentication type that requires a user ID/password or Kerberos plug-in, the plug-ins that are listed in the "Name of one-part user ID plug-in" column in the previous table are used by default.

To map a two-part user ID to a two-part authorization ID, you must specify that the two-part plug-in, which is not the default plug-in, be used. Security plug-ins are specified at the instance level by setting the security related database manager configuration parameters as follows:

For server authentication that maps two-part user IDs to two-part authorization IDs, you must set:
For client authentication that maps two-part user IDs to two-part authorization IDs, you must set:
For Kerberos authentication that maps two-part user IDs to two-part authorization IDs, you must set:

The security plug-in libraries accept two-part user IDs specified in a Microsoft Windows Security Account Manager compatible format. For example, in the format: domain\user ID. Both the domain and user ID information will be used by the DB2 authentication and authorization processes at connection time.

You should consider implementing the two-part plug-ins when creating new databases to avoid conflicts with one-part authorization IDs in existing databases. New databases that use two-part authorization IDs must be created in a separate instance from databases that use single-part authorization IDs.

Related concepts:
DB2 and Windows security introduction
Related tasks:
Authentication with groups and domain security ( Windows)
Related reference:
clnt_krb_plugin - Client Kerberos plug-in configuration parameter
clnt_pw_plugin - Client userid-password plug-in configuration parameter
srvcon_gssplugin_list - List of GSS API plug-ins for incoming connections at the server configuration parameter
srvcon_pw_plugin - Userid-password plug-in for incoming connections at the server configuration parameter
Related information:
Domain security support ( Windows)