DB2 10.5 for Linux, UNIX, and Windows

LDAP-based authentication and group lookup support

The DB2® database manager and DB2 Connect™ support LDAP-based authentication and group lookup functionality through the use of LDAP security plug-in modules and also through transparent LDAP.

LDAP-based authentication support has been enhanced on the AIX® operating system. Starting with DB2 V9.7 Fix Pack 1, transparent LDAP support has also been extended to the Linux, HP-UX and Solaris operating systems, at the same version levels that the DB2 product supports. Transparent LDAP authentication enables central management of user authentication and group membership: you configure DB2 instances to authenticate users and acquire their groups through the operating system, and the operating system in turn performs the authentication against an LDAP server. To enable transparent LDAP authentication, set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Supported operating systems are:
Another option for implementing LDAP-based authentication is through the use of LDAP security plug-ins. LDAP security plug-in modules allow the DB2 database manager to authenticate users defined in an LDAP directory, removing the requirement that users and groups be defined to the operating system. Supported operating systems are:
Supported LDAP servers for use with security plug-in modules are:
Note: When you use the LDAP plug-in modules, all users associated with the database must be defined on the LDAP server. This includes both the DB2 instance owner ID as well as the fenced user. (These users are typically defined in the operating system, but must also be defined in LDAP.) Similarly, if you use the LDAP group plug-in module, any groups required for authorization must be defined on the LDAP server. This includes the SYSADM, SYSMAINT, SYSCTRL and SYSMON groups defined in the database manager configuration.

DB2 security plug-in modules are available for server-side authentication, client-side authentication and group lookup, described later. Depending on your specific environment, you may need to use one, two or all three types of plug-in.

To use DB2 security plug-in modules, follow these steps:
  1. Decide if you need server, client, or group plug-in modules, or a combination of these modules.
  2. Configure the plug-in modules by setting values in the IBM LDAP security plug-in configuration file (default name is IBMLDAPSecurity.ini). You will need to consult with your LDAP administrator to determine appropriate values.
  3. Enable the plug-in modules.
  4. Test connecting with various LDAP User IDs.

Server authentication plug-in

The server authentication plug-in module performs server validation of user IDs and passwords supplied by clients on CONNECT and ATTACH statements. It also provides a way to map LDAP user IDs to DB2 authorization IDs, if required. The server plug-in module is generally required if you want users to authenticate to the DB2 database manager using their LDAP user ID and password.

Client authentication plug-in

The client authentication plug-in module is used where user ID and password validation occurs on the client system; that is, where the DB2 server is configured with SRVCON_AUTH or AUTHENTICATION settings of CLIENT. The client validates any user IDs and passwords supplied on CONNECT or ATTACH statements, and sends only the user ID to the DB2 server. Note that CLIENT authentication is difficult to secure, because the server trusts whatever user ID the client presents, and it is not generally recommended.

The client authentication plug-in module may also be required if the local operating system user IDs on the database server are different from the DB2 authorization IDs associated with those users. You can use the client-side plug-in to map local operating system user IDs to DB2 authorization IDs before performing authorization checks for local commands on the database server, such as db2start.

Group lookup plug-in

The group lookup plug-in module retrieves group membership information from the LDAP server for a particular user. It is required if you want to use LDAP to store your group definitions. The most common scenario is where:
  • All users and groups are defined in the LDAP server
  • Any users defined locally on the database server are also defined with the same user ID on the LDAP server (including the instance owner and the fenced user)
  • Password validation occurs on the DB2 server (that is, an AUTHENTICATION or SRVCON_AUTH value of SERVER, SERVER_ENCRYPT or DATA_ENCRYPT is set in the server DBM config file).
It is generally sufficient to install only the server authentication plug-in module and the group lookup plug-in module on the server. DB2 clients typically do not need to have the LDAP plug-in module installed.
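The following script is an added example, not code from the DB2 product or its documentation, that carries out the four-step procedure above for the common scenario just described: users and groups live in LDAP, password validation stays on the DB2 server (SERVER_ENCRYPT), and only the server authentication plug-in and the group lookup plug-in are enabled. It writes an IBMLDAPSecurity.ini, checks it for the settings a practitioner would insist on before enabling the plug-ins, and applies the database manager configuration. Assumptions: the ini key names follow IBM's documented IBMLDAPSecurity.ini keys, the plug-in library names IBMLDAPauthserver and IBMLDAPgroups and the DBM CFG parameters SRVCON_PW_PLUGIN, GROUP_PLUGIN and SRVCON_AUTH are as shipped with DB2, DB2LDAPSecurityConfig is accepted by db2set to relocate the ini file, and every hostname, DN, attribute name and path in the file is a constructed placeholder for this illustration. The functions write_ldap_ini, check_ldap_ini and apply_ldap_plugins are this example's own names.

```shell
#!/bin/sh
# Added example (not IBM's code): enable the IBM LDAP security plug-ins for the
# common scenario: server-side password validation plus LDAP group lookup.
# All hostnames, DNs, attribute names and paths below are constructed placeholders.
set -eu

# Default ini location when DB2LDAPSecurityConfig is not set (assumed to be the
# instance's sqllib/cfg directory under the instance owner's home directory).
DEFAULT_INI="${HOME}/sqllib/cfg/IBMLDAPSecurity.ini"

# write_ldap_ini PATH BIND_PW: write the plug-in configuration with owner-only
# permissions. The file carries SEARCH_PW, the password of the DN that the plug-ins
# bind with for user and group searches, so it must not be world-readable.
write_ldap_ini() {
    ini="$1"
    bind_pw="$2"
    (
        umask 077
        cat > "$ini" <<EOF
; IBMLDAPSecurity.ini - constructed example values, not a production configuration
LDAP_HOST = ldap.example.com:636
; Simple binds carry the user's password, so require TLS to the directory server.
ENABLE_SSL = TRUE
SSL_KEYFILE = ${HOME}/sqllib/security/ldapkey.kdb
; Identity the plug-ins bind as when searching for users and groups.
SEARCH_DN = cn=db2bind,ou=services,dc=example,dc=com
SEARCH_PW = ${bind_pw}
; Where users live, and which attribute holds the login ID and the DB2 AUTHID.
USER_BASEDN = ou=people,dc=example,dc=com
USER_OBJECTCLASS = inetOrgPerson
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
; Where groups live; membership is found by searching groups whose "member"
; attribute contains the user's DN (SEARCH_BY_DN).
GROUP_BASEDN = ou=groups,dc=example,dc=com
GROUP_OBJECTCLASS = groupOfNames
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
NESTED_GROUPS = FALSE
EOF
    )
    chmod 600 "$ini"
}

# check_ldap_ini PATH: reject a configuration that is incomplete, would send
# passwords in the clear, or names a bind DN it cannot bind with. Returns 0 if OK.
check_ldap_ini() {
    ini="$1"
    for key in LDAP_HOST USER_BASEDN USERID_ATTRIBUTE AUTHID_ATTRIBUTE \
               GROUP_BASEDN GROUP_OBJECTCLASS GROUPNAME_ATTRIBUTE \
               GROUP_LOOKUP_METHOD GROUP_LOOKUP_ATTRIBUTE; do
        grep -q "^${key}[[:space:]]*=" "$ini" || { echo "missing $key" >&2; return 1; }
    done
    # This TLS requirement is this example's hardening choice, not a product rule.
    grep -qi "^ENABLE_SSL[[:space:]]*=[[:space:]]*TRUE" "$ini" \
        || { echo "ENABLE_SSL must be TRUE" >&2; return 1; }
    if grep -q "^SEARCH_DN[[:space:]]*=" "$ini" && ! grep -q "^SEARCH_PW[[:space:]]*=" "$ini"; then
        echo "SEARCH_DN set without SEARCH_PW" >&2
        return 1
    fi
    return 0
}

# apply_ldap_plugins PATH: point the instance at the ini file, enable the server
# password plug-in and the group plug-in, keep password validation on the server
# (SERVER_ENCRYPT, so no client plug-in is needed), and restart the instance.
apply_ldap_plugins() {
    ini="$1"
    db2set DB2LDAPSecurityConfig="$ini"
    db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver \
                             GROUP_PLUGIN IBMLDAPgroups \
                             SRVCON_AUTH SERVER_ENCRYPT
    db2stop force
    db2start
}

# Usage: DB2_LDAP_BIND_PW='...' sh db2_ldap_plugins.sh apply [ini-path]
if [ "${1:-}" = "apply" ]; then
    ini="${2:-$DEFAULT_INI}"
    write_ldap_ini "$ini" "${DB2_LDAP_BIND_PW:?set the bind password in DB2_LDAP_BIND_PW}"
    check_ldap_ini "$ini"
    apply_ldap_plugins "$ini"
    echo "LDAP plug-ins enabled; test with: db2 connect to <db> user <ldap-user>"
fi
```

Run it as the instance owner. Step 4 of the procedure is then a connection as an LDAP user followed by `db2 "select * from table(sysproc.auth_list_groups_for_authid('<AUTHID>'))"`, which shows whether the group plug-in is returning the LDAP groups; remember that the instance owner, the fenced user and the SYSADM/SYSCTRL/SYSMAINT/SYSMON groups must exist in LDAP before the restart, or the instance owner loses administrative authority.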

It is possible to use only the LDAP group lookup plug-in module in combination with some other form of authentication plug-in (such as Kerberos). In this case, the LDAP group lookup plug-in module is given the DB2 authorization ID associated with the user. The plug-in module searches the LDAP directory for a user object whose AUTHID_ATTRIBUTE matches that authorization ID, then retrieves the groups associated with that user object.