After the LDAP security plug-ins have been configured in a DB2® instance, a user can connect to the databases using a variety of different user strings.
cn=John Smith, ou=Sales, o=WidgetCorp
A user's user ID is defined by an attribute associated with the user object (typically the uid attribute). It may be a simple string (such as jsmith), or it may look like an email address (such as jsmith@sales.widgetcorp.com) that reflects part of the organizational hierarchy.
A user's DB2 authorization ID is the name associated with that user within the DB2 database.
In the past, users were typically defined in the server's host operating system, and the user ID and authorization ID were the same (though the authorization ID is usually in uppercase). The DB2 LDAP plug-in modules give you the ability to associate different attributes of the LDAP user object with the user ID and the authorization ID. In most cases, the user ID and authorization ID can be the same string, and you can use the same attribute name for both the USERID_ATTRIBUTE and the AUTHID_ATTRIBUTE. However, if in your environment the user ID attribute typically contains extra information that you do not want to carry over to the authorization ID, you can configure a different AUTHID_ATTRIBUTE in the plug-in initialization file. The value of the AUTHID_ATTRIBUTE attribute is retrieved from the server and used as the internal DB2 representation of the user.
db2 connect to MYDB user 'jsmith@sales.widgetcorp.com' using 'pswd'
But internally, the DB2 database manager refers to the user using the short name retrieved using the AUTHID_ATTRIBUTE (jsmith in this case).
connect to MYDB user 'cn=John Smith, ou=Sales, o=WidgetCorp'
connect to MYDB user 'cn=John Smith'
connect to MYDB user uid=jsmith
connect to MYDB user jsmith
update dbm cfg using CLNT_PW_PLUGIN IBMLDAPauthclient
update dbm cfg using GROUP_PLUGIN IBMLDAPgroups
You must also update the LDAP plug-in configuration file, IBMLDAPSecurity.ini.
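The following fragment is an added illustration, not taken from the original page or from IBM's sample file. It shows how the user ID and authorization ID mapping described above could be expressed in the plug-in configuration file so that users connect with an email-style user ID while DB2 works internally with the short name. The host name, base DN, object class and the choice of the mail and uid attributes are assumptions made for this example.

```ini
; Constructed example values; adjust to your own directory.
; LDAP server the plug-ins contact (hypothetical host).
LDAP_HOST = ldap.example.com

; Where user objects live and which object class identifies them (assumed).
USER_OBJECTCLASS = inetOrgPerson
USER_BASEDN = o=WidgetCorp

; Attribute matched against the user string given on CONNECT.
; Assumed here to hold the email-style value jsmith@sales.widgetcorp.com.
USERID_ATTRIBUTE = mail

; Attribute whose value becomes the DB2 authorization ID.
; Assumed here to hold the short name jsmith, so privileges are
; granted to JSMITH rather than to the full email-style string.
AUTHID_ATTRIBUTE = uid
```

Because the authorization ID is what DB2 uses as its internal representation of the user, the attribute chosen for AUTHID_ATTRIBUTE should hold a value that is unique per user within the configured base DN.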