To configure the LDAP plug-in modules, you need to update
your IBM® LDAP security plug-in
configuration file to suit your environment. In most cases, you will
need to consult with your LDAP administrator to determine the appropriate
configuration values.
The default name and location for the IBM LDAP security plug-in configuration file
is:
- On UNIX: INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
- On Windows: %DB2PATH%\cfg\IBMLDAPSecurity.ini
Optionally, you can specify the location of this file using the
DB2LDAPSecurityConfig environment variable. On Windows, you should set DB2LDAPSecurityConfig
in the global system environment, to ensure it is picked up by the DB2® service.
The following tables provide information to help you determine
appropriate configuration values.
Table 1. Server-related
valuesParameter |
Description |
LDAP_HOST |
The name of your LDAP server(s).
This is a space separated list of LDAP server host names
or IP addresses, with an optional port number for each one.
For example: host1[:port] [host2:[port2] ... ]
The default port number is 389, or 636 if SSL is enabled.
|
ENABLE_SSL |
To enable SSL support, set ENABLE_SSL to TRUE (you must have
the GSKit installed). This is an optional parameter; it defaults to
FALSE (no SSL support).
|
SSL_KEYFILE |
The path for the SSL keyring.
A keyfile is only required if your LDAP server is using a
certificate that is not automatically trusted by your GSKit
installation.
For example:SSL_KEYFILE = /home/db2inst1/IBMLDAPSecurity.kdb
|
SSL_PW |
The SSL keyring password. For example: SSL_PW
= keyfile-password |
SECURITY_PROTOCOL |
To enable TLS 1.2 support, set SECURITY_PROTOCOL to TLSV12.
To enable TLS 1.0, 1.1, and 1.2 support, set SECURITY_PROTOCOL to ALL.
By default, SECURITY_PROTOCOL is not set. This setting means TLS 1.2 is not supported.
|
Table 2. User-related valuesParameter |
Description |
USER_
OBJECTCLASS
|
The LDAP object class used for users.
Generally, set USER_OBJECTCLASS to inetOrgPerson (the user
for Microsoft Active Directory)
For example: USER_OBJECTCLASS = inetOrgPerson
|
USER_BASEDN |
The LDAP base DN to use when searching for users.
If not specified, user searches start at the root of the
LDAP directory. Some LDAP servers require that you
specify a value for this parameter.
For example: USER_BASEDN = o=ibm
|
USERID_
ATTRIBUTE
|
The LDAP user attribute that represents the user ID.
The USERID_ATTRIBUTE attribute is combined with the
USER_OBJECTCLASS and USER_BASEDN (if specified)
to construct an LDAP search filter when a user issues a
DB2 CONNECT statement with an unqualified user ID.
For example, if USERID_ATTRIBUTE = uid, then issuing
this statement:
db2 connect to MYDB user bob using bobpass
results in the following search filter:
&(objectClass=inetOrgPerson)(uid=bob)
|
AUTHID_
ATTRIBUTE
|
The LDAP user attribute that represents the DB2 authorization ID.
Usually this is the same as the USERID_ATTRIBUTE.
For example: AUTHID_ATTRIBUTE = uid
|
Table 3. Group-related valuesParameter |
Description |
GROUP_
OBJECTCLASS
|
The LDAP object class used for groups.
Generally this is groupOfNames or groupOfUniqueNames
(for Microsoft Active Directory, it is group)
For example: GROUP_OBJECTCLASS = groupOfNames
|
GROUP_BASEDN |
The LDAP base DN to use when searching for groups
If not specified, group searches start at the root of the
LDAP directory. Some LDAP servers require that you
specify a value for this parameter.
For example: GROUP_BASEDN = o=ibm
|
GROUPNAME_
ATTRIBUTE
|
The LDAP group attribute that represents the name of the
group.
For example: GROUPNAME_ATTRIBUTE = cn
|
GROUP_LOOKUP_
METHOD
|
Determines the method used to find the group
memberships for a user. Possible values are:- SEARCH_BY_DN Indicates to search for groups that list the user
as a member. Membership is indicated by the group attribute defined
as GROUP_LOOKUP_ATTRIBUTE (typically, member or uniqueMember).
- USER_ATTRIBUTE In this case, a user's groups are listed as attributes
of the user object itself. This setting indicates to search for the
user attribute defined as GROUP_LOOKUP_ATTRIBUTE to get the user's
groups (typically memberOf for Microsoft Active Directory or ibm-allGroups for IBM Tivoli® Directory
Server).
For example:GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
|
GROUP_LOOKUP_
ATTRIBUTE
|
Name of the attribute used to determine group
membership, as described for GROUP_LOOKUP_METHOD. For example:
GROUP_LOOKUP_ATTRIBUTE = member
GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups
|
NESTED_GROUPS |
If NESTED_GROUPS is TRUE, the DB2 database manager recursively searches for
group membership by attempting to look up the group memberships for
every group that is found. Cycles (such as A belongs to B, and B belongs to A) are
handled correctly.
This parameter is optional, and defaults to FALSE.
|
Table 4. Miscellaneous valuesParameter |
Description |
SEARCH_DN, SEARCH_PW |
If your LDAP server does not support anonymous
access, or if anonymous access is not sufficient when searching for
users or groups, then you can optionally define a DN and password
that will be used to perform searches. For example:
SEARCH_DN = cn=root
SEARCH_PW = rootpassword
|
DEBUG |
Set DEBUG to TRUE to write extra information
to the db2diag log files to aid
in debugging LDAP related issues. Most of the additional information is logged at
DIAGLEVEL 4 (INFO).
DEBUG defaults to false.
|