DB2 10.5 for Linux, UNIX, and Windows

Authentication using an ordered domain list

User IDs may be defined more than once in a trusted domain forest. A trusted domain forest is a collection of Windows domains that are linked by trust relationships, so that an account defined in one domain can be presented to servers in another.

About this task

It is possible for a user on one domain to have the same user ID as that for another user on a different domain. This may cause difficulties when attempting to do any of the following actions:

To prevent difficulties arising from the possibility of multiple users with the same user ID across a domain forest, use an ordered domain list. You define it with the db2set command by setting the DB2DOMAINLIST registry variable to the domain names, separated by commas, in the order in which they should be searched (for example, db2set DB2DOMAINLIST=DOMAIN1,DOMAIN2). DB2 searches the domains in that order when authenticating a user ID and stops at the first domain in which the ID is defined, so the order is a deliberate security decision, not a formality.

A user ID that exists in more than one listed domain is always resolved to the domain that appears first in the list. The same ID on a domain further down the list is never reached, so if those users need access to the database you must rename them (give them a user ID that is unique across the listed domains).

The domain list is also a means of access control: a user whose domain is not in the list is not allowed to connect, regardless of whether the user ID exists in that domain.
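The following POSIX shell script is an added example, not part of the DB2 documentation or the product, that models the two rules above (first listed domain wins; unlisted domains are rejected) over a constructed account table, so you can see which user IDs a given DB2DOMAINLIST value would shadow before you set it on a server. The domain and user names, the ACCOUNTS table and the function names are all hypothetical; a real deployment would gather the account list from each domain controller.

```sh
#!/bin/sh
# Constructed account table standing in for the accounts that each Windows
# domain would report: one "DOMAIN userid" pair per line. Not real data.
ACCOUNTS='
CORP alice
CORP bob
LAB alice
LAB carol
GUEST alice
'

# Turn a comma-separated DB2DOMAINLIST value into a whitespace-separated
# word list, preserving the configured order.
domains_in_order() {
    printf '%s' "$1" | tr ',' ' '
}

# Is the given domain in the list at all? Users from unlisted domains are
# refused outright (the access-control rule described in the text).
domain_listed() {
    list=$1; domain=$2
    for d in $(domains_in_order "$list"); do
        [ "$d" = "$domain" ] && return 0
    done
    return 1
}

# Which domain authenticates a user ID under this list? Domains are searched
# in list order and the first one that defines the ID wins; later domains
# holding the same ID are never consulted. Prints the winning domain, or
# returns 1 if no listed domain defines the ID.
resolve_domain() {
    list=$1; user=$2
    for d in $(domains_in_order "$list"); do
        if printf '%s\n' "$ACCOUNTS" | grep -qx "$d $user"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Audit helper: user IDs that exist in more than one listed domain. Every ID
# printed here is shadowed for all but the first domain that defines it and
# must be renamed in the later domains if those users need database access.
shadowed_users() {
    list=$1
    for d in $(domains_in_order "$list"); do
        printf '%s\n' "$ACCOUNTS" | awk -v d="$d" '$1 == d { print $2 }'
    done | sort | uniq -d
}

# What the server does with the identity a client presents: refuse it if the
# client's domain is not listed, otherwise print the domain whose account
# actually wins the ordered search. A result that differs from the presented
# domain means the presented account is shadowed by an earlier domain.
effective_domain() {
    list=$1; domain=$2; user=$3
    domain_listed "$list" "$domain" || return 1
    resolve_domain "$list" "$user"
}

# Usage: audit a candidate list before applying it with db2set.
CANDIDATE=CORP,LAB,GUEST
echo "Shadowed user IDs for DB2DOMAINLIST=$CANDIDATE:"
shadowed_users "$CANDIDATE"
echo "LAB\\alice would be treated as: $(effective_domain "$CANDIDATE" LAB alice)\\alice"
```

Once the audit is clean, the list itself is applied on the server with db2set DB2DOMAINLIST=CORP,LAB (in that order) and the authentication type with db2 update dbm cfg using AUTHENTICATION CLIENT; the script deliberately does not run those commands, because the point is to decide the order before touching a live instance.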

Note: The DB2DOMAINLIST registry variable takes effect only when the authentication type in the database manager configuration is CLIENT, and it is required if you want single sign-on from a Windows desktop in a Windows domain environment. Because CLIENT authentication relies on the client operating system having already validated the user, limiting the list to the domains you administer is the server's main control over which identities it accepts. Not every DB2® server version supports DB2DOMAINLIST, and it is not enforced at all unless at least one of the client and the server runs on Windows.