Starting in DB2® V9.7 Fix Pack 1 and later, to ensure that your DB2 database server transparently uses LDAP-based authentication on the HP-UX operating system, you need to use Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.
Before you begin
This procedure assumes that the LDAP server is RFC 2307 compliant.
Procedure
- If you are using IBM® Tivoli® Directory Server (ITDS) Version 6.1, set up the LDAP server before the HP-UX system can connect to it. To configure your LDAP server for the HP-UX operating system, perform the following steps:
  - Log in on the LDAP server as a user with root authority.
  - Issue the idsldapadd command:
    idsldapadd -D <root> -w <password> -h <hostname> -p <port> -c -i duaconfigschema.ldif
    where:
    <root> - the bind DN used to bind to LDAP
    <password> - the password for the bind DN
    <hostname> - the host name of the LDAP server
    <port> - the port on which the LDAP server is running; the default is 389
    duaconfigschema.ldif - the LDIF file (the -i argument) that contains the DUAConfigProfile schema
    The object class listed in duaconfigschema.ldif is added to the LDAP server automatically by the LDAP-UX setup program if either Netscape or Red Hat Directory Server is used. However, if ITDS is used, the object class must be added manually before running the LDAP-UX setup program on the HP-UX client.
- To configure your operating system for LDAP and PAM, perform the following steps:
  - Log in as a user with root authority.
  - Install LDAP-UX Client Services and run the LDAP-UX setup program. The following screen appears:
[ctrl-B]=Go Back screen 2
Hewlett-Packard Company
LDAP-UX Client Services Setup Program
------------------------------------------------------------------------
Select which Directory Server you want to connect to:
1. Netscape or Red Hat Directory
2. Windows Active Directory
To accept the default shown in brackets, press the Return key.
Directory Server: [1]:
    Select option 1, as though you are connecting to the Netscape or Red Hat Directory Server, and follow the instructions. For details on installing LDAP-UX, refer to the LDAP-UX Client Services B.04.15 Administrator's Guide.
  - Edit the PAM configuration file, /etc/pam.conf, and add the following lines:
    db2 auth required libpam_hpsec.so.1
    db2 auth sufficient libpam_unix.so.1
    db2 auth required libpam_ldap.so.1 use_first_pass
    This configuration first checks the user ID and password against the local file system. It conducts an LDAP lookup only if the user is not found locally or if authentication against the local file system fails.
    DB2 supports PAM configurations that use libpam_ldap.so and libpam_unix.so. Configurations that use other PAM modules might work, but are not supported.
  - Set up your HP-UX system to perform group lookup through LDAP. Find the group and passwd entries in the /etc/nsswitch.conf file and ensure that ldap is listed as a lookup method. Here is an example of the group and passwd entries:
    group: files ldap
    passwd: files ldap
- To configure your DB2 instance to use transparent LDAP authentication, perform the following steps:
  - Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Issue the following command as a user with SYSADM authority:
    db2set DB2AUTH=OSAUTHDB
  - Using the UPDATE DBM CFG command, set the authentication on the database server instance to one of the following values:
    - SERVER
    - SERVER_ENCRYPT
    - DATA_ENCRYPT
    - CLIENT
  - Ensure that you are using the default empty values for the Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin) configuration parameters. The default plug-ins are IBMOSauthclient, IBMOSauthserver and IBMOSgroups, and those plug-ins are implied if you leave the plug-in name values empty.
  - Restart the DB2 instance.
Note: IBMLDAPSecurity.ini is not used by transparent LDAP. This file is used only with the LDAP plug-in modules.
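The following script is an added example and is not part of the IBM documentation. It is a read-only checker for the host-side and instance-side settings the procedure above produces: the three db2 auth lines in /etc/pam.conf in the documented order (hpsec required, unix sufficient, ldap required with use_first_pass), ldap as a source for the passwd and group entries in /etc/nsswitch.conf, DB2AUTH set to OSAUTHDB, and an AUTHENTICATION value of SERVER, SERVER_ENCRYPT, DATA_ENCRYPT or CLIENT. File paths and command output are passed in as parameters, so the example runs here against constructed sample files and constructed command output; the layout assumed for the "db2 get dbm cfg" line containing "(AUTHENTICATION)" is an assumption, as are the file names under the temporary directory.

```shell
#!/bin/sh
# Added example (not from the IBM page): verify the settings that transparent
# LDAP authentication for DB2 on HP-UX depends on. On a real host, call
# verify_host /etc/pam.conf /etc/nsswitch.conf "$(db2set DB2AUTH)" "$(db2 get dbm cfg)"

# check_pam_db2 PAMFILE: the three "db2 auth" lines must be present in the
# documented order. "sufficient" on the local module is what makes the LDAP
# lookup happen only when local authentication fails, so order matters.
check_pam_db2() {
    got=$(grep -v '^[[:space:]]*#' "$1" \
          | awk '$1 == "db2" && $2 == "auth" { $1 = $1; print }')
    want='db2 auth required libpam_hpsec.so.1
db2 auth sufficient libpam_unix.so.1
db2 auth required libpam_ldap.so.1 use_first_pass'
    [ "$got" = "$want" ]
}

# check_nss_ldap NSSFILE DATABASE: the "DATABASE:" entry must list ldap.
check_nss_ldap() {
    awk -v db="$2" '
        {
            line = $0; sub(/#.*/, "", line)
            n = index(line, ":"); if (n == 0) next
            name = substr(line, 1, n - 1); gsub(/[[:space:]]/, "", name)
            if (name != db) next
            m = split(substr(line, n + 1), src, /[[:space:]]+/)
            for (i = 1; i <= m; i++) if (src[i] == "ldap") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_db2auth OUTPUT: OUTPUT is what "db2set DB2AUTH" printed; must be OSAUTHDB.
check_db2auth() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "OSAUTHDB" ]
}

# check_dbm_auth OUTPUT: OUTPUT is "db2 get dbm cfg" text (assumed layout:
# "... (AUTHENTICATION) = VALUE"); VALUE must be one of the four supported settings.
check_dbm_auth() {
    val=$(printf '%s\n' "$1" \
          | awk -F'=' '/\(AUTHENTICATION\)/ { gsub(/[[:space:]]/, "", $2); print $2; exit }')
    case "$val" in
        SERVER|SERVER_ENCRYPT|DATA_ENCRYPT|CLIENT) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_host PAMFILE NSSFILE DB2SET_OUT DBMCFG_OUT: run every check and
# report each; succeed only when all pass.
verify_host() {
    rc=0
    check_pam_db2 "$1"         && echo "pam.conf db2 stack: ok" || { echo "pam.conf db2 stack: FAIL"; rc=1; }
    check_nss_ldap "$2" passwd && echo "nsswitch passwd: ok"    || { echo "nsswitch passwd: FAIL"; rc=1; }
    check_nss_ldap "$2" group  && echo "nsswitch group: ok"     || { echo "nsswitch group: FAIL"; rc=1; }
    check_db2auth "$3"         && echo "DB2AUTH: ok"            || { echo "DB2AUTH: FAIL"; rc=1; }
    check_dbm_auth "$4"        && echo "AUTHENTICATION: ok"     || { echo "AUTHENTICATION: FAIL"; rc=1; }
    return $rc
}

# Constructed sample files standing in for /etc/pam.conf and /etc/nsswitch.conf.
tmp=${TMPDIR:-/tmp}/db2ldap-check.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pam.conf" <<'EOF'
# constructed sample: correct db2 stack alongside an unrelated service
login   auth required   libpam_hpsec.so.1
login   auth required   libpam_unix.so.1
db2     auth required   libpam_hpsec.so.1
db2     auth sufficient libpam_unix.so.1
db2     auth required   libpam_ldap.so.1 use_first_pass
EOF
cat > "$tmp/pam.misordered" <<'EOF'
db2     auth required   libpam_hpsec.so.1
db2     auth required   libpam_ldap.so.1 use_first_pass
db2     auth sufficient libpam_unix.so.1
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files dns
EOF
cat > "$tmp/nsswitch.local" <<'EOF'
passwd: files
group:  files
EOF
# Constructed stand-ins for command output.
DB2SET_OK='OSAUTHDB'
DBMCFG_OK=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Server Connection Authentication      (SRVCON_AUTH) = NOT_SPECIFIED'
DBMCFG_BAD=' Database manager authentication        (AUTHENTICATION) = KERBEROS'

verify_host "$tmp/pam.conf" "$tmp/nsswitch.conf" "$DB2SET_OK" "$DBMCFG_OK"
```

The checks are deliberately strict about the order of the three db2 auth lines: with libpam_ldap.so.1 placed before the sufficient libpam_unix.so.1 entry, the LDAP server would be consulted for every login rather than only after local authentication fails, which is the opposite of what the procedure describes.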