DB2 10.5 for Linux, UNIX, and Windows

Configuring transparent LDAP for authentication and group lookup (HP-UX)

Starting in DB2® V9.7 Fix Pack 1, a DB2 database server on the HP-UX operating system can use LDAP-based authentication transparently, by way of Pluggable Authentication Modules (PAM). Your LDAP server must already be configured to store user and group information.

Before you begin

This procedure assumes that the LDAP server is RFC 2307 compliant.

Procedure

  1. If you are using IBM® Tivoli® Directory Server (ITDS) Version 6.1, set up the LDAP server before the HP-UX system connects to it. To configure the LDAP server, perform the following steps:
    1. Log in on the LDAP server as a user with root authority.
    2. Issue the idsldapadd command:
      idsldapadd -D <root> -w <password> -h <hostname> -p <port> -c -i duaconfigschema.ldif
      
      where:
      <root> - the bind DN used to bind to the LDAP server
      <password> - the password for the bind DN
      <hostname> - the host name of the LDAP server
      <port> - the port on which the LDAP server is listening; the default is 389
      duaconfigschema.ldif - the LDIF file that contains the DUAConfigProfile schema

      Because the bind password is passed on the command line with -w, it can be visible in process listings and in the shell history; prefer an interactive password prompt where the tool offers one.

      The object class defined in duaconfigschema.ldif is added to the LDAP server automatically by the LDAP-UX setup program when a Netscape or Red Hat Directory Server is used. With ITDS, you must add the object class manually, as shown above, before running the LDAP-UX setup program on the HP-UX client.

  2. To configure your operating system for LDAP and PAM, perform the following steps:
    1. Log in as a user with root authority.
    2. Install LDAP-UX Client Services and run the LDAP-UX setup program. The following screen appears:
      [ctrl-B]=Go Back screen 2
      Hewlett-Packard Company
      LDAP-UX Client Services Setup Program
      ------------------------------------------------------------------------
      Select which Directory Server you want to connect to:
      1. Netscape or Red Hat Directory
      2. Windows Active Directory
      To accept the default shown in brackets, press the Return key.
      Directory Server: [1]:
      Select option 1, as if you were connecting to a Netscape or Red Hat Directory Server, and follow the instructions.

      For details on installing LDAP-UX, refer to the LDAP-UX Client Services B.04.15 Administrator's Guide.

    3. Edit the PAM configuration file at /etc/pam.conf. Add the following entries to the file:
      db2 auth required    libpam_hpsec.so.1
      db2 auth sufficient  libpam_unix.so.1
      db2 auth required    libpam_ldap.so.1 use_first_pass

      This configuration first checks the user ID and password against the local password database (libpam_unix, marked sufficient). If that check succeeds, authentication is complete and LDAP is not contacted. If the user is not found locally or the local password check fails, the stack falls through to libpam_ldap; the use_first_pass option makes it reuse the password that was already supplied instead of prompting for it again.

      DB2 supports PAM configurations that use libpam_ldap.so and libpam_unix.so. Configurations that use other PAM modules might work, but are not supported.

    4. Set up your HP-UX system to perform group lookup through LDAP. Find the group and passwd entries in the /etc/nsswitch.conf file and ensure that ldap is listed as a lookup source. Here is an example of the group and passwd entries:
      group:          files ldap
      passwd:         files ldap
  3. To configure your DB2 instance to use transparent LDAP authentication, perform the following steps:
    1. Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Issue the following command as a user with SYSADM authority:
      db2set DB2AUTH=OSAUTHDB
    2. Using the UPDATE DBM CFG command, set the authentication parameter of the database server instance to one of the following values:
      • SERVER
      • SERVER_ENCRYPT
      • DATA_ENCRYPT
      • CLIENT
      SERVER_ENCRYPT and DATA_ENCRYPT encrypt the user ID and password in transit; with SERVER they travel unencrypted unless the connection itself is protected, and with CLIENT the password check is delegated to the client rather than performed on the server.
    3. Ensure that the Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin) parameters are left at their default empty values. An empty value implies the default plug-in: IBMOSauthclient, IBMOSauthserver and IBMOSgroups respectively.
    4. Restart the DB2 instance.
    Note: IBMLDAPSecurity.ini is not used by transparent LDAP. That file is used only with the LDAP plug-in modules.
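The following preflight script is an added example, not code from IBM or HP, that checks the four things the procedure above configures: the "db2" PAM stack in /etc/pam.conf, the passwd and group sources in /etc/nsswitch.conf, the DB2AUTH registry variable, and the authentication and plug-in parameters in the database manager configuration. The input files it reads are constructed inside the script so that it runs offline; the db2set and db2 get dbm cfg output is a constructed sample whose parameter names in parentheses follow the DB2 format, and the descriptive text before them is assumed. On a real server, point the check_* functions at the live files and at saved command output instead.

```shell
#!/bin/sh
# Preflight check for transparent LDAP on HP-UX (added example, not IBM/HP code).
# Validates the PAM "db2" stack, the nsswitch sources, the DB2AUTH registry
# variable and the DBM configuration. Inputs are CONSTRUCTED below so the
# script runs offline; on a real server pass /etc/pam.conf, /etc/nsswitch.conf
# and saved output of "db2set" and "db2 get dbm cfg" to the check_* functions.

# The "db2 auth" stack must list libpam_unix (sufficient) before libpam_ldap
# (required), and libpam_ldap must carry use_first_pass so it reuses the
# password DB2 already supplied instead of prompting again.
check_pam_db2_stack() {
  awk '
    $1 == "db2" && $2 == "auth" {
      n++
      if ($4 ~ /libpam_unix/) unix = n
      if ($4 ~ /libpam_ldap/) { ldap = n; if ($0 ~ /use_first_pass/) ufp = 1 }
    }
    END { exit !(unix && ldap && ufp && ldap > unix) }' "$1"
}

# passwd and group lookups must both include ldap as a source.
check_nsswitch_ldap() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "passwd:" && /ldap/ { pw = 1 }
    $1 == "group:"  && /ldap/ { gr = 1 }
    END { exit !(pw && gr) }' "$1"
}

# db2set output must contain exactly DB2AUTH=OSAUTHDB.
check_db2auth_registry() {
  grep -q '^DB2AUTH=OSAUTHDB$' "$1"
}

# "db2 get dbm cfg" output: AUTHENTICATION must be one of the four values the
# procedure allows, and the three plug-in parameters must be empty (empty
# selects the default IBMOSauthclient/IBMOSauthserver/IBMOSgroups plug-ins).
check_dbm_cfg() {
  awk '
    function value(line) { sub(/.*= */, "", line); sub(/[ \t]+$/, "", line); return line }
    /\(AUTHENTICATION\)/ { auth = value($0) }
    /\((SRVCON_PW_PLUGIN|CLNT_PW_PLUGIN|GROUP_PLUGIN)\)/ { if (value($0) != "") bad = 1 }
    END {
      ok = (auth == "SERVER" || auth == "SERVER_ENCRYPT" ||
            auth == "DATA_ENCRYPT" || auth == "CLIENT")
      exit !(ok && !bad)
    }' "$1"
}

# Constructed sample inputs: a correct set plus two common mistakes.
write_samples() {
  printf '%s\n' 'db2 auth required libpam_hpsec.so.1' \
    'db2 auth sufficient libpam_unix.so.1' \
    'db2 auth required libpam_ldap.so.1 use_first_pass' > "$1/pam.conf"
  # Mistake: use_first_pass omitted, so libpam_ldap would prompt again.
  printf '%s\n' 'db2 auth required libpam_hpsec.so.1' \
    'db2 auth sufficient libpam_unix.so.1' \
    'db2 auth required libpam_ldap.so.1' > "$1/pam.conf.bad"
  printf '%s\n' 'passwd: files ldap' 'group: files ldap' > "$1/nsswitch.conf"
  printf '%s\n' 'DB2AUTH=OSAUTHDB' 'DB2COMM=TCPIP' > "$1/db2set.out"
  cat > "$1/dbmcfg.out" <<'EOF'
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Server userid-password plugin        (SRVCON_PW_PLUGIN) =
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Group Plugin                             (GROUP_PLUGIN) =
EOF
  # Mistake: an explicit group plug-in name replaces the default OS group
  # plug-in that transparent LDAP relies on (value is illustrative).
  sed 's/(GROUP_PLUGIN) =.*$/(GROUP_PLUGIN) = IBMLDAPgroups/' "$1/dbmcfg.out" > "$1/dbmcfg.bad"
}

# Runs all checks against one directory; succeeds only if every check passes.
preflight() {
  check_pam_db2_stack "$1/pam.conf" && check_nsswitch_ldap "$1/nsswitch.conf" &&
  check_db2auth_registry "$1/db2set.out" && check_dbm_cfg "$1/dbmcfg.out"
}

SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/db2ldap.XXXXXX")
write_samples "$SAMPLE_DIR"
preflight "$SAMPLE_DIR" && echo "preflight: PASS" || echo "preflight: FAIL"
```

The checks key on the parameter names in parentheses rather than on the descriptive text, so they tolerate column differences between DB2 releases; the two ".bad" samples show the failures the checks are meant to catch, a libpam_ldap line without use_first_pass and a non-empty plug-in parameter.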