DB2 10.5 for Linux, UNIX, and Windows

Configuring transparent LDAP for authentication and group lookup (Solaris)

Starting in DB2® V9.7 Fix Pack 1, you can configure your DB2 database server to use LDAP-based authentication transparently on the Solaris operating system through Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.

Before you begin

This procedure assumes that the LDAP server is RFC 2307 compliant.

About this task

This task describes the steps that apply to Solaris 10. The instructions might vary slightly for other versions of the Solaris operating system.

Procedure

  1. Configure your operating system for LDAP and PAM by performing the following steps:
    1. Log in as a user with root authority.
    2. Ensure that the nss_ldap and pam_ldap packages are installed. They appear as nss_ldap.so in the /usr/lib directory and pam_ldap.so in the /usr/lib/security directory.
    3. Set up your operating system to act as an LDAP client. Use the ldapclient(1M) command to initialize the client; a sample invocation follows:
      ldapclient manual -a credentialLevel=proxy \
      -a authenticationMethod=simple \
      -a proxyDN=<root> \
      -a proxyPassword=<password> \ 
      -a defaultSearchBase=<base> \
      -a serviceSearchDescriptor=group:<group> \
      -a domainName=<domain> \
      -a defaultServerList=<IP>
      
      where:
      <root>
      the bind DN to bind to LDAP. This is the DN of the user entry in the LDAP server that is permitted to search the LDAP server for user accounts and groups
      <password>
      the password for the bind DN
      <base>
      the DN for the search base. This should be one level above the user and group entries
      <group>
      the base DN for where the group information is stored
      <domain>
      the domain name for the LDAP server
      <IP>
      the IP address for the LDAP server
      With authenticationMethod=simple the proxy password is sent to the LDAP server in clear text unless the connection is protected (for example, with authenticationMethod=tls:simple), and ldapclient stores the proxy credentials on the client host, so the proxy account should be granted read access only. For more information, refer to the ldapclient(1M) manual.
    4. Edit the PAM configuration file, /etc/pam.conf, and add the following lines:
      db2 auth requisite          pam_authtok_get.so.1
      db2 auth required           pam_unix_cred.so.1
      db2 auth sufficient         pam_unix_auth.so.1
      db2 auth required           pam_ldap.so.1

      With this configuration, the user ID and password are first checked against the local files. Because pam_unix_auth is marked sufficient, a successful local authentication ends the stack; pam_ldap is consulted only if the user is not found locally or local authentication fails, and it must then succeed.

      DB2 supports PAM configurations that use pam_ldap.so and pam_unix_auth.so. Configurations that use other PAM modules might work but are not supported.

    5. Set up your Solaris system to perform group lookup through LDAP. Find the group and passwd entries in the /etc/nsswitch.conf file and ensure that ldap is listed as a lookup source. Here is an example of the group and passwd entries:
      group:          files ldap
      passwd:         files ldap
  2. Configure your DB2 instance to use transparent LDAP authentication by performing the following steps:
    1. Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Issue the following command as a user with SYSADM authority:
      db2set DB2AUTH=OSAUTHDB
    2. Set the authentication type on the server (the AUTHENTICATION database manager configuration parameter) to one of the following:
      • SERVER
      • SERVER_ENCRYPT
      • DATA_ENCRYPT
      With SERVER, the user ID and password are sent over the connection in clear text unless the connection itself is encrypted; SERVER_ENCRYPT and DATA_ENCRYPT encrypt them.
    3. Ensure that you are using the default Client Userid-Password Plug-in (clnt_pw_plugin), Server Userid-Password Plug-in (srvcon_pw_plugin), and Group Plug-in (group_plugin).
    4. Restart the DB2 instance (db2stop, then db2start) so that the new settings take effect.
    Note: IBMLDAPSecurity.ini is not used by transparent LDAP. This file is used only with LDAP plug-in modules.
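The following script is an added example, not part of the DB2 documentation: a set of pre-flight checks for the operating-system side of the procedure above. The db2 PAM service name, the module order and the nsswitch databases come from the procedure; the function names and the constructed sample files (including a deliberately wrong pam.conf and nsswitch.conf) are assumptions made for illustration, so the checks can be exercised without a Solaris host.

```shell
#!/bin/sh
# Added example (not from the DB2 documentation): pre-flight checks for the
# transparent LDAP configuration. The db2 PAM service name, module order and
# nsswitch databases are taken from the procedure; function names and the
# sample files below are assumed for illustration.

# Print the db2 auth stack from a pam.conf as "control:module", one per line,
# in file order. Module paths and the ".so.1" suffix are stripped so the
# comparison does not depend on where the libraries live.
pam_db2_auth_stack() {
  awk '$1 !~ /^#/ && $1 == "db2" && $2 == "auth" {
         mod = $4; sub(/.*\//, "", mod); sub(/\.so.*$/, "", mod)
         print $3 ":" mod
       }' "$1"
}

# Succeed only when the stack is exactly the one the procedure prescribes:
# local files first (sufficient), then LDAP (required) as the fallback.
pam_db2_ok() {
  expected="requisite:pam_authtok_get
required:pam_unix_cred
sufficient:pam_unix_auth
required:pam_ldap"
  [ "$(pam_db2_auth_stack "$1")" = "$expected" ]
}

# Succeed when nsswitch database $2 (passwd or group) lists ldap as a source.
nss_has_ldap() {
  awk -v db="$2:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Report the DB2 side (DB2AUTH registry variable and the dbm AUTHENTICATION
# parameter). Only runs where the instance environment is in PATH.
db2_side_report() {
  if command -v db2set >/dev/null 2>&1; then
    echo "DB2AUTH registry variable: $(db2set DB2AUTH)"
    db2 get dbm cfg | grep -i 'authentication'
  else
    echo "db2set not in PATH; skipping DB2 instance checks"
  fi
}

# Constructed sample files so the checks run without a Solaris host.
# pam.bad makes pam_unix_auth the last word, so LDAP users can never log in;
# nsswitch.bad resolves groups from local files only.
write_samples() {
  cat > "$1/pam.conf" <<'EOF'
# service type control    module
db2 auth requisite        pam_authtok_get.so.1
db2 auth required         pam_unix_cred.so.1
db2 auth sufficient       pam_unix_auth.so.1
db2 auth required         pam_ldap.so.1
EOF
  cat > "$1/pam.bad" <<'EOF'
db2 auth requisite        pam_authtok_get.so.1
db2 auth required         pam_unix_cred.so.1
db2 auth required         pam_unix_auth.so.1
EOF
  cat > "$1/nsswitch.conf" <<'EOF'
passwd:         files ldap
group:          files ldap
EOF
  cat > "$1/nsswitch.bad" <<'EOF'
passwd:         files ldap
group:          files
EOF
}

# Run the checks against files in directory $1; on a real host point them at
# /etc/pam.conf and /etc/nsswitch.conf instead. Returns non-zero on any miss.
run_checks() {
  dir=$1; rc=0
  pam_db2_ok "$dir/pam.conf" && echo "pam.conf db2 auth stack: ok" \
    || { echo "pam.conf db2 auth stack: WRONG"; rc=1; }
  for db in passwd group; do
    nss_has_ldap "$dir/nsswitch.conf" "$db" && echo "nsswitch $db: ldap present" \
      || { echo "nsswitch $db: ldap MISSING"; rc=1; }
  done
  return $rc
}

demo=$(mktemp -d)
write_samples "$demo"
run_checks "$demo"
db2_side_report
```

On a live system, run the script as root and pass /etc to run_checks; the PAM check is strict on order on purpose, because moving pam_ldap ahead of pam_unix_auth, or dropping it, silently changes which users can authenticate to the instance.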