DB2 10.5 for Linux, UNIX, and Windows

Configuring transparent LDAP for authentication and group lookup (AIX)

Starting in DB2® V9.7, transparent LDAP-based authentication and group lookup are supported on the AIX® operating system. Some configuration steps are required before this support is enabled.

Before you begin

These steps assume that the LDAP server is RFC 2307 compliant and configured to store user and group information.

Procedure

  1. To configure your AIX client system for LDAP, perform the following steps:
    1. Log in as a user with root authority.
    2. Ensure that the LDAP client file set has been installed on your AIX system. AIX works with all versions of LDAP clients: ITDS V6.1, which ships with AIX V6.1, and ITDS V6.2, which ships with the AIX expansion pack. The following shows ITDS V5.2 file sets installed on an AIX system. Note that the ldap.client.rte file set listed here is the runtime without SSL support; if the client must bind to the LDAP server over SSL/TLS so that user passwords do not cross the network in clear text, the SSL-capable client file set (ldap.max_crypto_client for ITDS) and GSKit must also be installed:
      $ lslpp -l "ldap*"
        Fileset                      Level  State      Description         
        ----------------------------------------------------------------------------
      Path: /usr/lib/objrepos
        ldap.client.adt            5.2.0.0  COMMITTED  Directory Client SDK
        ldap.client.rte            5.2.0.0  COMMITTED  Directory Client Runtime (No
                                                       SSL)
        ldap.html.en_US.config     5.2.0.0  COMMITTED  Directory Install/Config
                                                       Gd-U.S. English
        ldap.html.en_US.man        5.2.0.0  COMMITTED  Directory Man Pages - U.S.
                                                       English
        ldap.msg.en_US             5.2.0.0  COMMITTED  Directory Messages - U.S.
                                                       English
      
      Path: /etc/objrepos
        ldap.client.rte            5.2.0.0  COMMITTED  Directory Client Runtime (No
                                                       SSL)
    3. Using the mksecldap command with the -c option, configure the client. The -k and -w options supply the SSL key database and its password so that the client binds to the LDAP server over SSL; without them the bind, including the user's password, is sent in clear text. For more information about the mksecldap command and how to use it to configure the client, see http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/setup_ldap_sec_info_server.htm
    4. Update default stanza in the /etc/security/user file.

      Once you are certain that LDAP is configured properly and that you have populated the LDAP directory with users, you must set the default user to use LDAP. This will ensure that you can log in to the AIX client with any user in the LDAP directory that is not restricted.

      The SYSTEM and REGISTRY attributes in the /etc/security/user file are used to specify the authentication method and the database used for user management. To enable LDAP authentication and user management, set the SYSTEM and REGISTRY attributes in the default stanza to LDAP. For example:
      chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
      chsec -f /etc/security/user -s default -a "REGISTRY=LDAP"
      DB2 supports the following SYSTEM attributes:
      • LDAP
      • files
      DB2 supports the following REGISTRY attributes:
      • LDAP
      • KRB5LDAP
      • KRB5ALDAP
      • files
      • KRB5files
      • KRB5Afiles

      Configurations that use other SYSTEM or REGISTRY attributes might work, but are not supported.

      For more details on the stanza SYSTEM and REGISTRY attributes, refer to http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.files/doc/aixfiles/user.htm

    For more details, refer to the redbook titled, Integrating AIX into Heterogeneous LDAP Environments, at: http://www.redbooks.ibm.com/abstracts/sg247165.html
  2. To configure transparent LDAP authentication on your DB2 instance:
    1. Set the DB2AUTH miscellaneous registry variable to OSAUTHDB: as a user with SYSADM authority, run db2set DB2AUTH=OSAUTHDB.
    2. Using the UPDATE DBM CFG command, set the AUTHENTICATION configuration parameter of the database server instance to one of the following:
      • SERVER
      • SERVER_ENCRYPT
      • DATA_ENCRYPT
      With SERVER, the user ID and password can travel to the server in clear text unless SSL is used; SERVER_ENCRYPT encrypts them, so prefer it when the clients support it.
    3. Ensure that you are using the default Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin); that is, leave these three database manager configuration parameters at their default, empty value rather than pointing them at a custom plugin.
    4. Restart the DB2 instance.
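As an added check for step 1.4 (this script is not part of the DB2 documentation or of AIX), the following parses an /etc/security/user stanza file the way the chsec commands above leave it and verifies that the default stanza's SYSTEM and REGISTRY values are in the lists DB2 supports. The stanza layout (stanza name at column 0 ending in ":", indented "attr = value" lines, "*" comment lines, values with spaces in double quotes) is AIX's; the sample files it writes are constructed, and the function names are illustrative, not AIX commands.

```shell
#!/bin/sh
# Added example, not part of the DB2 documentation: audit the default stanza of
# an AIX /etc/security/user file for SYSTEM and REGISTRY values that DB2
# transparent LDAP supports. The file format (stanza name at column 0 ending
# in ":", indented "attr = value" lines, "*" comments, quoted values with
# spaces) is AIX's; the sample files written by write_sample_stanza are
# constructed for this example.

# stanza_attr FILE STANZA ATTR: print the value of ATTR inside STANZA.
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^\*/ { next }                                   # comment line
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key != attr) next
            val = substr(line, n + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                           # "LDAP or files" -> LDAP or files
            print val
        }' "$1"
}

# check_system VALUE: each method in a SYSTEM expression such as
# "LDAP or files" or "LDAP[UNAVAIL] or files" must be LDAP or files.
check_system() {
    for tok in $(printf '%s\n' "$1" | sed 's/\[[^]]*\]//g; s/[()]/ /g'); do
        case "$tok" in
            LDAP|files|or|and) ;;
            *) echo "SYSTEM method '$tok' is not supported by DB2"; return 1 ;;
        esac
    done
    return 0
}

# check_registry VALUE: REGISTRY must be one of DB2's supported registries.
check_registry() {
    case "$1" in
        LDAP|KRB5LDAP|KRB5ALDAP|files|KRB5files|KRB5Afiles) return 0 ;;
        *) echo "REGISTRY '$1' is not supported by DB2"; return 1 ;;
    esac
}

# check_db2_ldap_stanza FILE: 0 if the default stanza is acceptable for DB2.
check_db2_ldap_stanza() {
    sys=$(stanza_attr "$1" default SYSTEM)
    reg=$(stanza_attr "$1" default REGISTRY)
    [ -n "$sys" ] || { echo "default stanza has no SYSTEM attribute"; return 1; }
    [ -n "$reg" ] || { echo "default stanza has no REGISTRY attribute"; return 1; }
    check_system "$sys" && check_registry "$reg"
}

# write_sample_stanza FILE SYSTEM REGISTRY: constructed /etc/security/user
# fragment in the layout chsec produces (root keeps a local-only SYSTEM).
write_sample_stanza() {
    printf '*\n* constructed sample, not a real /etc/security/user\n*\ndefault:\n\tadmin = false\n\tSYSTEM = "%s"\n\tREGISTRY = %s\n\tlogintimes =\n\nroot:\n\tadmin = true\n\tSYSTEM = "compat"\n' \
        "$2" "$3" > "$1"
}

# Stand-alone run: one file as configured by the chsec commands in step 1.4,
# one that points the default user at an unsupported method.
tmp=${TMPDIR:-/tmp}/db2ldap.$$
write_sample_stanza "$tmp.good" "LDAP or files" LDAP
write_sample_stanza "$tmp.bad" "NIS or compat" LDAP
check_db2_ldap_stanza "$tmp.good" && echo "$tmp.good: default stanza OK for DB2"
check_db2_ldap_stanza "$tmp.bad" || echo "$tmp.bad: rejected, as expected"
rm -f "$tmp.good" "$tmp.bad"
```

On a real system, run check_db2_ldap_stanza /etc/security/user after the chsec commands; the check only reads the default stanza, so a root stanza that deliberately keeps a local-only SYSTEM value does not affect the result.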
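As an added check for step 2 (again not DB2's own code), the following verifies the three instance-level settings the steps above set: DB2AUTH=OSAUTHDB in the registry, AUTHENTICATION set to SERVER, SERVER_ENCRYPT or DATA_ENCRYPT, and the three plugin parameters left at their default. Because db2set and db2 only exist on a DB2 host, the parsers read the output of db2set -all and db2 get dbm cfg from files, and write_samples constructs that output; the "[i] NAME=VALUE" and "Description (PARAM) = value" line layouts it assumes are what those commands print, and the plugin name custom_pw_plugin used in the failing sample is hypothetical.

```shell
#!/bin/sh
# Added example, not DB2's own code: audit the instance settings that step 2
# requires. On a DB2 host the settings come from
#   db2set -all        (DB2AUTH=OSAUTHDB, set with: db2set DB2AUTH=OSAUTHDB)
#   db2 get dbm cfg    (AUTHENTICATION, set with: db2 update dbm cfg using
#                       AUTHENTICATION SERVER_ENCRYPT; then db2stop; db2start)
# Those commands do not exist off a DB2 host, so the two parsers read the
# command output from stdin and write_samples constructs it. The line formats
# assumed are "[i] NAME=VALUE" for db2set -all and "Description (PARAM) = value"
# for db2 get dbm cfg.

# registry_value NAME: value of a DB2 registry variable from db2set -all output.
registry_value() {
    awk -v name="$1" '
        index($0, "] " name "=") == 3 { sub(/^[^=]*=/, ""); print; exit }'
}

# dbm_cfg_value PARAM: value of a database manager configuration parameter
# from "db2 get dbm cfg" output; empty when the parameter is not set.
dbm_cfg_value() {
    awk -v p="($1)" '
        index($0, p) > 0 { sub(/^.*\) *= */, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# check_db2_auth REGFILE CFGFILE: 0 when DB2AUTH=OSAUTHDB, AUTHENTICATION is
# SERVER, SERVER_ENCRYPT or DATA_ENCRYPT, and the three plugin parameters are
# empty (the default plugins transparent LDAP relies on). Prints each problem.
check_db2_auth() {
    rc=0
    auth_var=$(registry_value DB2AUTH < "$1")
    [ "$auth_var" = OSAUTHDB ] ||
        { echo "DB2AUTH is '$auth_var', need OSAUTHDB"; rc=1; }
    auth=$(dbm_cfg_value AUTHENTICATION < "$2")
    case "$auth" in
        SERVER)
            echo "note: with AUTHENTICATION=SERVER a client may send the password in clear text; SERVER_ENCRYPT or SSL avoids that" ;;
        SERVER_ENCRYPT|DATA_ENCRYPT) ;;
        *) echo "AUTHENTICATION is '$auth', need SERVER, SERVER_ENCRYPT or DATA_ENCRYPT"; rc=1 ;;
    esac
    for p in CLNT_PW_PLUGIN SRVCON_PW_PLUGIN GROUP_PLUGIN; do
        v=$(dbm_cfg_value "$p" < "$2")
        [ -z "$v" ] || { echo "$p is '$v'; transparent LDAP needs the default plugin"; rc=1; }
    done
    return $rc
}

# write_samples REGFILE CFGFILE DB2AUTH AUTHENTICATION CLNT_PW_PLUGIN:
# constructed command output in the layout a DB2 host prints.
write_samples() {
    printf '[i] DB2AUTH=%s\n[i] DB2COMM=TCPIP\n[g] DB2SYSTEM=aixhost\n' "$3" > "$1"
    {
        printf ' Database manager authentication        (AUTHENTICATION) = %s\n' "$4"
        printf ' Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = %s\n' "$5"
        printf ' Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = \n'
        printf ' Group Plugin                             (GROUP_PLUGIN) = \n'
    } > "$2"
}

# Stand-alone run against the constructed samples. On a real host:
#   db2set -all > reg.txt; db2 get dbm cfg > cfg.txt; check_db2_auth reg.txt cfg.txt
tmp=${TMPDIR:-/tmp}/db2auth.$$
write_samples "$tmp.reg" "$tmp.cfg" OSAUTHDB SERVER_ENCRYPT ""
check_db2_auth "$tmp.reg" "$tmp.cfg" && echo "instance settings OK for transparent LDAP"
# custom_pw_plugin is a hypothetical plugin name, not a DB2-supplied one.
write_samples "$tmp.reg" "$tmp.cfg" OSAUTHDB CLIENT custom_pw_plugin
check_db2_auth "$tmp.reg" "$tmp.cfg" || echo "rejected, as expected"
rm -f "$tmp.reg" "$tmp.cfg"
```

Run it after step 4 (the restart), since db2 get dbm cfg reports the configured value either way but the instance only honours DB2AUTH and AUTHENTICATION once it has been restarted.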