Starting in DB2® V9.7 Fix Pack 1, the DB2 database server can use LDAP-based authentication transparently on the Linux operating system through Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.
Before you begin
To enable support for transparent LDAP on the DB2 database, complete the following tasks:
- Configure your operating system to authenticate users using PAM
- Configure your DB2 instance
The steps assume that the LDAP server is RFC 2307 compliant.
Procedure
- To configure your operating system for LDAP and PAM, perform
the following steps:
- Log in as a user with root authority.
- Ensure that the nss_ldap and pam_ldap packages
are installed. These two packages appear as libnss_ldap.so and libpam_ldap.so in
the /lib(64) or /usr/lib(64) directories.
- Set up your operating system to act as an LDAP client machine by modifying the /etc/ldap.conf file so that the operating system can bind to an LDAP server. The sample below binds without transport protection; if the directory supports it, pam_ldap and nss_ldap also accept an ssl start_tls line (with tls_cacertfile pointing at the CA certificate) or a uri ldaps://... line in place of host. Here is a sample /etc/ldap.conf file:
host <host> # Address of ldap server
base <base> # The DN of the search base.
rootbinddn <binddn> # The bind DN to bind to LDAP
ldap_version 3 # LDAP version
pam_login_attribute uid # user ID attribute for pam user lookups
nss_base_group <group> # nsswitch configuration pertaining to group search lookup
- Set the password for the rootbinddn in the /etc/ldap.secret file.
Only the root user should be able to read or write this file (owned by root, mode 0600). Because the password is stored in clear text, use a directory account with read-only rights as the bind DN, so that a leak of the file does not expose a privileged LDAP identity.
- Create or modify the PAM configuration file at /etc/pam.d/db2.
The file should be readable and writable only by root. You might
have to modify the configuration file, depending on the version of
the operating system that is being used. Here is a sample configuration
file for SUSE Linux Enterprise Server 10:
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
account sufficient pam_unix2.so
account required pam_ldap.so
password required pam_pwcheck.so
password sufficient pam_unix2.so use_authtok use_first_pass
password required pam_ldap.so use_first_pass
session required pam_unix2.so
For Red Hat Enterprise Linux 5, modify the configuration
file as follows:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
password sufficient pam_unix.so nullok use_authtok md5 shadowremember=3
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
DB2 supports PAM configurations that use pam_ldap.so, pam_unix.so, and pam_unix2.so. Configurations that use other PAM modules might work, but are not supported.
- Set up your Linux system to perform group lookup through LDAP. Find the group and passwd entries in the /etc/nsswitch.conf file and ensure that ldap is listed as a lookup method. Here is an example of the group and passwd entries:
group: files ldap
passwd: files ldap
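The following preflight script is an added example (not IBM's code) that checks the operating-system side of the steps above: that the two LDAP libraries are present, that /etc/ldap.secret and /etc/pam.d/db2 have the permissions the steps call for, that the auth stack of the PAM service loads pam_ldap.so, and that /etc/nsswitch.conf lists ldap for passwd and group. It assumes GNU coreutils stat (the -c option) as found on the Linux distributions named above. Every check takes the file to inspect as an argument so it can be pointed at copies; the live system paths are only inspected when the script is run with --live.

```sh
#!/bin/sh
# Preflight check for the OS side of DB2 transparent LDAP (added example,
# not IBM code). Each check is a function that takes the file to inspect,
# so it can be run against copies; main() points them at the live paths.
# Assumes GNU stat (-c).

# Print the first of the directories named in the DB2 doc that holds LIB, or fail.
find_lib() {
    for d in /lib /lib64 /usr/lib /usr/lib64; do
        if [ -e "$d/$1" ]; then echo "$d/$1"; return 0; fi
    done
    return 1
}

# Succeed if FILE is owned by OWNER (default root) and has exactly mode 0600.
# /etc/ldap.secret needs this: it holds the rootbinddn password in clear text.
file_is_private() {
    f=$1; owner=${2:-root}
    [ "$(stat -c '%U' "$f")" = "$owner" ] && [ "$(stat -c '%a' "$f")" = 600 ]
}

# Succeed if FILE is owned by OWNER (default root) and neither group nor
# other has the write bit, so only root can change /etc/pam.d/db2.
only_owner_writable() {
    f=$1; owner=${2:-root}
    [ "$(stat -c '%U' "$f")" = "$owner" ] || return 1
    mode=$(printf '%d' "0$(stat -c '%a' "$f")")   # octal mode string -> decimal
    [ $(( mode & 18 )) -eq 0 ]                      # 18 == 022: group/other write bits
}

# Print the distinct PAM modules a service file loads, sorted, one per line.
# Bracketed control values such as [success=1 default=ignore] are collapsed
# first so the module is always the third field; comments and blank lines
# are skipped and any directory prefix on the module is removed.
pam_modules() {
    sed 's/\[[^]]*\]/ctl/' "$1" |
      awk '$1 !~ /^#/ && NF >= 3 { sub(/.*\//, "", $3); print $3 }' | sort -u
}

# Succeed if the auth stack of the PAM file loads pam_ldap.so; without it the
# service would authenticate against local /etc/passwd only.
pam_auth_uses_ldap() {
    sed 's/\[[^]]*\]/ctl/' "$1" |
      awk '$1 == "auth" && $3 ~ /pam_ldap\.so$/ { found = 1 } END { exit !found }'
}

# Succeed if the nsswitch file lists ldap as a source for both passwd and group.
nsswitch_uses_ldap() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# Live checks against the paths used in the procedure; exit status 1 if any FIX was printed.
main() {
    rc=0
    for lib in libnss_ldap.so libpam_ldap.so; do
        find_lib "$lib" >/dev/null || { echo "MISSING: $lib not in /lib(64) or /usr/lib(64)"; rc=1; }
    done
    file_is_private /etc/ldap.secret || { echo "FIX: /etc/ldap.secret must be root-owned, mode 0600"; rc=1; }
    only_owner_writable /etc/pam.d/db2 || { echo "FIX: /etc/pam.d/db2 must be root-owned and not group/world writable"; rc=1; }
    pam_auth_uses_ldap /etc/pam.d/db2 || { echo "FIX: no pam_ldap.so in the auth stack of /etc/pam.d/db2"; rc=1; }
    echo "PAM modules loaded by /etc/pam.d/db2: $(pam_modules /etc/pam.d/db2 | tr '\n' ' ')"
    nsswitch_uses_ldap /etc/nsswitch.conf || { echo "FIX: add ldap to the passwd and group lines of /etc/nsswitch.conf"; rc=1; }
    return $rc
}

if [ "${1:-}" = --live ]; then main; fi
```

Run it as root with --live; a non-zero exit means at least one FIX line was printed. The module list is printed for review against the three modules IBM lists as supported rather than enforced, because IBM's own samples above also load helper modules such as pam_env.so, pam_deny.so and pam_cracklib.so.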
- To configure transparent LDAP authentication on your DB2 instance:
- Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. As a user with SYSADM authority, run db2set DB2AUTH=OSAUTHDB.
- Using the UPDATE DBM CFG command, set the authentication type on the database server instance to any one of the following:
- SERVER
- SERVER_ENCRYPT
- DATA_ENCRYPT
- CLIENT
SERVER_ENCRYPT and DATA_ENCRYPT encrypt the user ID and password in transit; SERVER sends them in the clear unless the connection is otherwise protected, and CLIENT trusts the client machine to have authenticated the user.
- Ensure that you are using the default empty values for the Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin) parameters. The default plug-ins are IBMOSauthclient, IBMOSauthserver and IBMOSgroups, and those plug-ins are implied if you leave the plug-in name values empty.
- Restart the DB2 instance (db2stop followed by db2start) so that the registry and configuration changes take effect.
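As an added example (not IBM's code), the script below audits the instance-side settings from these steps by reading what db2set DB2AUTH and db2 get dbm cfg print. It assumes that db2set DB2AUTH prints only the value and that db2 get dbm cfg prints each parameter as "description (KEYWORD) = value"; the sample_dbm_cfg output is constructed to that layout so the checks can run without an instance, and the live commands are only invoked with --live, which should be run as the instance owner.

```sh
#!/bin/sh
# Audit of the DB2 instance side of transparent LDAP (added example, not IBM
# code). Parses the text printed by "db2set DB2AUTH" (assumed: just the value)
# and "db2 get dbm cfg" (assumed: "description (KEYWORD) = value" per line).

# Print the value of one dbm cfg keyword (e.g. AUTHENTICATION) from
# "db2 get dbm cfg" text on stdin; empty output means the parameter is empty.
dbm_cfg_value() {
    awk -v key="($1)" 'index($0, key) { sub(/.*= */, ""); sub(/[ \t]*$/, ""); print; exit }'
}

# Constructed sample of the relevant "db2 get dbm cfg" lines for an instance
# that has been configured as the steps above describe.
sample_dbm_cfg() {
    cat <<'EOF'
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) =
 Group Plugin                              (GROUP_PLUGIN) =
EOF
}

# Succeed if REGVAL (the DB2AUTH value) is OSAUTHDB, AUTHENTICATION in the cfg
# file is one of the four allowed types, and the three plug-in names are empty.
# Prints a FIX line per problem and a WARN for the two weakest allowed types.
check_transparent_ldap() {
    regval=$1; cfg=$2; rc=0
    [ "$regval" = OSAUTHDB ] || { echo "FIX: run db2set DB2AUTH=OSAUTHDB (currently '$regval')"; rc=1; }
    auth=$(dbm_cfg_value AUTHENTICATION < "$cfg")
    case $auth in
        SERVER_ENCRYPT|DATA_ENCRYPT) ;;
        SERVER) echo "WARN: SERVER sends user ID and password in the clear unless the link is otherwise protected" ;;
        CLIENT) echo "WARN: CLIENT trusts the client machine to have authenticated the user" ;;
        *) echo "FIX: AUTHENTICATION is '$auth'; transparent LDAP needs SERVER, SERVER_ENCRYPT, DATA_ENCRYPT or CLIENT"; rc=1 ;;
    esac
    for kw in CLNT_PW_PLUGIN SRVCON_PW_PLUGIN GROUP_PLUGIN; do
        v=$(dbm_cfg_value "$kw" < "$cfg")
        [ -z "$v" ] || { echo "FIX: $kw is '$v'; clear it so the default OS plug-in is used"; rc=1; }
    done
    return $rc
}

# Live run as the instance owner: capture the instance's own output and check it.
main() {
    cfg=$(mktemp)
    db2 get dbm cfg > "$cfg"
    check_transparent_ldap "$(db2set DB2AUTH)" "$cfg"
    rc=$?; rm -f "$cfg"; return $rc
}

if [ "${1:-}" = --live ]; then main; fi
```

A non-zero exit means at least one FIX line was printed; the WARN lines do not fail the check because the page allows SERVER and CLIENT, but they are the settings to revisit first.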
Note: IBMLDAPSecurity.ini is not used by
transparent LDAP. This file is used only with LDAP plug-in modules.