To use IBM® Security Directory Server as a repository in your organization for identity and access management, you must configure a DB2® database with the directory server. A directory server stores a representation of the directory in a DB2 database.
To implement a directory representation, the directory server uses database tables. You can use commands to list the database tables that are associated with a directory server. Although it is not necessary to access a directory server with DB2 commands, this information might be useful to database administrators.
The IBM Security Directory Server tables can be grouped into the following categories:
In the examples, the ldapdb2 DB2 database name is used. To view the tables that are associated with the database, you must use the database instance owner credentials. For your environment, substitute the database instance owner and database name as per your configuration. You must switch the user context to the DB2 instance owner to run the commands. For example, to log in with the ldapdb2 DB2 instance owner credentials, run the following command:

su - ldapdb2

On Windows, open a DB2 command window and set the instance instead:

db2cmd
set DB2INSTANCE=ldapdb2

To connect to the database, run the following command:

db2 connect to ldapdb2

To view the columns of the LDAP_ENTRY table in detail, run the following command:

db2 describe table ldap_entry show detail
To find the EID of a particular DN, run the following command. The dn_trunc value must be in uppercase.

db2 "select eid from ldap_entry where dn_trunc = 'CN=USER1,O=SAMPLE'"

To find the DN entry name of a particular EID, run the following command:

db2 "select dn_trunc from ldap_entry where eid = 100"

To find the LDIF definition (the ENTRYDATA column) of a particular DN, run the following command:

db2 "select ENTRYDATA from ldap_entry where dn_trunc = 'CN=USER1,O=SAMPLE'"

To find the DN entries for the first 10 rows in the LDAP_ENTRY table, run the following command:

db2 "select dn_trunc from ldap_entry fetch first 10 rows only"

To find the DN entries for the next 10 rows in the LDAP_ENTRY table, run the following command:

db2 "select dn_trunc from ldap_entry where eid > 10 fetch first 10 rows only"

To find all LDAP suffixes (entries whose parent EID, PEID, is -1), run the following command:

db2 "select dn_trunc from ldap_entry where peid = -1"

To find the DN entries of all the immediate child entries (one-level search) of the LDAP entry with DN O=SAMPLE, run the following command:

db2 "select dn_trunc from ldap_entry where peid in \
(select eid from ldap_entry where dn_trunc = 'O=SAMPLE')"
The LDAP_DESC table holds one row for each descendant EID (DEID) and each of its ancestor EIDs (AEID), the entry itself included. To find the ancestor EIDs of the entry with EID 100, run the following command:

db2 "select * from ldap_desc where deid = 100"

DEID    AEID
------  -------
100     11
100     17
100     23
100     24
100     100

The output indicates that the EID is four levels deep in the directory information tree. To see the DN of that entry, run the following command:

db2 "select dn_trunc from ldap_entry where eid = 100"

DN_TRUNC
---------------------
CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE

Resolving each AEID value to its DN gives the entry that matches the filter along with its parent entries:

CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE
CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE
OU=HRGROUP,OU=MYCITY,O=SAMPLE
OU=MYCITY,O=SAMPLE
O=SAMPLE
To find all descendant entries of an entry (subtree search), query LDAP_DESC by ancestor EID. For example, for the entry CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE, run the following command:

db2 "select * from ldap_desc where aeid in \
(select eid from ldap_entry where dn_trunc = \
'CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE')"

For the entry CN=USERS,O=SAMPLE, run the following command:

db2 "select * from ldap_desc where aeid in \
(select eid from ldap_entry where dn_trunc = \
'CN=USERS,O=SAMPLE')"

An example output:

DEID      AEID
--------  -----------
12        12
2000042   12
2000043   12
2000044   12
2000056   12
2000057   12
2000058   12
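The LDAP_ENTRY and LDAP_DESC queries above (EID lookup, one-level search, ancestor chain, subtree search) carried out against a constructed, in-memory SQLite stand-in for the DB2 tables. This is an added example, not IBM's code or data; the EIDs, the extra TESTUSER2 entry and the use of SQLite instead of DB2 are assumptions, and LDAP_DESC is derived here from PEID the way the page's output implies (each entry listed as its own ancestor).

```python
import sqlite3

# Constructed stand-in for LDAP_ENTRY and LDAP_DESC in SQLite (not DB2); EIDs and the
# extra TESTUSER2 entry are assumed values chosen to mirror the TESTUSER1 example above.
ENTRIES = [  # (eid, peid, dn_trunc); peid = -1 marks a suffix, dn_trunc is uppercase
    (11, -1, "O=SAMPLE"),
    (17, 11, "OU=MYCITY,O=SAMPLE"),
    (23, 17, "OU=HRGROUP,OU=MYCITY,O=SAMPLE"),
    (24, 23, "CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE"),
    (100, 24, "CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE"),
    (101, 24, "CN=TESTUSER2,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE"),
]

def build_db():
    """Create both tables; derive LDAP_DESC (every ancestor of each entry, itself included) from PEID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ldap_entry (eid integer primary key, peid integer, dn_trunc text)")
    conn.execute("create table ldap_desc (deid integer, aeid integer)")
    conn.executemany("insert into ldap_entry values (?, ?, ?)", ENTRIES)
    parent = {eid: peid for eid, peid, _ in ENTRIES}
    for eid in parent:
        node = eid
        while node != -1:  # walk up through PEID until the suffix's parent (-1)
            conn.execute("insert into ldap_desc values (?, ?)", (eid, node))
            node = parent[node]
    return conn

def eid_of(conn, dn):
    """EID of a DN, or None; DN_TRUNC is stored uppercase, so normalise the lookup key."""
    row = conn.execute("select eid from ldap_entry where dn_trunc = ?", (dn.upper(),)).fetchone()
    return row[0] if row else None

def ancestors(conn, dn):
    """DNs of the entry and all of its ancestors, entry first: LDAP_DESC looked up by DEID."""
    rows = conn.execute(
        "select e.dn_trunc from ldap_desc d join ldap_entry e on e.eid = d.aeid "
        "where d.deid = ? order by length(e.dn_trunc) desc", (eid_of(conn, dn),))
    return [r[0] for r in rows]

def subtree(conn, dn):
    """EIDs of the entry and everything below it (subtree search): LDAP_DESC looked up by AEID."""
    rows = conn.execute("select deid from ldap_desc where aeid = ? order by deid", (eid_of(conn, dn),))
    return [r[0] for r in rows]

def one_level(conn, dn):
    """Immediate children only (one-level search), via PEID."""
    rows = conn.execute("select dn_trunc from ldap_entry where peid = ? order by eid", (eid_of(conn, dn),))
    return [r[0] for r in rows]
```

The depth reported on the page (four levels) is len(ancestors(conn, dn)) - 1, and the difference between one_level and subtree is the difference between the PEID column and the LDAP_DESC table.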
You can use the LDAP_GRP_DESC table to track nested group relationships.

db2 describe table cn

Column name    Data type schema  Data type name  Column length  Scale  Nulls
-------------  ----------------  --------------  -------------  -----  -----
EID            SYSIBM            INTEGER         4              0      No
CN             SYSIBM            VARCHAR         256            0      No
CN_T           SYSIBM            VARCHAR         240            0      No
RCN_T          SYSIBM            VARCHAR         240            0      No

4 record(s) selected.

db2 describe table src

Column name    Data type schema  Data type name  Column length  Scale  Nulls
-------------  ----------------  --------------  -------------  -----  -----
EID            SYSIBM            INTEGER         4              0      Yes
ACLSRC         SYSIBM            INTEGER         4              0      Yes
OWNSRC         SYSIBM            INTEGER         4              0      Yes
ACLTYPE        SYSIBM            INTEGER         4              0      Yes

4 record(s) selected.