The DB2® database manager and DB2 Connect™ support LDAP-based authentication and group lookup functionality through the use of LDAP security plug-in modules and also through transparent LDAP.
LDAP-based authentication support has been enhanced on the AIX® operating system. Starting with DB2 V9.7 Fix Pack 1, transparent LDAP support has also been extended to the Linux, HP-UX and Solaris operating systems at the same version levels that the DB2 product supports. LDAP now enables central management of user authentication and group membership using transparent LDAP authentication. You can configure DB2 instances to authenticate users and acquire their groups through the operating system. The operating system will, in turn, perform the authentication through an LDAP server. To enable transparent LDAP authentication, set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Supported operating systems are:
Another option for implementing LDAP-based authentication is through the use of LDAP security plug-ins. LDAP security plug-in modules allow the DB2 database manager to authenticate users defined in an LDAP directory, removing the requirement that users and groups be defined to the operating system. Supported operating systems (at the same version levels that the DB2 product supports) are:
- AIX
- HP-UX on Itanium-based HP Integrity Series systems (IA-64)
- Linux on IA32, x64, or zSeries hardware
- Solaris
- Windows
Supported LDAP servers for use with security plug-in modules are:
- IBM® Lotus® Domino® LDAP Server, Version 8.0, and later
- IBM Tivoli® Directory Server (ITDS) Version 6.2 (with GSKit 7.0.4.20 and later), and later
- Microsoft Active Directory (MSAD) Version 2008, and later
- Novell eDirectory, Version 8.8, and later
- OpenLDAP server, Version 2.4, and later
- Sun Java™ System Directory Server Enterprise Edition, Version 5.2 FP4, and later
- z/OS® Integrated Security Services LDAP Server Version V1R6, and later
Note: When you use the LDAP plug-in modules, all users associated with the database must be defined on the LDAP server. This includes both the DB2 instance owner ID and the fenced user. (These users are typically defined in the operating system, but must also be defined in LDAP.) Similarly, if you use the LDAP group plug-in module, any groups required for authorization must be defined on the LDAP server. This includes the SYSADM, SYSMAINT, SYSCTRL and SYSMON groups defined in the database manager configuration.
DB2 security plug-in modules are available for server-side authentication, client-side authentication and group lookup, described later. Depending on your specific environment, you may need to use one, two or all three types of plug-in.
To use DB2 security plug-in modules, follow these steps:
- Decide if you need server, client, or group plug-in modules, or a combination of these modules.
- Configure the plug-in modules by setting values in the IBM LDAP security plug-in configuration file (default name is IBMLDAPSecurity.ini). You will need to consult with your LDAP administrator to determine appropriate values.
- Enable the plug-in modules.
- Test connecting with various LDAP user IDs.
Server authentication plug-in
The server authentication plug-in module performs server validation of user IDs and passwords supplied by clients on CONNECT and ATTACH statements. It also provides a way to map LDAP user IDs to DB2 authorization IDs, if required. The server plug-in module is generally required if you want users to authenticate to the DB2 database manager using their LDAP user ID and password.
Client authentication plug-in
The client authentication plug-in module is used where user ID and password validation occurs on the client system; that is, where the DB2 server is configured with SRVCON_AUTH or AUTHENTICATION settings of CLIENT. The client validates any user IDs and passwords supplied on CONNECT or ATTACH statements, and sends the user ID to the DB2 server. Note that CLIENT authentication is difficult to secure, and not generally recommended.
The client authentication plug-in module may also be required if the local operating system user IDs on the database server are different from the DB2 authorization IDs associated with those users. You can use the client-side plug-in to map local operating system user IDs to DB2 authorization IDs before performing authorization checks for local commands on the database server, such as db2start.
Group lookup plug-in
The group lookup plug-in module retrieves group membership information from the LDAP server for a particular user. It is required if you want to use LDAP to store your group definitions. The most common scenario is where:
- All users and groups are defined in the LDAP server
- Any users defined locally on the database server are also defined with the same user ID on the LDAP server (including the instance owner and the fenced user)
- Password validation occurs on the DB2 server (that is, an AUTHENTICATION or SRVCON_AUTH value of SERVER, SERVER_ENCRYPT or DATA_ENCRYPT is set in the server DBM config file).
It is generally sufficient to install only the server authentication plug-in module and the group lookup plug-in module on the server. DB2 clients typically do not need to have the LDAP plug-in module installed.
It is possible to use only the LDAP group lookup plug-in module in combination with some other form of authentication plug-in (such as Kerberos). In this case, the LDAP group lookup plug-in module will be provided the DB2 authorization IDs associated with a user. The plug-in module searches the LDAP directory for a user with a matching AUTHID_ATTRIBUTE, then retrieves the groups associated with that user object.
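As an added example (not IBM's plug-in code), the following Python script performs the pre-flight check implied by the Note above (instance owner, fenced user and the SYSADM/SYSCTRL/SYSMAINT/SYSMON groups must exist in LDAP) and walks through the AUTHID_ATTRIBUTE lookup just described, against a constructed in-memory stand-in for the directory. The IBMLDAPSecurity.ini setting names other than AUTHID_ATTRIBUTE (USER_BASEDN, GROUP_BASEDN, GROUPNAME_ATTRIBUTE, GROUP_LOOKUP_ATTRIBUTE), and every DN, ID and value, are assumptions.

```python
# Added example, not IBM's plug-in code: a pre-flight check for the LDAP
# plug-in prerequisites above, run against a constructed in-memory stand-in
# for the directory. Setting names mirror IBMLDAPSecurity.ini; values assumed.
PEOPLE, GROUPS = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
DIRECTORY = {  # constructed entries: DN -> attributes (values as lists)
    f"uid=db2inst1,{PEOPLE}": {"uid": ["db2inst1"], "memberOf": [f"cn=db2iadm1,{GROUPS}"]},
    f"uid=db2fenc1,{PEOPLE}": {"uid": ["db2fenc1"], "memberOf": [f"cn=db2fadm1,{GROUPS}"]},
    f"uid=alice,{PEOPLE}": {"uid": ["alice"],
                            "memberOf": [f"cn=db2iadm1,{GROUPS}", f"cn=analysts,{GROUPS}"]},
    f"cn=db2iadm1,{GROUPS}": {"cn": ["db2iadm1"]},
    f"cn=db2fadm1,{GROUPS}": {"cn": ["db2fadm1"]},
    f"cn=analysts,{GROUPS}": {"cn": ["analysts"]},
}
CONFIG = {  # the IBMLDAPSecurity.ini settings the checks rely on (assumed values)
    "USER_BASEDN": PEOPLE, "AUTHID_ATTRIBUTE": "uid",
    "GROUP_BASEDN": GROUPS, "GROUPNAME_ATTRIBUTE": "cn",
    "GROUP_LOOKUP_ATTRIBUTE": "memberOf",  # user attribute listing group DNs
}

def search(basedn, attr, value):
    """Stand-in for an LDAP subtree search: DNs under basedn whose attribute
    holds value (case-insensitive, as most directories match)."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith("," + basedn.lower())
            and value.lower() in (v.lower() for v in e.get(attr, []))]

def groups_for_authid(authid):
    """The group plug-in flow described above: find the user object whose
    AUTHID_ATTRIBUTE equals the DB2 authorization ID, then resolve the group
    DNs stored on that object to group names. No or ambiguous match: no groups."""
    users = search(CONFIG["USER_BASEDN"], CONFIG["AUTHID_ATTRIBUTE"], authid)
    if len(users) != 1:
        return []
    names = []
    for gdn in DIRECTORY[users[0]].get(CONFIG["GROUP_LOOKUP_ATTRIBUTE"], []):
        # a dangling group DN contributes nothing; it is never guessed
        names += DIRECTORY.get(gdn, {}).get(CONFIG["GROUPNAME_ATTRIBUTE"], [])
    return sorted(names)

def preflight(instance_owner, fenced_user, dbm_cfg):
    """List each ID the Note above requires in LDAP but the directory lacks:
    the instance owner, the fenced user, and every non-empty SYS*_GROUP."""
    missing = [f"user:{u}" for u in (instance_owner, fenced_user)
               if not search(CONFIG["USER_BASEDN"], CONFIG["AUTHID_ATTRIBUTE"], u)]
    for param in ("SYSADM_GROUP", "SYSCTRL_GROUP", "SYSMAINT_GROUP", "SYSMON_GROUP"):
        group = dbm_cfg.get(param, "")
        if group and not search(CONFIG["GROUP_BASEDN"],
                                CONFIG["GROUPNAME_ATTRIBUTE"], group):
            missing.append(f"group:{group} ({param})")
    return missing
```

Running preflight("db2inst1", "db2fenc1", {"SYSADM_GROUP": "db2iadm1", "SYSMON_GROUP": "db2mon1"}) against this sample directory reports the missing SYSMON group, which is exactly the situation the Note warns about.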