Configuring transparent LDAP for authentication and group lookup (Linux)
To ensure that the Db2® database server transparently uses LDAP-based authentication on the Linux® operating system, use Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.
Before you begin
- An RFC 2307 compliant LDAP server is set up on your system.
- The required client software packages and dependencies are installed on your system:
  - For RHEL 7 systems, run the following command:
    yum install openldap openldap-clients sssd sssd-client authconfig
  - For RHEL 8 systems, run the following command:
    yum install openldap openldap-clients sssd sssd-client authselect
  - For SUSE Linux Enterprise Server (SLES) 12 or 15 systems, run the following command:
    zypper install sssd-ldap sssd
  - For Ubuntu systems, run the following command:
    apt install sssd-ldap ldap-utils
About this task
The procedure configures the System Security Services Daemon (SSSD) and its associated PAM module (pam_sss) to provide authentication services to the operating system and Db2. Using SSSD is the recommended configuration.
Configurations that use pam_ldap, pam_unix, pam_unix2, and pam_krb5 for authentication are also supported by Db2. Configurations using other PAM modules might work, but are unsupported. If the desired authentication method is already configured on the system, go to Db2 Authentication Configuration.
You need the following information about the LDAP server before you start:
- Hostname of the LDAP server
- Port of the LDAP server (the default for LDAP over TLS on a dedicated port, LDAPS, is 636; if the server supports StartTLS on the plain LDAP port, the default is 389)
- LDAP search base DN
- The root certificate for the LDAP server, or the URL from which it can be downloaded
- If the server requires a bind to search, the bind DN and password

The examples in this task use the following values:

Item | Value
---|---
Hostname | ldap.example.com
Port | 636 (default for LDAP over TLS)
TLS enabled | Yes
TLS certificate URL | http://example.com/cacombined.pem
LDAP search base DN | ou=Anytown, o=example.com
Authentication | Not required
Procedure
1. Enable system LDAP authentication through SSSD. If the desired authentication method has already been configured on the system, go to step 2.
2. Configure Db2 to use Pluggable Authentication Modules (PAM), also known as Transparent LDAP, to authenticate with the operating system.
3. Optional: Configure any additional authentication options.
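The following script is an added example for step 1 and is not part of the IBM documentation or the Db2 product. It renders an sssd.conf for a single LDAP domain from the values in the table above (LDAPS on port 636, anonymous search, the root certificate from http://example.com/cacombined.pem), installs it with the permissions SSSD insists on, and checks the two settings that decide whether the LDAP session is actually protected: the URI scheme and ldap_tls_reqcert. The CA bundle path /etc/openldap/cacerts/cacombined.pem and the domain name LDAP are assumptions; the authselect, authconfig and pam-config invocations are the distribution tools named in the prerequisites.

```shell
#!/bin/bash
# Added example (not IBM's code): render, install and sanity-check an SSSD
# configuration for LDAP identity lookup and authentication.
set -eu

# Values from the table above. The CA bundle path is an assumption: download
# http://example.com/cacombined.pem to this location before starting sssd.
LDAP_HOST="ldap.example.com"
LDAP_PORT="636"
LDAP_BASE="ou=Anytown,o=example.com"
CA_CERT="/etc/openldap/cacerts/cacombined.pem"

# render_sssd_conf HOST PORT BASE_DN CA_CERT
# Prints an sssd.conf that uses LDAPS with mandatory certificate verification
# and anonymous search (the table says the server requires no bind).
render_sssd_conf() {
  local host="$1" port="$2" base="$3" cacert="$4"
  cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://${host}:${port}
ldap_search_base = ${base}
ldap_schema = rfc2307
# Verify the server certificate against the root certificate. "allow" or
# "never" would let a spoofed server harvest Db2 user passwords.
ldap_tls_cacert = ${cacert}
ldap_tls_reqcert = demand
# If the server only offers StartTLS, use ldap://${host}:389 above and add:
# ldap_id_use_start_tls = true
# If a bind is required, add ldap_default_bind_dn and ldap_default_authtok.
cache_credentials = false
enumerate = false
EOF
}

# check_sssd_conf FILE
# Returns 0 when the file demands certificate verification and does not send
# credentials over a plaintext ldap:// URI without StartTLS; 1 otherwise.
check_sssd_conf() {
  local f="$1"
  grep -Eq '^ldap_tls_reqcert *= *demand' "$f" \
    || { echo "ldap_tls_reqcert must be demand" >&2; return 1; }
  grep -Eq '^ldap_uri *= *ldaps?://' "$f" \
    || { echo "ldap_uri is missing" >&2; return 1; }
  if grep -Eq '^ldap_uri *= *ldap://' "$f" \
     && ! grep -Eq '^ldap_id_use_start_tls *= *true' "$f"; then
    echo "plaintext ldap:// without ldap_id_use_start_tls" >&2
    return 1
  fi
  return 0
}

# install_sssd_conf DEST
# Writes the rendered config; sssd refuses to start unless the file is 0600.
install_sssd_conf() {
  local dest="$1"
  render_sssd_conf "$LDAP_HOST" "$LDAP_PORT" "$LDAP_BASE" "$CA_CERT" > "$dest"
  chmod 0600 "$dest"
  check_sssd_conf "$dest"
}

# enable_sssd_pam
# Switches the NSS/PAM stack to pam_sss with the distribution's own tool
# (authselect on RHEL 8, authconfig on RHEL 7, pam-config on SLES) and starts
# sssd. Run as root on the target host.
enable_sssd_pam() {
  if command -v authselect >/dev/null 2>&1; then
    authselect select sssd with-mkhomedir --force
  elif command -v authconfig >/dev/null 2>&1; then
    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
  elif command -v pam-config >/dev/null 2>&1; then
    pam-config --add --sss
  else
    echo "enable pam_sss manually (Ubuntu: pam-auth-update)" >&2
  fi
  systemctl enable --now sssd
}

# Usage on the target host (as root):
#   install_sssd_conf /etc/sssd/sssd.conf && enable_sssd_pam
#   getent passwd <ldapuser>   # confirms NSS resolves LDAP users before Db2 is reconfigured
```

Run getent passwd and id against an LDAP user before touching the Db2 configuration: if the operating system cannot resolve the user and its groups, Db2 cannot either, and the failure is easier to diagnose at this layer.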