The DB2® database manager and DB2 Connect™ support LDAP-based authentication and group lookup functionality through the use of LDAP security plug-in modules and also through transparent LDAP authentication.
LDAP-based authentication support has been enhanced on the AIX® operating system. Starting with DB2 V9.7 Fix Pack 1, transparent LDAP support has also been extended to the Linux, HP-UX and Solaris operating systems at the same version levels that the DB2 product supports. Transparent LDAP authentication enables central management of user authentication and group membership: you configure DB2 instances to authenticate users and acquire their groups through the operating system, and the operating system, in turn, performs the authentication through an LDAP server. To enable transparent LDAP authentication, set the DB2AUTH miscellaneous registry variable to OSAUTHDB. Supported operating systems for transparent LDAP authentication are:
- AIX
- HP-UX
- Linux
- Solaris
Another option for implementing LDAP-based authentication is through the use of LDAP security plug-ins. LDAP security plug-in modules allow the DB2 database manager to authenticate users defined in an LDAP directory, removing the requirement that users and groups be defined to the operating system. Supported operating systems are:
- AIX
- HP-UX on Itanium-based HP Integrity Series systems (IA-64)
- Linux on IA32, x64, or zSeries hardware
- Solaris
- Windows
Supported LDAP servers for use with security plug-in modules are:
- IBM® Lotus® Domino® LDAP Server, Version 8.0, and later
- IBM Tivoli® Directory Server (ITDS) Version 6.2 (with GSKit 7.0.4.20 and later), and later
- Microsoft Active Directory (MSAD) Version 2008, and later
- Novell eDirectory, Version 8.8, and later
- OpenLDAP server, Version 2.4, and later
- Sun Java™ System Directory Server Enterprise Edition, Version 5.2 FP4, and later
- z/OS® Integrated Security Services LDAP Server Version V1R6, and later
Note: When you use the LDAP plug-in modules, all users associated with the database must be defined on the LDAP server. This includes both the DB2 instance owner ID and the fenced user. (These users are typically defined in the operating system, but must also be defined in LDAP.) Similarly, if you use the LDAP group plug-in module, any groups required for authorization must be defined on the LDAP server. This includes the SYSADM, SYSMAINT, SYSCTRL and SYSMON groups defined in the database manager configuration; once group lookup goes through LDAP, a group that exists only in the operating system no longer grants those authorities to its members.
DB2 security plug-in modules are available for server-side authentication, client-side authentication and group lookup, described later. Depending on your specific environment, you may need to use one, two or all three types of plug-in.
To use DB2 security plug-in modules, follow these steps:
- Decide if you need server, client, or group plug-in modules, or a combination of these modules.
- Configure the plug-in modules by setting values in the IBM LDAP security plug-in configuration file (default name is IBMLDAPSecurity.ini). You will need to consult with your LDAP administrator to determine appropriate values.
- Enable the plug-in modules.
- Test connecting with various LDAP user IDs.
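The four steps above, carried through as one script for the layout the page later calls the most common scenario (server authentication plug-in plus group lookup plug-in on the server, password validation on the DB2 server). This is an added example, not IBM's code or a file shipped with DB2: the host name, DNs, key database path, passwords, database name SAMPLE and test user alice are assumptions to be replaced with the values your LDAP administrator gives you. The parameter names in the .ini are the ones the IBM LDAP plug-in configuration file uses; the DBM parameters SRVCON_PW_PLUGIN and GROUP_PLUGIN and the plug-in names IBMLDAPauthserver and IBMLDAPgroups are the IBM-supplied ones.

```shell
#!/bin/sh
# Added example (not from the IBM page): write IBMLDAPSecurity.ini for the
# server authentication + group lookup plug-ins, sanity-check it, then enable
# the plug-ins in the instance. All directory values below are assumptions.

CFG="${DB2LDAPSecurityConfig:-${TMPDIR:-/tmp}/IBMLDAPSecurity.ini}"

# ENABLE_SSL=TRUE is deliberate: the plug-in binds with SEARCH_DN/SEARCH_PW
# and forwards each connecting user's password to the LDAP server, so a
# cleartext LDAP session would expose both.
write_ldap_security_ini() {
  cat > "$1" <<'EOF'
; IBMLDAPSecurity.ini (assumed values; replace with your directory's)
LDAP_HOST = ldap.example.com:636
ENABLE_SSL = TRUE
SSL_KEYFILE = /home/db2inst1/sqllib/security/keystore/ldapclient.kdb
SSL_PW = change-me-keystore-password
; read-only service account the plug-in binds as to search users and groups
SEARCH_DN = cn=db2svc,ou=services,dc=example,dc=com
SEARCH_PW = change-me-service-password
USER_OBJECTCLASS = inetOrgPerson
USER_BASEDN = ou=people,dc=example,dc=com
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
GROUP_OBJECTCLASS = groupOfNames
GROUP_BASEDN = ou=groups,dc=example,dc=com
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
NESTED_GROUPS = FALSE
EOF
  # the file carries two cleartext secrets: instance owner only
  chmod 600 "$1"
}

# ldap_ini_get FILE KEY: print KEY's value (first match, trimmed).
ldap_ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# ldap_ini_check FILE: non-zero if a key the two plug-ins need is absent or
# if the LDAP session would run without SSL.
ldap_ini_check() {
  rc=0
  for key in LDAP_HOST USER_BASEDN USERID_ATTRIBUTE AUTHID_ATTRIBUTE \
             GROUP_BASEDN GROUPNAME_ATTRIBUTE GROUP_LOOKUP_METHOD; do
    if [ -z "$(ldap_ini_get "$1" "$key")" ]; then
      echo "missing: $key" >&2
      rc=1
    fi
  done
  if [ "$(ldap_ini_get "$1" ENABLE_SSL)" != "TRUE" ]; then
    echo "ENABLE_SSL is not TRUE: bind and user passwords would cross the network unencrypted" >&2
    rc=1
  fi
  return $rc
}

# Enable the plug-ins; run as the instance owner. Put the export in
# sqllib/userprofile as well so db2start finds the file after a reboot.
enable_ldap_plugins() {
  export DB2LDAPSecurityConfig="$1"
  db2 update dbm cfg using SRVCON_AUTH SERVER_ENCRYPT
  db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver
  db2 update dbm cfg using GROUP_PLUGIN IBMLDAPgroups
  db2stop force && db2start
  # step 4: connect as a user that exists only in LDAP (prompts for password)
  db2 connect to SAMPLE user alice
  db2 connect reset
}

write_ldap_security_ini "$CFG"
ldap_ini_check "$CFG"
if command -v db2 >/dev/null 2>&1; then
  enable_ldap_plugins "$CFG"
fi
```

Keep the instance owner and fenced user in LDAP before running enable_ldap_plugins: once SRVCON_PW_PLUGIN points at the LDAP plug-in, a user the directory cannot resolve cannot connect, and that includes the IDs DB2 itself runs under.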
Server authentication plug-in
The server authentication plug-in module performs server validation of user IDs and passwords supplied by clients on CONNECT and ATTACH statements. It also provides a way to map LDAP user IDs to DB2 authorization IDs, if required. The server plug-in module is generally required if you want users to authenticate to the DB2 database manager using their LDAP user ID and password.
Client authentication plug-in
The client authentication plug-in module is used where user ID and password validation occurs on the client system; that is, where the DB2 server is configured with SRVCON_AUTH or AUTHENTICATION settings of CLIENT. The client validates any user IDs and passwords supplied on CONNECT or ATTACH statements, and sends only the user ID to the DB2 server. Note that CLIENT authentication is difficult to secure, because the server accepts the user ID the client asserts without verifying a password itself, and it is not generally recommended.
The client authentication plug-in module may also be required if the local operating system user IDs on the database server are different from the DB2 authorization IDs associated with those users. You can use the client-side plug-in to map local operating system user IDs to DB2 authorization IDs prior to performing authorization checks for local commands on the database server, such as db2start.
Group lookup plug-in
The group lookup plug-in module retrieves group membership information from the LDAP server for a particular user. It is required if you want to use LDAP to store your group definitions. The most common scenario is where:
- All users and groups are defined in the LDAP server
- Any users defined locally on the database server are also defined with the same user ID on the LDAP server (including the instance owner and the fenced user)
- Password validation occurs on the DB2 server (that is, an AUTHENTICATION or SRVCON_AUTH value of SERVER, SERVER_ENCRYPT or DATA_ENCRYPT is set in the server DBM config file).
It is generally sufficient to install only the server authentication plug-in module and the group lookup plug-in module on the server. DB2 clients typically do not need to have the LDAP plug-in module installed.
It is possible to use only the LDAP group lookup plug-in module in combination with some other form of authentication plug-in (such as Kerberos). In this case, the LDAP group lookup plug-in module will be provided the DB2 authorization IDs associated with a user. The plug-in module searches the LDAP directory for a user with a matching AUTHID_ATTRIBUTE, then retrieves the groups associated with that user object.
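The two-step lookup just described (find the user entry whose AUTHID_ATTRIBUTE matches the authorization ID, then find the groups that reference that entry), reproduced with OpenLDAP's ldapsearch so that the values you agreed with the LDAP administrator can be checked before the plug-in is enabled. This is an added example, not IBM's code and not what the plug-in binary executes internally; the directory URI, bind account, base DNs, attribute names and the test user are constructed to match the assumed configuration above. The filter builders escape the authorization ID per RFC 4515, which is what any correct lookup must do: an unescaped ID such as *)(uid=* would rewrite the filter and match the wrong entry.

```shell
#!/bin/sh
# Added example (not from the IBM page): the group plug-in's two LDAP queries,
# issued with ldapsearch for verification. All directory values are assumed.

# Escape a value for use inside an RFC 4515 search filter
# (backslash first, then * ( ) so the escape backslashes are not re-escaped).
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Step 1: the user entry whose AUTHID_ATTRIBUTE equals the DB2 authorization ID.
#   user_search_filter USER_OBJECTCLASS AUTHID_ATTRIBUTE authid
user_search_filter() {
  printf '(&(objectClass=%s)(%s=%s))' "$1" "$2" "$(ldap_filter_escape "$3")"
}

# Step 2 (GROUP_LOOKUP_METHOD = SEARCH_BY_DN): every group whose
# GROUP_LOOKUP_ATTRIBUTE holds that user's DN.
#   group_search_filter GROUP_OBJECTCLASS GROUP_LOOKUP_ATTRIBUTE user_dn
group_search_filter() {
  printf '(&(objectClass=%s)(%s=%s))' "$1" "$2" "$(ldap_filter_escape "$3")"
}

# lookup_groups AUTHID: run both searches over LDAPS with the bind account in
# $SEARCH_DN; the bind password comes from a file (-y) so it never shows in ps.
# Prints one group name per line. (Entries with non-ASCII DNs are returned
# base64-encoded as "dn::" and would need decoding; not handled here.)
lookup_groups() {
  authid="$1"
  user_dn=$(ldapsearch -LLL -H "$LDAP_URI" -D "$SEARCH_DN" -y "$SEARCH_PW_FILE" \
              -b "$USER_BASEDN" -s sub \
              "$(user_search_filter "$USER_OBJECTCLASS" "$AUTHID_ATTRIBUTE" "$authid")" 1.1 \
            | sed -n 's/^dn: //p' | head -n 1)
  if [ -z "$user_dn" ]; then
    echo "no entry with $AUTHID_ATTRIBUTE=$authid under $USER_BASEDN" >&2
    return 1
  fi
  ldapsearch -LLL -H "$LDAP_URI" -D "$SEARCH_DN" -y "$SEARCH_PW_FILE" \
    -b "$GROUP_BASEDN" -s sub \
    "$(group_search_filter "$GROUP_OBJECTCLASS" "$GROUP_LOOKUP_ATTRIBUTE" "$user_dn")" \
    "$GROUPNAME_ATTRIBUTE" \
  | sed -n "s/^$GROUPNAME_ATTRIBUTE: //p"
}

# Assumed directory parameters, mirroring the sample IBMLDAPSecurity.ini.
: "${LDAP_URI:=ldaps://ldap.example.com:636}"
: "${SEARCH_DN:=cn=db2svc,ou=services,dc=example,dc=com}"
: "${SEARCH_PW_FILE:=/home/db2inst1/.ldap_search_pw}"
: "${USER_BASEDN:=ou=people,dc=example,dc=com}"
: "${USER_OBJECTCLASS:=inetOrgPerson}"
: "${AUTHID_ATTRIBUTE:=uid}"
: "${GROUP_BASEDN:=ou=groups,dc=example,dc=com}"
: "${GROUP_OBJECTCLASS:=groupOfNames}"
: "${GROUP_LOOKUP_ATTRIBUTE:=member}"
: "${GROUPNAME_ATTRIBUTE:=cn}"

# Stand-alone use: sh ldap-groups.sh db2inst1
if command -v ldapsearch >/dev/null 2>&1 && [ -r "$SEARCH_PW_FILE" ]; then
  lookup_groups "${1:-db2inst1}"
fi
```

Run it for the instance owner and for one member of each of the SYSADM, SYSMAINT, SYSCTRL and SYSMON groups; if any of those lookups comes back empty, the group is not visible through LDAP and the authority it grants will be lost when GROUP_PLUGIN is switched over.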
Using DB2 LDAP plug-in modules for authentication and group lookup with the SSL option (Linux, HP-UX and Solaris)
The following information applies only when you are using the DB2 LDAP plug-in modules for authentication and group lookup with the SSL option on the Linux, HP-UX and Solaris operating systems.
The SSL option referred to here is the setting of the ENABLE_SSL attribute to TRUE in the IBMLDAPSecurity.ini configuration file. This is a different procedure from configuring SSL for encrypting data communication between the DB2 server and a DB2 client: ENABLE_SSL protects only the connection from the plug-in to the LDAP server.
If this section applies to your situation, follow the steps below to be able to use the SSL option with the DB2 LDAP plug-in modules for authentication and group lookup.
For Linux on x64, Linux for IBM System z® 64, Linux PPC 64, HP-UX IA 64, Solaris SPARC 64, and Solaris x64 platforms, there are twelve GSKit Version 8 libraries located in DB2 install path/sqllib/lib64:
- libgsk8acmeidup_64.so
- libgsk8cms_64.so
- libgsk8dbfl_64.so
- libgsk8drld_64.so
- libgsk8iccs_64.so
- libgsk8kicc_64.so
- libgsk8km_64.so
- libgsk8ldap_64.so
- libgsk8p11_64.so
- libgsk8ssl_64.so
- libgsk8sys_64.so
- libgsk8valn_64.so
In the appropriate directory for your operating system (/usr/lib on HP-UX IA 64, /usr/lib/64 on Solaris SPARC 64 and Solaris x64, or /usr/lib64 on Linux on x64, Linux for IBM System z 64, and Linux PPC 64), as a user with root authority, issue the ln command to create symbolic links to each of the above libraries. For example:
ln -s DB2 install path/sqllib/lib64/libgsk8acmeidup_64.so .
For Linux on x86, there are twelve GSKit Version 8 libraries located in DB2 install path/sqllib/lib32:
- libgsk8acmeidup.so
- libgsk8cms.so
- libgsk8dbfl.so
- libgsk8drld.so
- libgsk8iccs.so
- libgsk8kicc.so
- libgsk8km.so
- libgsk8ldap.so
- libgsk8p11.so
- libgsk8ssl.so
- libgsk8sys.so
- libgsk8valn.so
In the directory /usr/lib, as a user with root authority, issue the ln command to create symbolic links to each of the above libraries. For example:
ln -s DB2 install path/sqllib/lib32/libgsk8acmeidup.so .
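The ln procedure above, done for all twelve libraries at once. This is an added example, not IBM's code: the DB2_INSTALL_PATH variable, the mapping from uname output to the system library directory, and the refusal to link from a world-writable directory are this script's own choices. It never replaces a file or link that is already present in the system library directory, so a library the distribution installed is left alone and a second run changes nothing.

```shell
#!/bin/sh
# Added example (not from the IBM page): create the GSKit 8 symbolic links
# the DB2 LDAP plug-ins need when ENABLE_SSL is TRUE. DB2_INSTALL_PATH and the
# platform mapping are assumptions; Linux x86 names carry no _64 suffix.

GSK8_LIBS="acmeidup cms dbfl drld iccs kicc km ldap p11 ssl sys valn"

# gsk_lib_name BASE SUFFIX -> e.g. libgsk8ssl_64.so
gsk_lib_name() {
  printf 'libgsk8%s%s.so' "$1" "$2"
}

# Directory the dynamic loader searches on this platform (64-bit, per the page).
gsk_system_libdir() {
  case "$(uname -s)" in
    Linux) echo /usr/lib64 ;;
    SunOS) echo /usr/lib/64 ;;
    HP-UX) echo /usr/lib ;;
    *)     return 1 ;;
  esac
}

# gsk_link_libs SRC_DIR DST_DIR SUFFIX: link each library from SRC_DIR into
# DST_DIR and print the number of links created. Anything already present in
# DST_DIR is reported and skipped.
gsk_link_libs() {
  src="$1"; dst="$2"; suffix="$3"; n=0
  # Whatever these links point at is loaded by every process that resolves
  # them from the system library directory, so the target directory must not
  # be writable by others (ls -ld column 9 is the other-write bit).
  if [ "$(ls -ld "$src" | cut -c9)" = "w" ]; then
    echo "refusing: $src is world-writable" >&2
    return 1
  fi
  for base in $GSK8_LIBS; do
    lib=$(gsk_lib_name "$base" "$suffix")
    if [ ! -f "$src/$lib" ]; then
      echo "missing in $src: $lib" >&2
      return 1
    fi
    if [ -e "$dst/$lib" ] || [ -L "$dst/$lib" ]; then
      echo "skip: $dst/$lib already exists" >&2
      continue
    fi
    ln -s "$src/$lib" "$dst/$lib"
    n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone use (as root): DB2_INSTALL_PATH=/opt/ibm/db2/V9.7 sh gsk8-links.sh
if [ -n "$DB2_INSTALL_PATH" ] && [ "$(id -u)" -eq 0 ]; then
  if [ -d "$DB2_INSTALL_PATH/sqllib/lib64" ]; then
    gsk_link_libs "$DB2_INSTALL_PATH/sqllib/lib64" "$(gsk_system_libdir)" _64
  else
    gsk_link_libs "$DB2_INSTALL_PATH/sqllib/lib32" /usr/lib ""
  fi
fi
```

After linking, confirm from the instance owner's shell that the loader now resolves the libraries from the system directory (for example with ldd on the plug-in's own .so under sqllib/security64/plugin), then restart the instance; a plug-in that cannot load its SSL libraries fails at db2start rather than falling back to cleartext.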