Setting up an OpenLDAP server

By default, Db2® Warehouse uses a self-contained OpenLDAP server for authentication and authorization. However, you can use an external OpenLDAP server instead.

Procedure

  1. Create LDAP entries for the following groups:
    bluadmin
    This is the group for Db2 Warehouse administrators. The value of its CN attribute (the full or common name) must be bluadmin.
    bluusers
    This is the group for Db2 Warehouse users. The value of its CN attribute must be bluusers.
    Note:
    • Both groups must have the same location, that is, with the exception of their CN attributes, the DNs of the two groups must be identical.
    • For each entry, specify objectclass: top and objectclass: posixGroup attributes.
    For example:
    • For the bluadmin group:
      dn: cn=bluadmin,ou=groups,dc=example,dc=com
      objectClass: top
      objectClass: posixGroup
      cn: bluadmin
      gidNumber: unique_bluadmin_group_ID
    • For the bluusers group:
      dn: cn=bluusers,ou=groups,dc=example,dc=com
      objectClass: top
      objectClass: posixGroup
      cn: bluusers
      gidNumber: unique_bluusers_group_ID
  2. Create an LDAP entry for the bluadmin user, who must be part of the bluadmin group.
    For this entry, specify objectclass attributes of account, posixAccount, and top. For example:
    dn: uid=bluadmin,ou=users,dc=example,dc=com
    uid: bluadmin
    cn: bluadmin
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: unique_bluadmin_user_ID
    gidNumber: unique_bluadmin_group_ID
    gecos: bluadmin
  3. Modify the bluadmin group so that it includes a set of memberuid attributes for the bluadmin user.
    For the first memberuid attribute, use the value of the bluadmin user's uid attribute. For the second memberuid attribute, use the value of the bluadmin user's dn attribute. For example:
    dn: cn=bluadmin,ou=groups,dc=example,dc=com
    changetype: modify
    add: memberuid
    memberuid: bluadmin
    memberuid: uid=bluadmin,ou=users,dc=example,dc=com
  4. Ensure that the host name of the external OpenLDAP server is resolvable from all nodes. For example, you can define the external OpenLDAP server in the /etc/hosts file on each node host. If you define the external OpenLDAP server by using this method, you must redeploy Db2 Warehouse.
  5. Configure Db2 Warehouse to act as a client to an external OpenLDAP server. For the sample entries, the group base DN is ou=groups,dc=example,dc=com.
    • Use the web console:
      1. Click Settings > External User Management.
      2. Click External LDAP and specify external LDAP connection information.
    • From the head node, issue a configure_user_management command in Docker or Podman. For example:
      docker exec -it Db2wh configure_user_management --host myhost.example.com --port 389 --searcher-dn uid=searcher,ou=users,dc=example,dc=org --searcher-password searcherpass --client-store /mnt/clusterfs/scratch/client.p12 --client-store-password clientstorepass --ca-cert /mnt/clusterfs/scratch/ca.crt
      podman exec -it Db2wh configure_user_management --host myhost.example.com --port 389 --searcher-dn uid=searcher,ou=users,dc=example,dc=org --searcher-password searcherpass --client-store /mnt/clusterfs/scratch/client.p12 --client-store-password clientstorepass --ca-cert /mnt/clusterfs/scratch/ca.crt
      Note: If you specify a group base DN or user base DN:
      • The group base DN must be at the same location as (that is, must be in the same directory as) the bluadmin and bluusers groups.
      • The user base DN is the same DN that you specified for the bluadmin user in step 2, but without the uid=bluadmin attribute.

      You can use the --admin-group-name, --user-group-name, and --admin-user-name parameters to override the default names for the administrative group (default is bluadmin), user group (default is bluusers), and administrative user (default is bluadmin). For example, you might want to use different groups and users depending on whether your system is a production or test system. All other requirements for these groups and this user remain unchanged.

  6. If needed, create additional Db2 Warehouse administrators by adding them to the bluadmin group, and create additional Db2 Warehouse users by adding them to the bluusers group. Use the same approach that you used for the bluadmin user in steps 2 and 3. The uid and uidNumber attribute values of each administrator and user must be unique.
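Before pointing Db2 Warehouse at the directory, it is worth checking the entries against the requirements in steps 1 to 3 and 6. The following Python script is an added example written for this page (it is not part of Db2 Warehouse) that parses LDIF such as the entries above and reports the violations a misconfigured directory would produce: groups in different locations, a bluadmin group without both memberuid forms, or duplicate uidNumber values. The sample LDIF is constructed, and the parser assumes plain LDIF without base64 or folded lines.

```python
from collections import defaultdict

# Constructed sample LDIF mirroring the entries in the procedure (not taken from a live directory).
SAMPLE_LDIF = """\
dn: cn=bluadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: bluadmin
memberuid: bluadmin
memberuid: uid=bluadmin,ou=users,dc=example,dc=com

dn: cn=bluusers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: bluusers

dn: uid=bluadmin,ou=users,dc=example,dc=com
uid: bluadmin
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 6000
"""

def parse_ldif(text):
    """Parse plain LDIF into {dn: {attr: [values]}}; attribute names and objectClass
    values are lower-cased because LDAP matches them case-insensitively."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for name, _, value in (line.partition(":") for line in block.splitlines()):
            attrs[name.lower()].append(value.strip().lower() if name.lower() == "objectclass" else value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_db2wh_ldap(text, admin_group="bluadmin", user_group="bluusers", admin_user="bluadmin"):
    """Return the violations of the group and user requirements stated in the procedure."""
    e, problems = parse_ldif(text), []
    grp = {a["cn"][0]: dn for dn, a in e.items() if "posixgroup" in a["objectclass"] and a["cn"]}
    if admin_group not in grp or user_group not in grp:
        return ["missing posixGroup entry for %s or %s" % (admin_group, user_group)]
    if grp[admin_group].split(",", 1)[1] != grp[user_group].split(",", 1)[1]:
        problems.append("groups are not in the same location: %s vs %s" % (grp[admin_group], grp[user_group]))
    user_dn = next((dn for dn, a in e.items() if a["uid"] == [admin_user]), None)
    members = e[grp[admin_group]]["memberuid"]
    if user_dn is None or admin_user not in members or user_dn not in members:
        problems.append("%s must list memberuid %s and memberuid %s" % (grp[admin_group], admin_user, user_dn))
    ids = [a["uidnumber"][0] for a in e.values() if a["uidnumber"]]
    if len(ids) != len(set(ids)):
        problems.append("uidNumber values are not unique across administrators and users")
    return problems
```

The admin_group, user_group and admin_user parameters mirror the --admin-group-name, --user-group-name and --admin-user-name overrides described in step 5.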