DB2 and Transparent LDAP
Ok, so I know I’m in the middle of a multi-part post on Data Movement between Commerce databases (and I will get back to that), but I found this and had to share it because I’m so excited DB2 has finally added support for it.
As of DB2 9.7 Fix Pack 1, DB2 finally supports transparent LDAP on Unix and Linux. "Transparent" means DB2 simply hands authentication to the operating system, which resolves the user through PAM; DB2 itself never talks to the directory. Previously you had to deal with security plugins that were frequently pay-for-use or code-it-yourself (or just give up and keep separate OS-level ids for DB2). Now, with just three steps, you can get DB2 to authenticate through PAM. Here's the link to the info center:
The basic steps are:
- Have your sysadmin set up LDAP authentication at the OS level (or do it yourself). I generally recommend keeping the instance owner id as a local, system-level id rather than an LDAP id, so that if your LDAP goes down you can still start, stop and administer the instance (yes, even if you have highly redundant LDAP).
- Set the DB2AUTH registry variable to OSAUTHDB (the value that tells DB2 to authenticate through the OS), then bounce your DB2 instance to make it take effect.
- Edit or create /etc/pam.d/db2 as appropriate for your OS (the info center gives some details on it). For RHEL, it looks like:

    #%PAM-1.0
    auth       required     /lib/security/$ISA/pam_env.so
    auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
    auth       sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
    auth       required     /lib/security/$ISA/pam_deny.so
    account    required     /lib/security/$ISA/pam_unix.so
    account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account    sufficient   /lib/security/$ISA/pam_ldap.so
    account    required     /lib/security/$ISA/pam_permit.so
    password   requisite    /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
    password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok md5 shadow remember=3
    password   sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
    password   required     /lib/security/$ISA/pam_deny.so
    session    required     /lib/security/$ISA/pam_limits.so
    session    required     /lib/security/$ISA/pam_unix.so

  Two things to read carefully before copying this: nullok on pam_unix lets a local account with an empty password field authenticate, so drop it unless you really have such accounts, and the pam_succeed_if line skips the LDAP account checks entirely for low-numbered (system) uids. The order matters too: pam_unix is tried first, and pam_ldap only sees the password because of use_first_pass, which is also what stops users from being prompted twice.
And that's really all there is to it. Keep in mind that older versions of DB2 do not support this (support for AIX alone arrived in an earlier release; the other Unix and Linux platforms needed 9.7 Fix Pack 1), and that you should, of course, test this thoroughly: both that LDAP users can connect, and what happens to connections and to the instance itself when your LDAP server is down.
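The whole procedure as one script, an added example of mine and not something from the original post or from the DB2 documentation. It assumes DB2 9.7 Fix Pack 1 or later on RHEL with the module paths used above, that it runs as the instance owner with the DB2 environment sourced, and that the function names, the db2ldap.sh file name and the lint rules are my own. It goes a little beyond the post: it writes the PAM stack without nullok and with the shadow/remember option spelled correctly, lints a PAM service file for the usual mistakes (nullok, an auth stack that does not end in pam_deny, pam_ldap without use_first_pass), and gives a connect smoke test to run once with LDAP reachable and once with it blocked.

```shell
#!/bin/sh
# db2ldap.sh: enable DB2 transparent LDAP and sanity-check the PAM stack.
# Added example, not from the post or from IBM. Assumes DB2 9.7 FP1+ on RHEL,
# run as the instance owner with the DB2 environment (db2profile) sourced.

# Step 2 of the post: tell DB2 to authenticate via the OS, then restart.
# Not called at load time; run "sh db2ldap.sh enable" to apply it.
db2_enable_transparent_ldap() {
    db2set DB2AUTH=OSAUTHDB || return 1
    db2stop force && db2start
}

# Step 3 of the post: write the PAM service file for "db2".
# Differences from the post's stack: no "nullok" (empty passwords refused)
# and "shadow remember=3" instead of the typo "shadowremember=3".
write_db2_pam_config() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth
auth       sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    sufficient   /lib/security/$ISA/pam_ldap.so
account    required     /lib/security/$ISA/pam_permit.so
password   requisite    /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok md5 shadow remember=3
password   sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
password   required     /lib/security/$ISA/pam_deny.so
session    required     /lib/security/$ISA/pam_limits.so
session    required     /lib/security/$ISA/pam_unix.so
EOF
}

# Lint a PAM service file. Prints each problem found; returns 0 only if clean.
check_db2_pam_config() {
    f="$1"
    rc=0
    # nullok on an auth line lets an account with an empty password in.
    if grep -Eq '^auth.*nullok' "$f"; then
        echo "auth stack allows empty passwords (nullok)"
        rc=1
    fi
    # The last auth line must be pam_deny so that falling through every
    # "sufficient" module is a failure, not a silent success.
    if ! grep -E '^auth' "$f" | tail -n 1 | grep -q 'pam_deny\.so'; then
        echo "auth stack does not end in pam_deny"
        rc=1
    fi
    # Without use_first_pass, pam_ldap prompts for the password a second time,
    # which DB2 clients cannot answer.
    if ! grep -Eq '^auth.*pam_ldap\.so.*use_first_pass' "$f"; then
        echo "pam_ldap auth line lacks use_first_pass"
        rc=1
    fi
    return $rc
}

# Connect as a test LDAP user. Run it once normally, then again with the
# LDAP server blocked (e.g. a firewall rule) to see the failure mode.
# Usage: db2_auth_smoke_test <database> <user> <password>
db2_auth_smoke_test() {
    db2 connect to "$1" user "$2" using "$3" >/dev/null 2>&1
}

case "${1:-}" in
    enable) db2_enable_transparent_ldap ;;
    write)  write_db2_pam_config "${2:-/etc/pam.d/db2}" ;;
    lint)   check_db2_pam_config "${2:-/etc/pam.d/db2}" ;;
    test)   db2_auth_smoke_test "${2:?database}" "${3:?user}" "${4:?password}" ;;
esac
```

Typical use is "sh db2ldap.sh write" then "sh db2ldap.sh lint" before "sh db2ldap.sh enable", and "sh db2ldap.sh test SAMPLE someldapuser 'itspassword'" both before and after you cut the box off from LDAP; the second run tells you whether connections fail fast or hang in the PAM timeout, which is what your application will see during an LDAP outage.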