DB2 and Transparent LDAP

Ok, so I know I’m in the middle of a multi-part post on Data Movement between Commerce databases (and I will get back to that), but I found this and had to share it because I’m so excited DB2 has finally added support for it.

As of DB2 9.7 FixPack 1, DB2 finally supports transparent LDAP on Unix and Linux! Previously you had to deal with plugins that were frequently pay-for-use or code-it-yourself (or just give up and keep separate OS-level ids for DB2). Now with just three steps, you can get DB2 to use PAM. Here’s the link to the info center:


The basic steps are:

  1. Have your Sysadmin set up LDAP at the OS level (or do it yourself). I generally recommend keeping the instance owner id as a system-level id, so that if your LDAP goes down, you can still do the basics (yes, even if you have highly redundant LDAP).
  2. Set the DB2 registry parameter, and then bounce your db2 instance to make it take effect
  3. db2set DB2AUTH=OSAUTHDB
  4. Edit or create /etc/pam.d/db2 as appropriate for your OS(the info center gives some details on it). For RHEL, it looks like:
  5. #%PAM-1.0 
    auth    required    /lib/security/$ISA/pam_env.so
    auth    sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
    auth    sufficient  /lib/security/$ISA/pam_ldap.so use_first_pass
    auth    required    /lib/security/$ISA/pam_deny.so 
    account  required   /lib/security/$ISA/pam_unix.so
    account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account  sufficient /lib/security/$ISA/pam_ldap.so 
    account  required   /lib/security/$ISA/pam_permit.so 
    password requisite  /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadowremember=3
    password sufficient /lib/security/$ISA/pam_ldap.so  use_first_pass
    password required   /lib/security/$ISA/pam_deny.so 
    session  required   /lib/security/$ISA/pam_limits.so
    session  required   /lib/security/$ISA/pam_unix.so

    And that’s really all there is to it. Keep in mind that older versions of DB2 do not support this (AIX only came in an earlier version), and that you should, of course, test this thoroughly to see both that it works and what happens when your LDAP server is down.

You may also like...

1 Response

  1. October 13, 2014

    […] “db2:auth”, “pam_sm_authenticate”. Google search lead me to Ember Crook’s blog post on DB2 and Transparent LDAP. That is where I read about the file […]

Leave a Reply

Your email address will not be published. Required fields are marked *