DB2 and Transparent LDAP


6 Responses

  1. Erwin Hattingh says:

    TIP (and Question): How to use the newer sssd instead of pam_ldap?
    When setting up Transparent LDAP authentication for DB2 on RHEL 6.x or 7.x using sssd instead of pam_ldap, create the file “/etc/pam.d/db2” according to the IBM directions, but change the pam_ldap lines to pam_sss.
    Tested with DB2 11.1.2.2 on a RedHat 7.3 server, a domain member of RedHat’s “IdM”
    (Identity Management, LDAP server, incl. DC, DNS, NTP services).

    One note though: on the Linux level, both domain Users and domain Groups are working.
    For DB2 on this server, so far, sadly only domain Users...
    (and yes, our “nsswitch.conf” file in “/etc/” also has ‘files sss’ instead of ‘files ldap’)
    Somehow DB2 does not accept using domain Groups.
    Anyone have an idea?
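    The setup described in this comment, as an added example that is not part of the original post or of IBM’s documentation: a small sh script that writes a pam_sss-based /etc/pam.d/db2 and checks that both the PAM service file and nsswitch.conf point at sssd. The module order and control flags are assumptions (IBM’s reference file is not reproduced on this page), and the file paths are parameters so it can be dry-run against a temporary directory.

```shell
#!/bin/sh
# Constructed example: provision and verify the pam_sss variant of the Db2
# Transparent LDAP PAM service. Paths are parameters so nothing touches /etc
# unless you pass it explicitly.
set -eu

# Write the PAM service file for Db2 with pam_sss.so in place of pam_ldap.so.
# The four-stack layout and "required" control flag are assumptions, not
# IBM's published file.
write_db2_pam() {
  pamfile=$1
  cat > "$pamfile" <<'EOF'
auth     required   pam_sss.so
account  required   pam_sss.so
password required   pam_sss.so
session  required   pam_sss.so
EOF
}

# Return 0 if the service file has no active pam_ldap.so line and routes
# both the auth and the account stack through pam_sss.so. Checking the
# account stack matters: it is where sssd enforces lockouts/disabled accounts.
pam_uses_sss() {
  pamfile=$1
  if grep -Eq '^[^#]*pam_ldap\.so' "$pamfile"; then return 1; fi
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$pamfile" &&
  grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$pamfile"
}

# Return 0 if nsswitch.conf resolves passwd and group through sss, which
# Db2 needs so that LDAP users and groups can be looked up at all.
nss_uses_sss() {
  nssfile=$1
  grep -Eq '^[[:space:]]*passwd:.*[[:space:]]sss([[:space:]]|$)' "$nssfile" &&
  grep -Eq '^[[:space:]]*group:.*[[:space:]]sss([[:space:]]|$)' "$nssfile"
}
```

Run `write_db2_pam /etc/pam.d/db2` as root on the real host only after confirming `nss_uses_sss /etc/nsswitch.conf` succeeds, otherwise PAM will authenticate users that NSS cannot resolve.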

  2. Erwin Hattingh says:

    From the point of view of “is SSSD (System Security Services Daemon) supported or not”:
    The Knowledge Center mentions:
    “DB2 supports PAM configurations that use pam_ldap.so, pam_unix.so, and pam_unix2.so. Configurations that use other PAM modules might work, but are not supported” ...
    (see https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0056291.html)
    However, Technote swg21976128 mentions:
    “SSSD is supported via Transparent LDAP on Linux”
    (see http://www-01.ibm.com/support/docview.wss?uid=swg21976128)

    Sadly, so far (at least for us), DB2:
    accepts “grant … to user @” (DB2 knows “@” is in fact a special character; the domain is the remainder part)
    does not (properly) accept “grant … to group @” (DB2 treats it as the full string, and isn’t aware the “@” should be treated as a special character for the domain)

  3. Erwin Hattingh says:

    (correction to previous comment)
    So far (at least for us), DB2:
    accepts “grant … to user username@domainname” (DB2 knows “@” is in fact a special character; the domain is the remainder part)
    does not (properly) accept “grant … to group groupname@domainname” (DB2 treats it as the full string, and isn’t aware the “@” should be treated as a special character for the domain)

  4. Isaac Munoz says:

    Hi Ember, thanks for your post. I am trying to set up LDAP using plug-ins (not transparent LDAP); however, the IBM KC does not give much information about how to configure the users/groups. It says even the db2 instance userid and all groups need to be defined on the LDAP server. Does this mean they must not be defined on the unix server? So how do you assign ownership of all the filesystems the database is going to use? I haven’t found really good documentation, so I was wondering if you are aware of such. Thanks very much.

    • Ember Crooks says:

      I have never used the plugins for precisely this reason. All IDs must be defined at the LDAP level. This means that if LDAP is not available, Db2 is essentially down. I don’t have details on how to use this method. I thought there were some white papers out there on it.

  1. October 13, 2014

    […] “db2:auth”, “pam_sm_authenticate”. Google search lead me to Ember Crook’s blog post on DB2 and Transparent LDAP. That is where I read about the file […]
