By default, Db2® Warehouse uses a
self-contained LDAP server for authentication and authorization. However, you can use an external
Microsoft Active Directory server instead.
Before you begin
If you want each node to join the Active Directory domain, which makes it easier for you to audit activity, perform the following preliminary steps. If you want each node to instead act solely as an LDAP client, skip these steps.
- Create an Active Directory computer account for each Db2 Warehouse node.
- Create a user to manage these accounts.
- Grant this user the following permissions for each account:
  - Reset password
  - Write DNS host name attributes
  - Write msDS-SupportedEncryptionTypes
  - Write Operating System
  - Write Operating System Version
  - Write operatingSystemServicePack
  - Write servicePrincipalName
  - Write userAccountControl
  - Write userPrincipalName
Procedure
1. Create the following groups:
   - bluadmin: the group for Db2 Warehouse administrators. The value of its CN attribute (the full or common name) must be bluadmin.
   - bluusers: the group for Db2 Warehouse users. The value of its CN attribute must be bluusers.
   Note:
   - Both groups must have the same location; that is, with the exception of their CN attributes, the DNs of the two groups must be identical.
   - For each group, the value of its SamAccountName attribute can be anything other than bluadmin, which is reserved for the bluadmin user. For example, set the SamAccountName attributes for the two groups to bluadmin-group and bluusers-group.
2. Create the bluadmin user, who must be a member of the bluadmin group. For the bluadmin user, specify at least the CN and SamAccountName attributes; set both of these attributes to bluadmin.
3. Ensure that the host name of the Active Directory domain controller is resolvable from all nodes. For example, you can define the Active Directory domain controller in the /etc/hosts file on each node host. If you define the Active Directory domain controller by using this method, you must redeploy Db2 Warehouse.
   Note: If you want to use Microsoft Active Directory for user management on Integrated Analytics System 1.0.30.0 or later, make sure that the AD DNS server has the correct SRV records configured for the Kerberos realm's DNS domain. Example of an SRV record to add:
   _kerberos._tcp.[domain]. 3600 IN SRV 0 100 88 [kdc-hostname]
   - _kerberos._tcp.[domain]: the service name for Kerberos over TCP in the target domain (for example, the DNS domain tied to your Kerberos realm).
   - 3600: TTL (time to live) in seconds (1 hour; adjust as needed).
   - IN SRV: indicates that this is an SRV (service) record.
   - 0: priority; sets the preference order if multiple SRV records exist (a lower value means a higher priority; 0 is the highest).
   - 100: weight; balances load among records of the same priority (arbitrary for a single KDC; typically 100).
   - 88: the port on which the KDC listens (the Kerberos standard port).
   - [kdc-hostname]: the fully qualified host name of the KDC (must resolve to its IP address through an A record).
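As an added example (not from the IBM documentation or the product), the following Python checks a zone-file fragment for the Kerberos SRV record described above before you enable external AD: it looks for the `_kerberos._tcp` owner name under the realm's DNS domain, confirms the port is 88, orders the KDCs the way a client would (priority, then weight), and confirms that each KDC target has an A record in the same zone. The zone data, domain and host names are constructed placeholders; on a real system you would paste in the relevant lines from the AD DNS zone.

```python
"""Pre-flight check for the Kerberos SRV record that the AD DNS zone must carry
before external AD user management is enabled.  Added example, not IBM code;
the zone fragment below is constructed and the names are placeholders."""
import re
from dataclasses import dataclass

# Zone-file syntax: <name> <ttl> IN SRV <priority> <weight> <port> <target>
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
A_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\S+)\s*$")
KERBEROS_PORT = 88


@dataclass
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line):
    """Parse one SRV zone line; return None for comments and other record types."""
    m = SRV_RE.match(line.strip())
    if m is None:
        return None
    return SrvRecord(m["name"].lower(), int(m["ttl"]), int(m["priority"]),
                     int(m["weight"]), int(m["port"]), m["target"].lower())


def kerberos_srv_name(domain):
    """The owner name the KDC record must have, as an absolute name (trailing dot)."""
    return f"_kerberos._tcp.{domain.rstrip('.').lower()}."


def kdc_records(zone_lines, domain):
    """All KDC SRV records for the domain, in the order a client prefers them:
    lowest priority first, then highest weight within the same priority."""
    want = kerberos_srv_name(domain)
    recs = [r for r in map(parse_srv, zone_lines) if r and r.name == want]
    return sorted(recs, key=lambda r: (r.priority, -r.weight))


def check_kerberos_srv(zone_lines, domain):
    """Return a list of problems; an empty list means the zone meets the requirement."""
    recs = kdc_records(zone_lines, domain)
    if not recs:
        return [f"no SRV record named {kerberos_srv_name(domain)}"]
    a_names = {m["name"].lower()
               for m in map(A_RE.match, (line.strip() for line in zone_lines)) if m}
    problems = []
    for r in recs:
        if r.port != KERBEROS_PORT:
            problems.append(f"{r.target}: port {r.port}, expected {KERBEROS_PORT}")
        if r.target not in a_names:
            # The doc requires the KDC host name to resolve through an A record.
            problems.append(f"{r.target}: no A record in zone")
    return problems


# Constructed zone fragment: two KDCs, the second one missing its A record.
ZONE = """
; constructed sample, not a real domain
_kerberos._tcp.example.test. 3600 IN SRV 0 100 88 dc1.example.test.
_kerberos._tcp.example.test. 3600 IN SRV 10 100 88 dc2.example.test.
dc1.example.test.            3600 IN A   192.0.2.10
""".strip().splitlines()

if __name__ == "__main__":
    for kdc in kdc_records(ZONE, "example.test"):
        print(f"KDC {kdc.target} priority={kdc.priority} port={kdc.port}")
    for problem in check_kerberos_srv(ZONE, "example.test"):
        print("PROBLEM:", problem)
```

Run against the constructed zone, the check reports that dc2.example.test. has no A record, which is exactly the condition that would make the SRV record useless to a node resolving the KDC. An empty result from `check_kerberos_srv` is the state you want before proceeding to the next step.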
4. Configure the Db2 Warehouse nodes to act as clients of an Active Directory server:
   - Use the web console:
     - Click .
     - Click External AD and specify the Active Directory connection information. If you want each node to join the Active Directory domain, click Join AD domain and enter an administrator user ID and an administrator password. If you want each node to act solely as an LDAP client, click LDAP only and do not enter an administrator user ID or administrator password.
     Note: If you specify a group base DN or user base DN:
     - The group base DN must be at the same location as (that is, in the same directory container as) the bluadmin and bluusers groups.
     - The user base DN is the same DN that you specified for the bluadmin user, but without the CN attribute.
     Note: If you select the Db2 Warehouse and platform option and any SSL method, obtain from your Active Directory server the CA certificate that the appliance uses to encrypt the connection with the server. CA certificates must have the *.pem extension.
   You can use the --admin-group-name, --user-group-name, and --admin-user-name parameters to override the default names for the administrative group (default is bluadmin), user group (default is bluusers), and administrative user (default is bluadmin). For example, you might want to use different groups and users depending on whether your system is a production or test system. All other requirements for these groups and this user remain unchanged.
   Note: If you encounter database connection issues on the web console after switching to an external server for user management, run the following command as the root user in the dashDB container on node 0101:
   chown -R db2iadm1 /scratch/home/bluadmin
5. If needed, create additional Db2 Warehouse administrators by adding them to the bluadmin group, and create additional Db2 Warehouse users by adding them to the bluusers group. Use the same approach that you used for creating the bluadmin user in step 2. The SamAccountName of each administrator and user must be unique. The values of the CN and SamAccountName attributes that you specify for a particular administrator or user do not need to match.
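The rules spread across steps 1, 2, 4 and 5 (two groups in the same container, group SamAccountName values that do not reuse the admin user's name, an admin user whose CN and SamAccountName both equal bluadmin and who is a member of the admin group, unique SamAccountName values across all administrators and users, and base DNs derived from those entries) are easy to get slightly wrong in a large directory. The following Python is an added example, not IBM code, that checks all of them against a constructed in-memory snapshot of the directory (a dict of DN to attributes). The keyword arguments mirror the --admin-group-name, --user-group-name and --admin-user-name overrides; the DNs, names and the snapshot format are assumptions made for the example, not something the product exports.

```python
"""Pre-flight check of the Active Directory objects that external AD user
management expects: the two groups, the administrative user, and the base DNs
derived from them.  Added example, not IBM code; it works on a constructed
in-memory snapshot of the directory rather than querying AD."""
import re

UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RDN separator, ignoring "\," in values


def parse_dn(dn):
    """Split a DN into (type, value) RDNs; attribute types are lower-cased."""
    rdns = []
    for part in UNESCAPED_COMMA.split(dn):
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn):
    """Case-folded form used when comparing two DNs."""
    return ",".join(f"{t}={v.lower()}" for t, v in parse_dn(dn))


def parent_dn(dn):
    """The DN with its first RDN removed, i.e. the container the entry lives in."""
    return UNESCAPED_COMMA.split(dn, maxsplit=1)[1].strip()


def find_by_cn(entries, object_class, cn):
    """DNs of entries of the given objectClass whose leading RDN is CN=<cn>."""
    return [dn for dn, e in entries.items()
            if e.get("objectClass") == object_class and parse_dn(dn)[0] == ("cn", cn)]


def check_ad_layout(entries, admin_group="bluadmin", user_group="bluusers",
                    admin_user="bluadmin"):
    """Return a list of problems; an empty list means the documented rules hold."""
    problems, groups = [], {}
    for name in (admin_group, user_group):
        hits = find_by_cn(entries, "group", name)
        if len(hits) != 1:
            problems.append(f"expected exactly one group with CN={name}, found {len(hits)}")
            continue
        groups[name] = hits[0]
        # The admin user's name is reserved; a group must not reuse it as sAMAccountName.
        if entries[hits[0]].get("sAMAccountName", "").lower() == admin_user.lower():
            problems.append(f"group {name}: sAMAccountName {admin_user} is reserved for the admin user")
    if len(groups) == 2 and normalize_dn(parent_dn(groups[admin_group])) != \
            normalize_dn(parent_dn(groups[user_group])):
        problems.append("groups are not in the same container (DNs must differ only in CN)")
    users = find_by_cn(entries, "user", admin_user)
    if len(users) != 1:
        problems.append(f"expected exactly one user with CN={admin_user}, found {len(users)}")
    else:
        if entries[users[0]].get("sAMAccountName") != admin_user:
            problems.append(f"user {admin_user}: sAMAccountName must be {admin_user}")
        members = {normalize_dn(m)
                   for m in entries.get(groups.get(admin_group), {}).get("member", [])}
        if normalize_dn(users[0]) not in members:
            problems.append(f"user {admin_user} is not a member of group {admin_group}")
    seen = {}   # sAMAccountName must be unique across every administrator and user
    for gdn in groups.values():
        for member in entries[gdn].get("member", []):
            sam = entries.get(member, {}).get("sAMAccountName")
            if not sam:
                continue
            other = seen.setdefault(sam.lower(), member)
            if normalize_dn(other) != normalize_dn(member):
                problems.append(f"sAMAccountName {sam} used by both {other} and {member}")
    return problems


def derived_base_dns(entries, admin_group="bluadmin", admin_user="bluadmin"):
    """(group base DN, user base DN) to enter in the console; assumes the check passed."""
    return (parent_dn(find_by_cn(entries, "group", admin_group)[0]),
            parent_dn(find_by_cn(entries, "user", admin_user)[0]))


# Constructed directory snapshot (DN -> attributes); all names are placeholders.
GOOD_DIRECTORY = {
    "CN=bluadmin,OU=Groups,DC=example,DC=test": {
        "objectClass": "group", "sAMAccountName": "bluadmin-group",
        "member": ["CN=bluadmin,OU=Users,DC=example,DC=test",
                   "CN=Alice Admin,OU=Users,DC=example,DC=test"]},
    "CN=bluusers,OU=Groups,DC=example,DC=test": {
        "objectClass": "group", "sAMAccountName": "bluusers-group",
        "member": ["CN=Bob Analyst,OU=Users,DC=example,DC=test"]},
    "CN=bluadmin,OU=Users,DC=example,DC=test": {"objectClass": "user", "sAMAccountName": "bluadmin"},
    "CN=Alice Admin,OU=Users,DC=example,DC=test": {"objectClass": "user", "sAMAccountName": "aadmin"},
    "CN=Bob Analyst,OU=Users,DC=example,DC=test": {"objectClass": "user", "sAMAccountName": "banalyst"},
}

# The same snapshot with three rules broken: reserved group name, groups in
# different containers, and a duplicated sAMAccountName.
BAD_DIRECTORY = dict(GOOD_DIRECTORY)
BAD_DIRECTORY["CN=bluadmin,OU=Groups,DC=example,DC=test"] = {
    **GOOD_DIRECTORY["CN=bluadmin,OU=Groups,DC=example,DC=test"], "sAMAccountName": "bluadmin"}
del BAD_DIRECTORY["CN=bluusers,OU=Groups,DC=example,DC=test"]
BAD_DIRECTORY["CN=bluusers,OU=Other,DC=example,DC=test"] = \
    GOOD_DIRECTORY["CN=bluusers,OU=Groups,DC=example,DC=test"]
BAD_DIRECTORY["CN=Bob Analyst,OU=Users,DC=example,DC=test"] = {"objectClass": "user", "sAMAccountName": "aadmin"}
```

For the good snapshot `check_ad_layout` returns an empty list and `derived_base_dns` yields OU=Groups,DC=example,DC=test and OU=Users,DC=example,DC=test, which are the values the Note in step 4 tells you to enter as the group base DN and the user base DN. For the broken snapshot it reports the three violations in order, so each one can be corrected in AD before the nodes are switched to the external server. If you use the name overrides, pass the same names to the check.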