Configure LDAP User Information
Entries in the LDAP server can be introduced into IBM Db2 Data Management Console as console users. Each such entry must store a user password and must be able to bind to the LDAP server with its DN and that password. The most common object classes held by these entries are 'person', 'organizationalPerson', 'inetOrgPerson' and 'posixAccount'. Customized user schemas must satisfy the same requirements.
User base DN:
All user entries in LDAP must be located under a single base entry, called the user base entry here. In other words, each user entry is a leaf node of the subtree whose root is the user base entry, so the trailing components of any user entry's DN are identical to the DN of the user base entry. Provide the full DN of the user base entry in this field. A partial DN or an RDN is not supported, even if a default search base is configured on the LDAP server side (for example, 'olcDefaultSearchBase' in OpenLDAP).
Exactly one user base DN is required; multiple user base entries are not supported.
Refer to the task 'Requirements of LDAP DN Value' for the restrictions on LDAP DN values in IBM Db2 Data Management Console.
User login attribute type:
In IBM Db2 Data Management Console, console user accounts are identified by their user IDs. When authentication is delegated to an LDAP server, one attribute of the LDAP user entry must be selected as the console user ID; it represents the user's identity in the console and is used to log in.
The value of the 'user login attribute type' field is the type (also called the attribute description) of the chosen attribute. Not every attribute of a user entry can serve as the console login user ID. The attribute's values must be unique under the user base entry. The attribute must be usable in a search filter, which means its schema must define an equality matching rule. Every user entry must contain this attribute type with exactly one value. If this attribute is the RDN type of the user entries, it must still be stored explicitly in the user entry as an attribute. A composite RDN made up of several attributes cannot be used as the login user ID as a whole.
Whether the values of this attribute (that is, the console user IDs) are case sensitive depends on the attribute's equality matching rule, so take care when logging in to the console. Using a case-insensitive attribute as the login user ID is strongly recommended. The attribute types most commonly used as the login user ID are cn, mail, uid, userid, employeeNumber and uidNumber.
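The following added example (not IBM's code, and not part of the console) shows how an administrator could verify, offline and before pointing the console at a directory, that a user subtree meets the rules from both sections above: every user entry sits under the user base DN, carries a password and a supported object class, has exactly one value of the login attribute, and no two entries share a login value (compared case-insensitively, since uid and cn use a case-ignoring equality rule in the standard schema). It works on a constructed LDIF export, handles only the plain "attr: value" form of LDIF, and also builds the escaped equality filter a login lookup would use. The base DN, attribute choice and all entries are assumptions for illustration.

```python
"""Sanity-check an LDAP user subtree against the console's requirements.

Added example, not IBM's code. It parses a constructed LDIF export offline
(plain "attr: value" lines only; base64 "::" lines are not handled).
"""
import re

# Object classes the page lists as the usual holders of console user entries.
SUPPORTED_CLASSES = {"person", "organizationalperson", "inetorgperson", "posixaccount"}

# Constructed sample export; not a real directory. It deliberately contains
# a case-variant duplicate uid, a multi-valued mail, an entry outside the
# base, and a non-user entry so that every check fires at least once.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
userPassword: {SSHA}placeholder

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
mail: bob@example.com
mail: robert@example.com
userPassword: {SSHA}placeholder

dn: cn=Alice Two,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: ALICE
cn: Alice Two
sn: Two
mail: alice2@example.com
userPassword: {SSHA}placeholder

dn: uid=carol,ou=contractors,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Contractor
sn: Contractor
userPassword: {SSHA}placeholder

dn: cn=svc,ou=people,dc=example,dc=com
objectClass: applicationProcess
cn: svc
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}) tuples."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def normalize_dn(dn):
    """Lower-case and trim each RDN so suffix comparison ignores case and spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_users(ldif_text, user_base_dn, login_attr, case_sensitive=False):
    """Return a list of problems; an empty list means the subtree is usable."""
    problems, seen = [], {}
    base = normalize_dn(user_base_dn)
    login_attr = login_attr.lower()
    for dn, attrs in parse_ldif(ldif_text):
        # Rule: the entry's DN must end with the configured user base DN.
        if not normalize_dn(dn).endswith("," + base):
            problems.append(f"{dn}: not under user base {user_base_dn}")
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & SUPPORTED_CLASSES:
            problems.append(f"{dn}: no supported user object class")
        if "userpassword" not in attrs:
            problems.append(f"{dn}: no userPassword, so the entry cannot bind")
        values = attrs.get(login_attr, [])
        # Rule: exactly one value of the login attribute per entry.
        if len(values) != 1:
            problems.append(f"{dn}: expected exactly one {login_attr}, found {len(values)}")
            continue
        key = values[0] if case_sensitive else values[0].lower()
        # Rule: login values must be unique across the whole subtree.
        if key in seen:
            problems.append(f"{dn}: {login_attr}={values[0]} duplicates {seen[key]}")
        else:
            seen[key] = dn
    return problems


def login_filter(login_attr, user_id):
    """Equality filter for a login lookup, with RFC 4515 special characters escaped."""
    esc = user_id.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        esc = esc.replace(ch, code)
    return f"({login_attr}={esc})"


if __name__ == "__main__":
    for problem in check_users(SAMPLE_LDIF, "ou=people,dc=example,dc=com", "uid"):
        print(problem)
    print(login_filter("uid", "alice"))
```

Running the check with uid as the login attribute reports the case-variant duplicate, the entry outside the base, and the service entry's missing class, password and uid; switching to mail instead flags bob's two addresses. Re-running with case_sensitive=True silences the duplicate report, which is exactly the ambiguity the page warns about when the attribute's matching rule is case sensitive.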