configure_ldap

By default, Db2® Warehouse uses a self-contained LDAP server for authentication and authorization. Use this command if you want to configure Db2 Warehouse to use an external LDAP server instead.

As an alternative to this command, you can use the Settings > External LDAP option in the web console. Regardless of which method you use, additional setup steps are required before and after you configure the external LDAP server. These steps are described in Setting up an OpenLDAP server.

As a user with host operating system root authority, issue the following Docker or Podman command on the head node:
docker exec -it Db2wh configure_ldap
   {--host hostname --port portnumber --group-base-dn group_base_dn
    --user-base-dn user_base_dn --searcher-dn searcher_dn
    --searcher-password searcher_password --ssl-method {starttls|ldaps}
    --client-store client_store --client-store-password client_store_password
    --ca-cert ca_certificate [--local]}|-h|--help
podman exec -it Db2wh configure_ldap
   {--host hostname --port portnumber --group-base-dn group_base_dn
    --user-base-dn user_base_dn --searcher-dn searcher_dn
    --searcher-password searcher_password --ssl-method {starttls|ldaps}
    --client-store client_store --client-store-password client_store_password
    --ca-cert ca_certificate [--local]}|-h|--help
--host hostname
Specifies the fully qualified domain name (FQDN) of the LDAP server. Ensure that you define this server in the /etc/hosts file.
--port portnumber
Specifies the port number of the LDAP server.
--group-base-dn group_base_dn
Specifies the group base distinguished name (DN) for the bluadmin and bluusers groups, for example:
ou=groups,dc=example,dc=com
--user-base-dn user_base_dn
Specifies the user base DN for the Db2 Warehouse users, for example:
ou=users,dc=example,dc=com
--searcher-dn searcher_dn
Specifies the DN to use while searching for users and groups, for example:
uid=my_searcher,ou=users,dc=example,dc=com
--searcher-password searcher_password
Specifies the password for the searcher DN.
--ssl-method {starttls|ldaps}
Specifies the SSL method:
starttls
Specifies the StartTLS method. This is the default.
ldaps
Specifies the LDAP over SSL (LDAPS) method.
--client-store client_store
Specifies the path to a PKCS #12 file that contains the client certificate and private key. The file must be in the /mnt/clusterfs/scratch directory. If you specify a nickname with the -name parameter when creating the certificate, specify the same nickname as the value for the --host parameter of the configure_ldap command.
--client-store-password client_store_password
Specifies the password for the PKCS #12 file.
--ca-cert ca_certificate
Specifies the path to the certificate authority (CA) certificate of the PKCS #12 file. The CA certificate must be an X.509 certificate for either the LDAP server itself or the CA that signed the server's certificate.
--local
Specifies that Db2 Warehouse uses the self-contained LDAP server. By default, Db2 Warehouse uses this server.
-h|--help
Displays help for the command.
The following rules also apply:
  • The --host, --port, --group-base-dn, --user-base-dn, --searcher-dn, and --searcher-password parameters are mandatory if you do not specify the --local parameter.
  • If you specify the --local parameter, any other parameters that you specify are ignored.
  • You must specify either all of the --client-store, --client-store-password, and --ca-cert parameters or none of them. If you do not specify any of them, you must configure your LDAP server to accept TLS connections that do not send certificates. That is, you must set the olcTLSVerifyClient option to a value other than demand.
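The following shell function is an added example and is not part of the Db2 Warehouse documentation: it assembles the configure_ldap invocation from the parameters described above and checks the rules in this list before anything is executed. The host name ldap.example.com, the file names under /mnt/clusterfs/scratch and the passwords are constructed placeholders, and the function emits the docker form of the command; substitute podman if that is the runtime on the head node.

```shell
# Added example, not from the Db2 Warehouse documentation: assembles the
# configure_ldap invocation described above and enforces the rules the page
# states before anything runs. All sample DNs, host names and paths are constructed.
# Usage: build_configure_ldap --local
#        build_configure_ldap host port group_base_dn user_base_dn searcher_dn searcher_password [ssl_method [client_store client_store_password ca_cert]]
# Prints the command and returns 0 on success; prints a reason and returns 1 otherwise.
build_configure_ldap() {
  if [ "$1" = "--local" ]; then
    # With --local every other parameter is ignored, so emit only --local.
    printf '%s\n' "docker exec -it Db2wh configure_ldap --local"; return 0
  fi
  host=$1 port=$2 gbdn=$3 ubdn=$4 sdn=$5 spw=$6 ssl=${7:-starttls}
  cstore=$8 cspw=$9 cacert=${10}
  # Without --local, host, port, both base DNs, searcher DN and password are mandatory.
  for v in "$host" "$port" "$gbdn" "$ubdn" "$sdn" "$spw"; do
    if [ -z "$v" ]; then
      echo "error: --host, --port, --group-base-dn, --user-base-dn, --searcher-dn and --searcher-password are all required without --local" >&2
      return 1
    fi
  done
  # The page requires the LDAP host to be defined in /etc/hosts; warn but do not fail.
  grep -qs "$host" /etc/hosts || echo "warning: $host is not defined in /etc/hosts" >&2
  # --ssl-method accepts only starttls (the default) or ldaps.
  case $ssl in
    starttls|ldaps) ;;
    *) echo "error: --ssl-method must be starttls or ldaps" >&2; return 1 ;;
  esac
  n=0  # count the client-certificate parameters given; they are all-or-none
  for v in "$cstore" "$cspw" "$cacert"; do
    case $v in ?*) n=$((n + 1)) ;; esac
  done
  if [ "$n" -ne 0 ] && [ "$n" -ne 3 ]; then
    echo "error: give all of --client-store, --client-store-password and --ca-cert, or none" >&2
    return 1
  fi
  # The PKCS #12 client store must live in /mnt/clusterfs/scratch.
  if [ "$n" -eq 3 ]; then
    case $cstore in
      /mnt/clusterfs/scratch/*) ;;
      *) echo "error: --client-store must be a file under /mnt/clusterfs/scratch" >&2; return 1 ;;
    esac
  fi
  cmd="docker exec -it Db2wh configure_ldap --host $host --port $port"
  cmd="$cmd --group-base-dn $gbdn --user-base-dn $ubdn --searcher-dn $sdn"
  # The searcher password given on argv is visible in shell history and ps output.
  cmd="$cmd --searcher-password $spw --ssl-method $ssl"
  if [ "$n" -eq 3 ]; then cmd="$cmd --client-store $cstore --client-store-password $cspw --ca-cert $cacert"; fi
  printf '%s\n' "$cmd"
}
```

If you do not pass the three certificate parameters, remember that the LDAP server must then accept TLS connections without a client certificate, as the last rule above states.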