configure_user_management

As a user with host operating system root authority, issue the configure_user_management Docker or Podman command on the head node:

docker exec -it Db2wh configure_user_management 
[-h] [--host HOST]
[--port PORT]
[--searcher-dn SEARCHER_DN]
[--searcher-password SEARCHER_PASSWORD]
[--type {ldap,ad,ad-ldap}]
[--search-base-dn SEARCH_BASE_DN]
[--group-base-dn GROUP_BASE_DN]
[--group-member-attribute GROUP_MEMBER_ATTRIBUTE]
[--group-objectclass GROUP_OBJECTCLASS]
[--group-gid-attribute GROUP_GID_ATTRIBUTE]
[--user-membership-attribute USER_MEMBERSHIP_ATTRIBUTE]
[--user-base-dn USER_BASE_DN]
[--user-objectclass USER_OBJECTCLASS]
[--user-uid-attribute USER_UID_ATTRIBUTE]
[--user-gid-attribute USER_GID_ATTRIBUTE]
[--ssl-method {starttls,ldaps}]
[--client-store CLIENT_STORE]
[--client-store-password CLIENT_STORE_PASSWORD]
[--ca-cert CA_CERT]
[--realm-user REALM_USER]
[--realm-user-password REALM_USER_PASSWORD]
[--admin-group-name ADMIN_GROUP_NAME]
[--user-group-name USER_GROUP_NAME]
[--admin-user-name ADMIN_USER_NAME]
[--local]
[--login-attribute LOGIN_ATTRIBUTE]
[--ldap-schema {rfc2307,rfc2307bis,AD}]

podman exec -it Db2wh configure_user_management 
[-h] [--host HOST]
[--port PORT]
[--searcher-dn SEARCHER_DN]
[--searcher-password SEARCHER_PASSWORD]
[--type {ldap,ad,ad-ldap}]
[--search-base-dn SEARCH_BASE_DN]
[--group-base-dn GROUP_BASE_DN]
[--group-member-attribute GROUP_MEMBER_ATTRIBUTE]
[--group-objectclass GROUP_OBJECTCLASS]
[--group-gid-attribute GROUP_GID_ATTRIBUTE]
[--user-membership-attribute USER_MEMBERSHIP_ATTRIBUTE]
[--user-base-dn USER_BASE_DN]
[--user-objectclass USER_OBJECTCLASS]
[--user-uid-attribute USER_UID_ATTRIBUTE]
[--user-gid-attribute USER_GID_ATTRIBUTE]
[--ssl-method {starttls,ldaps}]
[--client-store CLIENT_STORE]
[--client-store-password CLIENT_STORE_PASSWORD]
[--ca-cert CA_CERT]
[--realm-user REALM_USER]
[--realm-user-password REALM_USER_PASSWORD]
[--admin-group-name ADMIN_GROUP_NAME]
[--user-group-name USER_GROUP_NAME]
[--admin-user-name ADMIN_USER_NAME]
[--local]
[--login-attribute LOGIN_ATTRIBUTE]
[--ldap-schema {rfc2307,rfc2307bis,AD}]

-h|--help

Displays help for the command.

--host hostname

The fully qualified domain name (FQDN) of the LDAP or Active Directory domain controller. Ensure that you define this domain controller in the /etc/hosts file.

--port portnumber

The port number of the LDAP server or the LDAP port of the Active Directory server.

--searcher-dn searcher_dn

The distinguished name (DN) to be used during a search for users and groups. For example:

uid=my_searcher,ou=users,dc=example,dc=com

--searcher-password searcher_password

The password for the searcher DN.

--type {ldap|ad|ad-ldap}

The type of server:

ldap

That an external LDAP server will be used. This is the default.

ad

A Microsoft Active Directory server will be used. Each node joins the Active Directory domain.

ad-ldap

A Microsoft Active Directory server will be used, but it will operate as an external LDAP server. The nodes are not joined to the Active Directory domain, and they act as LDAP clients.

--search-base-dn SEARCH_BASE_DN

The DN to be used as a base in discovering values for --group- base-dn and --user-base-dn

--group-base-dn group_base_dn

The group base DN for the bluadmin and bluusers groups. For example:

ou=groups,dc=example,dc=com

If you do not specify this parameter, the command attempts to determine the group base DN, based on the location of the bluadmin group.

--group-member-attribute GROUP_MEMBER_ATTRIBUTE

The attribute that contains the user IDs or DNs of the members of the group. For LDAP, the default is memberUid. For AD, the default is member.

--group-objectclass GROUP_OBJECTCLASS

The value of the objectClass attribute that denotes a group. The value is discovered based on the objectClass of the admin group with the following priority: posixGroup, group, groupOfNames.

--group-gid-attribute GROUP_GID_ATTRIBUTE

The attribute that contains the gid number for the group. For LDAP, the default is gidNumber. For AD, the default is N/A.

--user-membership-attribute USER_MEMBERSHIP_ATTRIBUTE

The attribute that contains groups of which a user is a member. For LDAP, the default is none. For AD, the default is memberOf.

--user-base-dn user_base_dn

The DN that is to be used as a base in finding Db2 Warehouse users. For example:

ou=users,dc=example,dc=com

If you do not specify this parameter, the command attempts to determine the user base DN, based on the location of the bluadmin user which might be too specific and might exclude some users.

--user-objectclass USER_OBJECTCLASS

The value of the objectClass that denotes a user. The value is discovered based on the objectClass of the admin user with the following priority: posixAccount, user, person, inetOrgPerson.

--user-uid-attribute USER_UID_ATTRIBUTE

The attribute that contains the uid number for the user. For LDAP, the default is uidNumber. For AD, the default is N/A.

--user-gid-attribute USER_GID_ATTRIBUTE

The attribute that contains the primary gid number for the user. For LDAP, the default is gidNumber. For AD, the default is N/A.

--ssl-method {starttls|ldaps}

The SSL method:

starttls

The StartTLS method. This is the default.

ldaps

The LDAP over SSL (LDAPS) method.

--client-store client_store

The path to a PKCS #12 file that contains the client certificate and private key. The file must be in the /mnt/clusterfs/scratch directory. If you specify a nickname with the -name parameter when you create the certificate, specify the same nickname as the value for the --host parameter of the configure_user_management command. The --client-store client_store parameter does not apply if the value of the --type parameter is ad.

--client-store-password client_store_password

The password for the PKCS #12 file. The --client-store-password client_store_password parameter does not apply if the value of the --type parameter is ad.

--ca-cert ca_certificate

The path to the certificate authority (CA) certificate of the PKCS #12 file. The CA certificate must be an X.509 certificate for either the LDAP server itself or the CA that signed the server's certificate. The --ca-cert ca_certificate parameter does not apply if the value of the --type parameter is ad.

--realm-user user

The realm user. The default is Administrator.

--realm-user-password password

The password for the realm user. This parameter is required if the value of the --type parameter is ad.

--admin-group-name {bluadmin|ag_name}

The name of the group of administrators that is to be used.

--user-group-name {bluusers|ug_name}

The name of the group of regular users that is to be used.

--admin-user-name {bluadmin|au_name}

The name of the administrator that is to be used.

--local

Specifies that Db2 Warehouse uses the self-contained LDAP server. By default, Db2 Warehouse uses this server.

--login-attribute LOGIN_ATTRIBUTE

The attribute that contains the user ID for the user. For LDAP, the default is uid. For AD, the default is sAMAccountName.

--ldap-schema {rfc2307,rfc2307bis,AD}

LDAP schema in use on the server. For LDAP, the default is rfc2307. For AD, the default is AD.

The following rules also apply:

• The --host, --port, --searcher-dn, and --searcher-password parameters are mandatory if you do not specify the --local parameter.
• If you specify the --local parameter, any other parameters that you specify are ignored.
• You must specify either all of the --client-store, --client-store-password, and --ca-cert parameters or none of them. If you do not specify any of them, you must configure your LDAP server to accept TLS connections that do not send certificates. That is, you must set the olcTLSVerifyClient option to a value other than demand.

For example:

configure_user_management --type ad --host AdServer.fyre.ibm.com --port 389 
–-realm-user-password 'AdminPassword123!@#' --searcher-base-dn CN=db2whsearcher,CN=Users,DC=fyre,DC=ibm,DC=com 
--searcher-password 'searcherPassword123!@#'