configure_user_management

This command configures products that use the Db2U engine to use an external LDAP server or Microsoft Active Directory server for user management (authentication and authorization). By default, Db2U uses a self-contained LDAP server for user management.

If you want to use an external LDAP server, an alternative to the configure_user_management command is the Settings > External LDAP option in the OpenShift® console.

Regardless of whether you use the configure_user_management command or the Settings > External LDAP option, you must do some extra setup. See either Setting up an OpenLDAP server or Setting up a Microsoft Active Directory server. As a user with host operating system root authority, issue the configure_user_management command on the head node:
oc exec -it $<db2u pod name> -- bash 
/db2u/src/lib/user_management/configure_user_management.py 
[-h] [--host HOST]
[--port PORT]
[--searcher-dn SEARCHER_DN]
[--searcher-password SEARCHER_PASSWORD]
[--type {ad-ldap}]
[--search-base-dn SEARCH_BASE_DN]
[--group-base-dn GROUP_BASE_DN]
[--group-member-attribute GROUP_MEMBER_ATTRIBUTE]
[--group-objectclass GROUP_OBJECTCLASS]
[--group-gid-attribute GROUP_GID_ATTRIBUTE]
[--user-membership-attribute USER_MEMBERSHIP_ATTRIBUTE]
[--user-base-dn USER_BASE_DN]
[--user-objectclass USER_OBJECTCLASS]
[--user-uid-attribute USER_UID_ATTRIBUTE]
[--user-gid-attribute USER_GID_ATTRIBUTE]
[--ssl-method {starttls,ldaps}]
[--admin-group-name ADMIN_GROUP_NAME]
[--user-group-name USER_GROUP_NAME]
[--admin-user-name ADMIN_USER_NAME]
[--local]
[--login-attribute LOGIN_ATTRIBUTE]
[--ldap-schema {rfc2307,rfc2307bis,AD}]

Command reference

-h|--help
Displays help for the command.
--host hostname
The fully qualified domain name (FQDN) of the LDAP or Active Directory domain controller. Ensure that you define this domain controller in the /etc/hosts file.
--port portnumber
The port number of the LDAP server or the LDAP port of the Active Directory server.
--searcher-dn searcher_dn
The distinguished name (DN) to be used during a search for users and groups. For example:
uid=my_searcher,ou=users,dc=example,dc=com
--searcher-password searcher_password
The password for the searcher DN.
--type {ldap|ad-ldap}
The type of server:
ldap
Specifies that an external LDAP server will be used. This is the default.
ad-ldap
A Microsoft Active Directory server will be used, but it will operate as an external LDAP server. The nodes are not joined to the Active Directory domain, and they act as LDAP clients.
--search-base-dn SEARCH_BASE_DN
The DN to be used as a base in discovering values for --group-base-dn and --user-base-dn.
--group-base-dn group_base_dn
The group base DN for the bluadmin and bluusers groups. For example:
ou=groups,dc=example,dc=com
If you do not specify this parameter, the command attempts to determine the group base DN, based on the location of the bluadmin group.
--group-member-attribute GROUP_MEMBER_ATTRIBUTE
The attribute that contains the user IDs or DNs of the members of the group. For LDAP, the default is memberUid.
--group-objectclass GROUP_OBJECTCLASS
The value of the objectClass attribute that denotes a group. The value is discovered based on the objectClass of the admin group with the following priority: posixGroup, group, groupOfNames.
--group-gid-attribute GROUP_GID_ATTRIBUTE
The attribute that contains the gid number for the group. For LDAP, the default is gidNumber.
--user-membership-attribute USER_MEMBERSHIP_ATTRIBUTE
The attribute that contains groups of which a user is a member. For LDAP, the default is none.
--user-base-dn user_base_dn
The DN that is to be used as a base in finding Db2 Warehouse users. For example:
ou=users,dc=example,dc=com
If you do not specify this parameter, the command attempts to determine the user base DN, based on the location of the bluadmin user, which might be too specific and might exclude some users.
--user-objectclass USER_OBJECTCLASS
The value of the objectClass that denotes a user. The value is discovered based on the objectClass of the admin user with the following priority: posixAccount, user, person, inetOrgPerson.
--user-uid-attribute USER_UID_ATTRIBUTE
The attribute that contains the uid number for the user. For LDAP, the default is uidNumber.
--user-gid-attribute USER_GID_ATTRIBUTE
The attribute that contains the primary gid number for the user. For LDAP, the default is gidNumber.
--ssl-method {starttls|ldaps}
The SSL method:
starttls
The StartTLS method. This is the default.
ldaps
The LDAP over SSL (LDAPS) method.
--admin-group-name {bluadmin|ag_name}
The name of the group of administrators that is to be used.
--user-group-name {bluusers|ug_name}
The name of the group of regular users that is to be used.
--admin-user-name {bluadmin|au_name}
The name of the administrator that is to be used.
--local
Specifies that Db2 Warehouse uses the self-contained LDAP server. By default, Db2 Warehouse uses this server.
--login-attribute LOGIN_ATTRIBUTE
The attribute that contains the user ID for the user. For LDAP, the default is uid.
--ldap-schema {rfc2307,rfc2307bis,AD}
LDAP schema in use on the server. For LDAP, the default is rfc2307.
The following rules also apply:
  • The --host, --port, --searcher-dn, and --searcher-password parameters are mandatory if you do not specify the --local parameter.
  • If you specify the --local parameter, any other parameters that you specify are ignored.
The following example shows the command syntax for running the configure_user_management command:
oc exec -it $<db2u pod name> -- bash
/db2u/src/lib/user_management/configure_user_management.py --host Ad.fyre.ibm.com --port 389 --searcher-dn cn=db2whsearcher,cn=users,dc=fyre,dc=ibm,dc=com --searcher-password 'searcherPassword' --type ad-ldap
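The following Python helper is an added example, not part of the Db2U product code. It encodes the rules stated above (--host, --port, --searcher-dn and --searcher-password are mandatory unless --local is given; with --local every other parameter is ignored) and the value choices from the usage text, builds a correctly shell-quoted command line, and produces a redacted copy suitable for change records so the searcher password is not written to logs. The `config` dictionary keys and the function names are this example's own convention; the option spellings and the script path are taken from the page.

```python
"""Build, validate and redact a configure_user_management.py invocation.

Added example (not Db2U code). The option names, choices and mandatory
rules come from the command reference on this page; the dict keys used
for `config` are this example's own convention.
"""
import shlex

SCRIPT = "/db2u/src/lib/user_management/configure_user_management.py"

# Allowed values, taken from the usage text on the page.
CHOICES = {
    "type": {"ldap", "ad-ldap"},
    "ssl-method": {"starttls", "ldaps"},
    "ldap-schema": {"rfc2307", "rfc2307bis", "AD"},
}

# Mandatory unless --local is specified.
MANDATORY_EXTERNAL = ("host", "port", "searcher-dn", "searcher-password")

REDACTED = "********"


def build_argv(config):
    """Return the argv list for the script, or raise ValueError if the
    configuration violates the documented rules."""
    if config.get("local"):
        # With --local every other parameter is ignored, so emit only
        # --local; recording ignored options would mislead a reviewer.
        return [SCRIPT, "--local"]

    missing = [k for k in MANDATORY_EXTERNAL if not config.get(k)]
    if missing:
        raise ValueError(
            "missing mandatory parameter(s): "
            + ", ".join("--" + m for m in missing)
        )

    port = int(config["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"--port out of range: {port}")

    for key, allowed in CHOICES.items():
        if key in config and config[key] not in allowed:
            raise ValueError(f"--{key} must be one of {sorted(allowed)}")

    argv = [SCRIPT]
    for key, value in config.items():
        if key == "local":
            continue
        argv += ["--" + key, str(value)]
    return argv


def shell_command(config):
    """Shell-quoted command string; quoting keeps passwords containing
    spaces or shell metacharacters intact."""
    return " ".join(shlex.quote(a) for a in build_argv(config))


def redacted_command(config):
    """Same command with the searcher password masked, for logs and
    change tickets."""
    argv = build_argv(config)
    for i, arg in enumerate(argv):
        if arg == "--searcher-password" and i + 1 < len(argv):
            argv[i + 1] = REDACTED
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample configuration (placeholder host and DN).
    sample = {
        "host": "ad.example.com",
        "port": 389,
        "searcher-dn": "cn=db2whsearcher,cn=users,dc=example,dc=com",
        "searcher-password": "s3cret pw",
        "type": "ad-ldap",
        "ssl-method": "starttls",
    }
    print(redacted_command(sample))
```

Run the full command string inside the Db2U pod; keep only the redacted form in your records, since the password otherwise appears in shell history and process listings.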