LDAP-based authentication and group lookup support
The Db2® database manager and Db2 Connect support LDAP-based authentication and group lookup functionality through the use of LDAP security plug-in modules and also through transparent LDAP.
Another option for implementing LDAP-based authentication is through the use of LDAP security plug-ins. LDAP security plug-in modules allow the Db2 database manager to authenticate users defined in an LDAP directory, removing the requirement that users and groups be defined to the operating system at the same version levels that the Db2 product supports.
The LDAP security plug-ins support any RFC 2307-compliant LDAP server.
Db2 security plug-in modules are available for server-side authentication, client-side authentication and group lookup, described later. Depending on your specific environment, you may need to use one, two or all three types of plug-in.
- Decide if you need server, client, or group plug-in modules, or a combination of these modules.
- Configure the plug-in modules by setting values in the IBM® LDAP security plug-in configuration file (default name is IBMLDAPSecurity.ini). You will need to consult with your LDAP administrator to determine appropriate values.
- Enable the plug-in modules.
- Test connecting with various LDAP User IDs.
Server authentication plug-in
The server authentication plug-in module performs server validation of user IDs and passwords supplied by clients on CONNECT and ATTACH statements. It also provides a way to map LDAP user IDs to Db2 authorization IDs, if required. The server plug-in module is generally required if you want users to authenticate to the Db2 database manager using their LDAP user ID and password.
Client authentication plug-in
The client authentication plug-in module is used where user ID and password validation occurs on the client system; that is, where the Db2 server is configured with SRVCON_AUTH or AUTHENTICATION settings of CLIENT. The client validates any user IDs and passwords supplied on CONNECT or ATTACH statements, and sends the user ID to the Db2 server. Note that CLIENT authentication is difficult to secure, and not generally recommended.
The client authentication plug-in module may also be required if the local operating system user IDs on the database server are different from the Db2 authorization IDs associated with those users. You can use the client-side plug-in to map local operating system user IDs to Db2 authorization IDs before performing authorization checks for local commands on the database server, such as for:
Group lookup plug-in
- All users and groups are defined in the LDAP server
- Any users defined locally on the database server are also defined with the same user ID on the LDAP server (including the instance owner and the fenced user)
- Password validation occurs on the Db2 server (that is, an AUTHENTICATION or SRVCON_AUTH value of SERVER or SERVER_ENCRYPT is set in the server DBM config file).
It is possible to use only the LDAP group lookup plug-in module in combination with some other form of authentication plug-in (such as Kerberos). In this case, the LDAP group lookup plug-in module will be provided the Db2 authorization IDs associated with a user. The plug-in module searches the LDAP directory for a user with a matching AUTHID_ATTRIBUTE, then retrieves the groups associated with that user object.
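The lookup sequence just described (find the user entry whose AUTHID_ATTRIBUTE matches the authorization ID, then collect that user's groups) as an added offline example; this is illustration code, not the IBM plug-in. The directory contents, the attribute names and the two method names (USER_ATTRIBUTE and GROUP_SEARCH) are constructed assumptions, and the search filter is escaped so that the authorization ID cannot rewrite it.

```python
"""Constructed group lookup over an RFC 2307-style directory: locate the user
by AUTHID_ATTRIBUTE, then gather its groups by one of two methods."""
from typing import Dict, List, Optional

# Constructed directory: posixAccount users and posixGroup groups (assumed data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=db2inst1,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["db2inst1"],
        "memberOf": ["cn=db2iadm1,ou=groups,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"]},
    "cn=db2iadm1,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["db2iadm1"],
        "memberUid": ["db2inst1"]},
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["analysts"],
        "memberUid": ["alice", "DB2INST1"]},
}

def escape_filter(value: str) -> str:
    """RFC 4515 escaping: an authorization ID must not be able to alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def user_filter(authid: str, authid_attribute: str = "uid") -> str:
    """The search filter a plug-in would send to the server, e.g. (uid=alice)."""
    return f"({authid_attribute}={escape_filter(authid)})"

def find_user_dn(authid: str, authid_attribute: str = "uid") -> Optional[str]:
    """Offline stand-in for that search; uid compares case-insensitively in LDAP."""
    for dn, attrs in DIRECTORY.items():
        if any(v.lower() == authid.lower() for v in attrs.get(authid_attribute, [])):
            return dn
    return None

def lookup_groups(authid: str, method: str = "GROUP_SEARCH") -> List[str]:
    """USER_ATTRIBUTE reads memberOf on the user entry; GROUP_SEARCH scans groups."""
    dn = find_user_dn(authid)
    if dn is None:
        return []                      # unknown user: no groups, not an error
    user = DIRECTORY[dn]
    if method == "USER_ATTRIBUTE":
        return sorted(DIRECTORY[g]["cn"][0] for g in user.get("memberOf", []))
    uid = user["uid"][0].lower()
    return sorted(attrs["cn"][0] for attrs in DIRECTORY.values()
                  if "posixGroup" in attrs["objectClass"]
                  and uid in (m.lower() for m in attrs.get("memberUid", [])))

if __name__ == "__main__":
    print(user_filter("ali*ce"), lookup_groups("db2inst1"))
```

Note that GROUP_SEARCH finds the memberUid entry written as DB2INST1 because both sides are lowercased, matching LDAP's case-insensitive uid handling.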