Connecting with an LDAP user ID

After the LDAP security plug-ins have been configured in a Db2® instance, a user can connect to the databases using a variety of different user strings.

The location of an object within an LDAP directory is defined by its distinguished name (DN). A DN is typically a multi-part name that reflects some sort of hierarchy, for example:
cn=John Smith, ou=Sales, o=WidgetCorp

A user's user ID is defined by an attribute associated with the user object (typically the uid attribute). It may be a simple string (such as jsmith), or look like an email address (such as, that reflects part of the organizational hierarchy.

A user's Db2 authorization ID is the name associated with that user within the Db2 database.

In the past, users were typically defined in the server's host operating system, and the user ID and authorization ID were the same (though the authorization ID is usually in uppercase). The Db2 LDAP plug-in modules give you the ability to associate different attributes of the LDAP user object with the user ID and the authorization ID. In most cases, the user ID and authorization ID can be the same string, and you can use the same attribute name for both the USERID_ATTRIBUTE and the AUTHID_ATTRIBUTE. However, if in your environment the user ID attribute typically contains extra information that you do not want to carry over to the authorization ID, you can configure a different AUTHID_ATTRIBUTE in the plug-in initialization file. The value of the AUTHID_ATTRIBUTE attribute is retrieved from the server and used as the internal Db2 representation of the user.

For example, if your LDAP user IDs look like email addresses (such as, but you would rather use just the user portion (jsmith) as the Db2 authorization ID, then you can:
  1. Associate a new attribute containing the shorter name with all user objects on your LDAP server
  2. Configure the AUTHID_ATTRIBUTE with the name of this new attribute
Users are then able to connect to a Db2 database by specifying their full LDAP user ID and password, for example:
db2 connect to MYDB user '' using 'pswd'
But internally, the Db2 database manager refers to the user using the short name retrieved using the AUTHID_ATTRIBUTE (jsmith in this case).
After an LDAP plug-in module has been enabled and configured, a user can connect to a Db2 database using a variety of different strings:
  • A full DN. For example:
    connect to MYDB user 'cn=John Smith, ou=Sales, o=WidgetCorp'
  • A partial DN, provided that a search of the LDAP directory using the partial DN and the appropriate search base DN (if defined) results in exactly one match. For example:
    connect to MYDB user 'cn=John Smith' connect to MYDB user uid=jsmith
  • A simple string (containing no equals signs). The string is qualified with the USERID_ATTRIBUTE and treated as a partial DN. For example:
    connect to MYDB user jsmith 
Note: Any string supplied on a CONNECT statement or ATTACH command must be delimited with single quotation marks if it contains spaces or special characters.
You must configure the CLNT_PW_PLUGIN and GROUP_PLUGIN parameters on the Db2 client if you want to use full or partial DNs:
update dbm cfg using CLNT_PW_PLUGIN IBMLDAPauthclient
update dbm cfg using GROUP_PLUGIN IBMLDAPgroups
You must also update the LDAP plug-in configuration file, IBMLDAPSecurityt.ini.