Connecting with an LDAP user ID
After the LDAP security plug-ins have been configured in a Db2® instance, a user can connect to the databases using a variety of different user strings.
A user's distinguished name (DN) uniquely identifies that user in the LDAP directory. For example:
cn=John Smith, ou=Sales, o=WidgetCorp
A user's user ID is defined by an attribute associated with the user object (typically the uid attribute). It may be a simple string (such as jsmith), or it may look like an email address that reflects part of the organizational hierarchy (such as jsmith@sales.widgetcorp.com).
A user's Db2 authorization ID is the name associated with that user within the Db2 database.
In the past, users were typically defined in the server's host operating system, and the user ID and authorization ID were the same (though the authorization ID is usually in uppercase). The Db2 LDAP plug-in modules give you the ability to associate different attributes of the LDAP user object with the user ID and the authorization ID. In most cases, the user ID and authorization ID can be the same string, and you can use the same attribute name for both the USERID_ATTRIBUTE and the AUTHID_ATTRIBUTE. However, if in your environment the user ID attribute typically contains extra information that you do not want to carry over to the authorization ID, you can configure a different AUTHID_ATTRIBUTE in the plug-in initialization file. The value of the AUTHID_ATTRIBUTE attribute is retrieved from the server and used as the internal Db2 representation of the user.
For example, if your user IDs look like email addresses (such as jsmith@sales.widgetcorp.com) but you want only the part to the left of the @ sign (jsmith) to be used as the authorization ID, you need to:
- Associate a new attribute containing the shorter name with all user objects on your LDAP server
- Configure the AUTHID_ATTRIBUTE with the name of this new attribute
You can then connect to the database using:
db2 connect to MYDB user 'jsmith@sales.widgetcorp.com' using 'pswd'
But internally, the Db2 database manager refers to the user by the short name retrieved through the AUTHID_ATTRIBUTE (jsmith in this case).
The user ID can be given in one of three forms when connecting:
- A full DN. For example:
connect to MYDB user 'cn=John Smith, ou=Sales, o=WidgetCorp'
- A partial DN, provided that a search of the LDAP directory using the partial DN and the appropriate search base DN (if defined) results in exactly one match. For example:
connect to MYDB user 'cn=John Smith'
connect to MYDB user uid=jsmith
- A simple string (containing no equals signs). The string is qualified with the USERID_ATTRIBUTE and treated as a partial DN. For example:
connect to MYDB user jsmith
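The following Python is an added illustration, not IBM's code or the plug-in's actual implementation. It models the three forms of user string listed above, and the AUTHID_ATTRIBUTE mapping from the earlier email-address example, against a constructed in-memory directory. Only the setting names USERID_ATTRIBUTE and AUTHID_ATTRIBUTE come from the page; the directory contents, the custom shortname attribute and the USER_BASEDN setting name are assumptions. A second John Smith is included on purpose so that the partial DN cn=John Smith, which is a valid example in the text, no longer yields exactly one match and is rejected instead of being silently resolved to whichever entry the directory returns first.

```python
"""Added model (not Db2's own code) of how a connect-time user string is
resolved to a directory entry and then to a Db2 authorization ID."""

# Constructed in-memory stand-in for the LDAP directory: DN -> attributes.
# A second "John Smith" is included deliberately so that the partial DN
# 'cn=John Smith' no longer yields exactly one match.
DIRECTORY = {
    "cn=John Smith,ou=Sales,o=WidgetCorp": {
        "cn": "John Smith",
        "uid": "jsmith",
        "mail": "jsmith@sales.widgetcorp.com",
        "shortname": "jsmith",
    },
    "cn=John Smith,ou=Support,o=WidgetCorp": {
        "cn": "John Smith",
        "uid": "jsmith2",
        "mail": "jsmith2@support.widgetcorp.com",
        "shortname": "jsmith2",
    },
    "cn=Ann Lee,ou=Sales,o=WidgetCorp": {
        "cn": "Ann Lee",
        "uid": "alee",
        "mail": "alee@sales.widgetcorp.com",
        "shortname": "alee",
    },
}

# Plug-in settings. USERID_ATTRIBUTE and AUTHID_ATTRIBUTE are the keys named
# on the page; "shortname" is an assumed custom attribute holding the part of
# the email address before the @ sign; USER_BASEDN is an assumed setting name
# for the search base DN.
CONFIG = {
    "USERID_ATTRIBUTE": "mail",
    "AUTHID_ATTRIBUTE": "shortname",
    "USER_BASEDN": "o=WidgetCorp",
}


class UserResolutionError(LookupError):
    """No match, or more than one match, for the supplied user string."""


def parse_rdns(dn_text):
    """Split 'cn=John Smith, ou=Sales' into [('cn', 'John Smith'), ('ou', 'Sales')]."""
    rdns = []
    for part in dn_text.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn_text):
    """Canonical lowercase form (no spaces around commas) used only for comparison."""
    return ",".join(f"{attr}={value}" for attr, value in parse_rdns(dn_text)).lower()


def search(partial_dn, base_dn):
    """Return the DNs under base_dn whose attributes match every RDN of partial_dn.

    Attribute values are compared case-insensitively, as most LDAP matching
    rules for naming attributes do.
    """
    wanted = parse_rdns(partial_dn)
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not normalize_dn(dn).endswith(base):
            continue
        if all(attrs.get(attr, "").lower() == value.lower() for attr, value in wanted):
            hits.append(dn)
    return hits


def resolve_user(user_string, config=CONFIG):
    """Map a connect-time user string to (entry DN, Db2 authorization ID).

    Three forms are accepted, mirroring the page:
      1. a full DN naming an existing entry;
      2. a partial DN, which must match exactly one entry under USER_BASEDN;
      3. a simple string (no '='), qualified as USERID_ATTRIBUTE=<string> and
         then handled like a partial DN.
    """
    text = user_string.strip()
    if "=" not in text:
        text = f"{config['USERID_ATTRIBUTE']}={text}"

    wanted = normalize_dn(text)
    full = [dn for dn in DIRECTORY if normalize_dn(dn) == wanted]
    if full:
        dn = full[0]
    else:
        hits = search(text, config["USER_BASEDN"])
        if len(hits) != 1:
            raise UserResolutionError(
                f"{user_string!r} matched {len(hits)} entries; exactly one is required")
        dn = hits[0]

    # The authorization ID comes from AUTHID_ATTRIBUTE, not from the string
    # the user typed; Db2 normally holds it in uppercase.
    return dn, DIRECTORY[dn][config["AUTHID_ATTRIBUTE"]].upper()


if __name__ == "__main__":
    for user in ("cn=John Smith, ou=Sales, o=WidgetCorp",
                 "uid=jsmith",
                 "jsmith@sales.widgetcorp.com",
                 "cn=John Smith"):
        try:
            print(f"{user!r:45} -> {resolve_user(user)}")
        except UserResolutionError as err:
            print(f"{user!r:45} -> rejected: {err}")
```

Running the script shows the first three strings resolving to the same entry and the same authorization ID JSMITH, while the partial DN cn=John Smith is rejected because it matches two entries. The property worth checking in any real deployment is the same one: a search that returns zero or several entries must fail the connection rather than pick one.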
The LDAP plug-ins are enabled by updating the database manager configuration, for example:
update dbm cfg using CLNT_PW_PLUGIN IBMLDAPauthclient
update dbm cfg using GROUP_PLUGIN IBMLDAPgroups
You must also update the LDAP plug-in configuration file, IBMLDAPSecurity.ini.