Using the GSS plug-in for LDAP authentication
You can use the GSS plug-in for authentication in your Db2uInstance custom resource starting in version 12.1.2.0.
By default, when LDAP is enabled, communication with the LDAP server is done through the System Security Services Daemon (SSSD). To use the GSS plug-in instead of SSSD, you must enable the GSS plug-in.
Note: The GSS plug-in is only supported for the Db2uInstance custom resource and is not supported for Db2uCluster.
Enabling the GSS plug-in on a new deployment
To enable the GSS plug-in on a new deployment, complete the following steps:
Note: LDAP cannot be disabled when enabling the GSS plug-in.
- Add the following to the Db2uInstance yaml file:
  spec:
    advOpts:
      db2SecurityPlugin: cloud_gss_plugin
Enabling the GSS plug-in on an existing deployment
To enable the GSS plug-in on an existing deployment, complete the following steps:
- Run the following command to return your Db2uInstance name:
  oc get db2uinstance
- Open your Db2uInstance for editing:
  oc edit db2uinstance <db2u-name>
- Edit the Db2uInstance CR to enable the GSS plug-in:
  spec:
    advOpts:
      db2SecurityPlugin: cloud_gss_plugin
- Wait for the Db2uInstance to reach the Ready state:
  oc get db2uinstance <db2u-name> --watch
- Restart the db2u-0 pod so that the plug-in change takes effect:
  oc delete pod c-<db2u-name>-db2u-0
Disabling the GSS plug-in
To disable the GSS plug-in, complete the following steps:
- Run the following command to return your Db2uInstance name:
  oc get db2uinstance
- Open your Db2uInstance for editing:
  oc edit db2uinstance <db2u-name>
- Edit the Db2uInstance CR to disable the GSS plug-in. Note that the value is the quoted string "NULL", not a YAML null:
  spec:
    advOpts:
      db2SecurityPlugin: "NULL"
- Wait for the Db2uInstance to reach the Ready state:
  oc get db2uinstance <db2u-name> --watch
- Restart the db2u-0 pod so that the plug-in change takes effect:
  oc delete pod c-<db2u-name>-db2u-0
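The enable and disable procedures above differ only in the value written to spec.advOpts.db2SecurityPlugin, so they can be driven by one script that patches the CR non-interactively, waits for Ready, and restarts db2u-0. The script below is an added example written for this page; it is not IBM's tooling. It assumes that oc is on the PATH with the current project set to the one containing the Db2uInstance, and that the deployment state the page tells you to watch for is exposed as .status.state on the CR (the STATE column of oc get db2uinstance); that field name is an assumption, not taken from the page.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: toggle the GSS plug-in on a
# Db2uInstance from the command line instead of through `oc edit`.
# Assumptions (not from the page): .status.state carries the Ready state,
# and `oc` is logged in to the project that holds the Db2uInstance.
set -eu

# JSON merge patch for "enable" or "disable". The quoted string "NULL" is
# the value the page uses to clear the plug-in; it is a literal string,
# not JSON null, so the patch must not send null here.
gss_patch_json() {
    case "$1" in
        enable)  printf '{"spec":{"advOpts":{"db2SecurityPlugin":"cloud_gss_plugin"}}}' ;;
        disable) printf '{"spec":{"advOpts":{"db2SecurityPlugin":"NULL"}}}' ;;
        *) echo "usage: gss_patch_json enable|disable" >&2; return 2 ;;
    esac
}

# Pod that must be restarted after the CR is Ready again: c-<name>-db2u-0.
db2u_pod_name() {
    printf 'c-%s-db2u-0' "$1"
}

# The plug-in is only supported on Db2uInstance, not Db2uCluster; refuse
# anything else. $1 is the kind string as reported by `oc get`.
check_kind() {
    [ "$1" = "Db2uInstance" ]
}

# Poll the CR until it reports Ready, with a timeout in seconds (assumes
# .status.state; adjust if your operator version reports it elsewhere).
wait_for_ready() {
    name=$1; timeout=${2:-600}; waited=0; state=""
    while [ "$waited" -lt "$timeout" ]; do
        state=$(oc get db2uinstance "$name" -o jsonpath='{.status.state}' 2>/dev/null || true)
        [ "$state" = "Ready" ] && return 0
        sleep 10; waited=$((waited + 10))
    done
    echo "timed out waiting for $name to become Ready (last state: '$state')" >&2
    return 1
}

# Full procedure from the page: patch the CR, wait for Ready, then restart
# db2u-0 so the new security plug-in setting is picked up.
set_gss_plugin() {
    mode=$1; name=$2
    kind=$(oc get db2uinstance "$name" -o jsonpath='{.kind}')
    check_kind "$kind" || { echo "$name is $kind, not Db2uInstance" >&2; return 1; }
    oc patch db2uinstance "$name" --type merge -p "$(gss_patch_json "$mode")"
    wait_for_ready "$name"
    oc delete pod "$(db2u_pod_name "$name")"
}

# Run only when invoked with arguments, for example:
#   sh gss_plugin.sh enable db2u-demo
#   sh gss_plugin.sh disable db2u-demo
if [ "$#" -eq 2 ]; then
    set_gss_plugin "$1" "$2"
fi
```

Because the patch is a JSON merge patch, it touches only spec.advOpts.db2SecurityPlugin and leaves the rest of the CR, including the LDAP settings that must stay enabled, as they were. The restart of db2u-0 is deliberate: the CR reaching Ready after the patch does not by itself switch the running engine from SSSD to the GSS plug-in.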