CATALOG LDAP DATABASE command
The CATALOG LDAP DATABASE command registers the database in Lightweight Directory Access Protocol (LDAP).
Important: The SERVER_ENCRYPT and SERVER_ENCRYPT_AES authentication types are deprecated and disabled in strict FIPS mode. For more information on the deprecation, see Authentication methods for your server.
Authorization
None
Required connection
None
Command syntax
Command parameters
- DATABASE database-name
- Specifies the name of the database to catalog.
- AS alias
- Specifies an alias as an alternate name for the database being cataloged. If an alias is not specified, the database name is used as the alias.
- AT NODE nodename
- Specifies the LDAP node name for the database server on which the database resides. This parameter must be specified when registering a database on a remote server.
- GWNODE gateway-node
- Specifies the LDAP node name for the gateway server.
- PARMS "parameter-string"
- Specifies a parameter string that is passed to the Application Requester (AR) when accessing DCS databases. The change password sym_dest_name should not be specified in the parameter string. Use the keyword CHGPWDLU to specify the change password LU name when registering the Db2 server in LDAP.
- AR library-name
- Specifies the name of the Application Requester library that is loaded and used to access a remote database listed in the DCS directory.
If using the Db2 Connect AR, do not specify a library name. The default value will cause Db2 Connect to be invoked.
If not using Db2 Connect, specify the library name of the AR, and place that library on the same path as the database manager libraries. On Windows operating systems, the path is drive:\sqllib\dll. On UNIX operating systems, the path is $HOME/sqllib/lib of the instance owner.
- AUTHENTICATION
- Specifies the authentication level. Valid values are:
- SERVER
- Specifies that authentication takes place on the node containing the target database.
- CLIENT
- Specifies that authentication takes place on the node from which the application is invoked.
- SERVER_ENCRYPT
- Specifies that authentication takes place on the database partition server containing the target database, and that user IDs and passwords are encrypted at the source. User IDs and passwords are decrypted at the target, as specified by the authentication type cataloged at the source.
- SERVER_ENCRYPT_AES
- Specifies that authentication takes place on the database partition server containing the target database, and that user IDs and passwords are encrypted with an Advanced Encryption Standard (AES) encryption algorithm at the source and decrypted at the target.
- KERBEROS
- Specifies that authentication takes place using the Kerberos security mechanism.
- TARGET PRINCIPAL principalname
- Fully qualified Kerberos principal name for the target server; that is, the logon account of the Db2 server service in the form of userid@xxx.xxx.xxx.com or domain\userid.
- TOKEN
- Note: This option is available starting from Db2 version 11.5.4. Specifies that authentication takes place on the database partition server containing the target database using a token. The type of token is specified as part of the CONNECT statement.
- DATA_ENCRYPT
- Specifies that authentication takes place on the node containing the target database, and that connections must use data encryption.
- GSSPLUGIN
- Specifies that authentication takes place using an external GSS API-based plug-in security mechanism.
- WITH "comments"
- Describes the Db2 server. Any comment that helps to describe the server registered in the network directory can be entered. Maximum length is 30 characters. A carriage return or a line feed character is not permitted. The comment text must be enclosed by double quotation marks.
- USER username
- Specifies the user's LDAP distinguished name (DN). The LDAP user DN must have sufficient authority to create the object in the LDAP directory. If the user's LDAP DN is not specified, the credentials of the current logon user will be used. If the user's LDAP DN and password have been specified using db2ldcfg, the user name and password do not have to be specified here.
- PASSWORD password
- Account password. If the user's LDAP DN and password have been specified using db2ldcfg, the user name and password do not have to be specified here.
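The following POSIX shell script is an added example and is not part of the Db2 documentation or the db2 CLP. It assembles a CATALOG LDAP DATABASE command string from its parameters and applies the constraints stated above before the string is handed to db2: the AUTHENTICATION value must be one of the listed types, the two deprecated types are refused outright (they are disabled in strict FIPS mode anyway), the WITH comment must be at most 30 characters with no carriage return or line feed, and TARGET PRINCIPAL is accepted only together with KERBEROS. The database, alias, node and principal names (SALES, SALESLDAP, NODE_A, db2inst1@EXAMPLE.COM) are constructed placeholders; nothing in the script contacts LDAP or Db2.

```shell
#!/bin/sh
# Added example; not from the Db2 documentation. Builds a CATALOG LDAP DATABASE
# command string and checks the reference page's parameter constraints before
# the command is given to the db2 CLP. SALES, SALESLDAP and NODE_A are
# constructed placeholders; nothing here contacts LDAP or Db2.

# Authentication types the command accepts, as listed on the reference page.
VALID_AUTH="SERVER CLIENT SERVER_ENCRYPT SERVER_ENCRYPT_AES KERBEROS TOKEN DATA_ENCRYPT GSSPLUGIN"
# Deprecated, and disabled outright in strict FIPS mode.
DEPRECATED_AUTH="SERVER_ENCRYPT SERVER_ENCRYPT_AES"

# classify_auth TYPE -> prints "ok", "deprecated" or "unknown" (case-insensitive)
classify_auth() {
    _t=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    for _d in $DEPRECATED_AUTH; do
        if [ "$_t" = "$_d" ]; then echo deprecated; return 0; fi
    done
    for _v in $VALID_AUTH; do
        if [ "$_t" = "$_v" ]; then echo ok; return 0; fi
    done
    echo unknown
}

# check_comment TEXT -> 0 if at most 30 characters with no CR or LF, else 1
check_comment() {
    _c=$1
    [ "${#_c}" -le 30 ] || return 1
    _flat=$(printf '%s' "$_c" | tr -d '\r\n')
    [ "$_flat" = "$_c" ] || return 1
    return 0
}

# build_catalog_ldap_cmd DB ALIAS NODE AUTH COMMENT [PRINCIPAL]
# Prints the db2 command on stdout; on a constraint violation prints a reason
# on stderr and returns 1. The LDAP bind credentials are deliberately not put
# on the command line: store them once with db2ldcfg, after which USER and
# PASSWORD need not be given to this command at all.
build_catalog_ldap_cmd() {
    _db=$1; _alias=$2; _node=$3; _auth=$4; _comment=$5; _principal=$6
    case $(classify_auth "$_auth") in
        unknown)
            echo "unknown authentication type: $_auth" >&2; return 1 ;;
        deprecated)
            echo "refusing $_auth: deprecated and disabled in strict FIPS mode" >&2; return 1 ;;
    esac
    check_comment "$_comment" || {
        echo "WITH comment must be at most 30 characters and contain no CR/LF" >&2; return 1; }
    _cmd="db2 catalog ldap database $_db as $_alias at node $_node authentication $_auth"
    if [ -n "$_principal" ]; then
        # TARGET PRINCIPAL is a sub-parameter of KERBEROS only.
        [ "$(printf '%s' "$_auth" | tr 'a-z' 'A-Z')" = "KERBEROS" ] || {
            echo "TARGET PRINCIPAL applies only with KERBEROS authentication" >&2; return 1; }
        _cmd="$_cmd target principal $_principal"
    fi
    printf '%s with "%s"\n' "$_cmd" "$_comment"
}

# Stand-alone run with constructed values.
build_catalog_ldap_cmd SALES SALESLDAP NODE_A SERVER "Sales DB on node A"
```

The script only prints the command; pipe it into `sh` (or paste it into the CLP) once you are satisfied with it. Keeping the LDAP DN and password out of the command line avoids leaving them in shell history and process listings, which is why the wrapper relies on credentials previously stored with db2ldcfg rather than taking USER and PASSWORD arguments.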
Usage notes
If the node name is not specified, Db2 will use the first node in LDAP that represents the Db2 server on the current machine.
It might be necessary to manually register (catalog) the database in LDAP if:
- The database server does not support LDAP. The administrator must manually register each database in LDAP to allow clients that support LDAP to access the database without having to catalog the database locally on each client machine.
- The application wants to use a different name to connect to the database. In this case, the administrator can catalog the database using a different alias name.
- The database resides at the host or System i database server. In this case, the administrator can register the database in LDAP and specify the gateway node through the GWNODE parameter.
- During CREATE DATABASE IN LDAP the database name already exists in LDAP. The database is still created on the local machine (and can be accessed by local applications), but the existing entry in LDAP will not be modified to reflect the new database. In this case, the administrator can:
- Remove the existing database entry in LDAP and manually register the new database in LDAP.
- Register the new database in LDAP using a different alias name.
