Additional configuration options

These are additional configuration options to keep in mind as users configure LDAP-based authentication.

Making customizations to the PAM configuration of Db2

To make customizations to the Db2® PAM configuration that do not apply to the rest of the system, make a copy of the system PAM configuration to create the Db2 PAM configuration file.
  • On RHEL systems run:
    cp /etc/pam.d/system-auth /etc/pam.d/db2
  • On SLES and Ubuntu systems run:
    cat /etc/pam.d/common-auth /etc/pam.d/common-account /etc/pam.d/common-password /etc/pam.d/common-session > /etc/pam.d/db2

Once this is done, the Db2 authentication configuration no longer tracks the system authentication configuration: changes that authconfig, authselect, pam-config or pam-auth-update later make to the system files are not carried over to /etc/pam.d/db2, so re-apply any such change to the Db2 copy yourself.

Enforce password history and password quality requirements during a password change

Because the Db2 check password daemons run as the root user, some PAM modules, such as pam_pwhistory and pam_pwquality, do not enforce their requirements: by default both modules exempt password changes made by root.

To ensure that password quality and history requirements are enforced for a password change, add the enforce_for_root option to the pam_pwquality.so and pam_pwhistory.so entries in the password section of the Db2 PAM configuration file. If the pam_pwquality.so entry also carries local_users_only, as the RHEL default system-auth does, pam_pwquality skips every user that is not in /etc/passwd, which includes all LDAP users; remove that option as well.
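The edit above, as an added example that is not part of the original page or of Db2 itself: a shell function that rewrites the password stack of a PAM file so that pam_pwquality and pam_pwhistory also run for root-initiated changes. It operates on a constructed copy of a RHEL-style stack in a temporary file; on a real system the target would be the Db2 copy, /etc/pam.d/db2, edited as root (an assumption, as is the sample content).

```shell
# Added example, not IBM's code. Hardens the password stack of a PAM file
# on a constructed copy; the real target (/etc/pam.d/db2) is an assumption.

# make_sample_pam: writes a constructed RHEL-style stack, prints its path.
make_sample_pam() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF
  printf '%s\n' "$f"
}

# harden_password_stack FILE
# On every password line that loads pam_pwquality.so or pam_pwhistory.so:
#   * drop local_users_only, which makes pam_pwquality skip any user not in
#     /etc/passwd, i.e. every LDAP user;
#   * append enforce_for_root unless it is already there, so the checks also
#     run when the calling process is root.
# Other lines are untouched and a second run changes nothing. The file is
# rewritten through a temporary copy rather than sed -i for portability.
harden_password_stack() {
  tmp="$1.tmp"
  sed -E '/^password.*pam_(pwquality|pwhistory)\.so/{
    s/[[:space:]]+local_users_only([[:space:]]|$)/\1/
    /enforce_for_root/!s/[[:space:]]*$/ enforce_for_root/
  }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# unenforced_lines FILE: number of pwquality/pwhistory entries that still
# lack enforce_for_root (0 once the fix has been applied).
unenforced_lines() {
  grep -E '^password.*pam_(pwquality|pwhistory)\.so' "$1" \
    | grep -vc enforce_for_root || true
}

# Stand-alone run on the constructed file: show the before/after state.
f="$(make_sample_pam)"
echo "before: $(unenforced_lines "$f") entries without enforce_for_root"
harden_password_stack "$f"
echo "after:  $(unenforced_lines "$f") entries without enforce_for_root"
grep -E 'pam_(pwquality|pwhistory)' "$f"
rm -f "$f"
```

Run harden_password_stack against the Db2 copy only: the same options in the system stack would also apply to passwd run by root for local accounts, which may or may not be what the site wants.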

Alternate group base DN

If the base DN for group searches is different from the default search base (ldap_search_base), add the following line to the [domain/default] section of the /etc/sssd/sssd.conf file and restart SSSD:
ldap_group_search_base = <Group base DN>

LDAP authenticated bind

If your LDAP server requires authentication (anonymous binds are not allowed), add the following lines to the [domain/default] section of the /etc/sssd/sssd.conf file after running the authconfig or authselect commands:
ldap_default_bind_dn=<bind DN>
ldap_default_authtok=<password>
The password is stored in clear text, so use a dedicated service account with read-only rights and keep /etc/sssd/sssd.conf owned by root with mode 0600; SSSD checks the file's ownership and permissions at startup. Then restart SSSD for the changes to take effect by running:
systemctl restart sssd

Disallow interactive login from all LDAP users by changing the default shell

Add the following parameter under the [domain/default] section of the /etc/sssd/sssd.conf file and restart SSSD. It overrides the login shell of every user served by that SSSD domain, which prevents interactive logins but still lets those users authenticate to Db2; local accounts in /etc/passwd are not affected.
  • For RHEL and SLES: override_shell = /sbin/nologin
  • For Ubuntu: override_shell = /usr/sbin/nologin

Control who can login to the server using the pam_access module

More granular control over who is allowed to log in to the system is provided by the pam_access module. Enable it with the command for your operating system:
  • RHEL 7: authconfig --enablepamaccess --update
  • RHEL 8: authselect enable-feature with-pamaccess (this keeps the features already enabled on the current profile; authselect select sssd with-pamaccess would switch to the sssd profile with only that feature)
  • SLES: pam-config --add --access
  • Ubuntu: Add the following line to the beginning of /etc/pam.d/common-account: account required pam_access.so
Then edit the /etc/security/access.conf file and add the following lines:
+ : root wheel : ALL
+ : db2inst1 : ALL
- : ALL : ALL

This configuration allows root, members of the wheel group, and the Db2 instance owner (db2inst1) to log in from any origin and denies everyone else. pam_access applies the first rule that matches the user and origin, and it grants access when no rule matches at all, so the final - : ALL : ALL line is what makes the policy deny by default; keep it last. Substitute the administrative group your distribution uses (Ubuntu uses sudo rather than wheel), and if the pam_access.so entry carries the nodefgroup option, write group names in parentheses, for example (wheel). Because pam_access now applies to every service that includes the system PAM stack, such as sshd and su, verify the new rules from a second session before closing the one you are editing in.
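To make the first-match and allow-when-nothing-matches behaviour concrete, here is an added example that is not part of the original page: a deliberately small evaluator for access.conf rules written in shell. It covers "+"/"-" permissions, ALL, user and group names in the users field, and ALL or an exact match in the origins field; netgroups, LOCAL, EXCEPT, parenthesised groups and nodefgroup are left out. The rule set and the group memberships are constructed inline.

```shell
# Added example, not IBM's code and not pam_access itself: a simplified
# evaluator for /etc/security/access.conf rules. Rules and group data are
# constructed; the evaluator ignores netgroups, LOCAL, EXCEPT and nodefgroup.

ACCESS_RULES='+ : root wheel : ALL
+ : db2inst1 : ALL
- : ALL : ALL'

# groups_of USER: constructed group memberships, standing in for the group
# database that pam_access consults when a users-field token is not a user.
groups_of() {
  case $1 in
    root)     echo "root wheel" ;;
    alice)    echo "users wheel" ;;
    db2inst1) echo "db2iadm1" ;;
    *)        echo "users" ;;
  esac
}

# access_check USER ORIGIN [RULES]: prints allow or deny.
# As in pam_access, a rule matches only if both its users field and its
# origins field match; the first matching rule decides; and a login that
# matches no rule is allowed, which is why "- : ALL : ALL" is needed to
# deny everyone not listed, and why it has to be the last rule.
access_check() {
  user=$1 origin=$2 rules=${3:-$ACCESS_RULES}
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' ')
    users=$(printf '%s\n' "$line" | cut -d: -f2 | tr ',' ' ')
    origins=$(printf '%s\n' "$line" | cut -d: -f3 | tr ',' ' ')
    matched=0
    for tok in $users; do
      if [ "$tok" = ALL ] || [ "$tok" = "$user" ]; then matched=1; break; fi
      for g in $(groups_of "$user"); do
        if [ "$tok" = "$g" ]; then matched=1; break 2; fi
      done
    done
    [ "$matched" = 1 ] || continue
    for tok in $origins; do
      if [ "$tok" = ALL ] || [ "$tok" = "$origin" ]; then
        if [ "x$perm" = "x+" ]; then echo allow; else echo deny; fi
        return 0
      fi
    done
  done <<EOF
$rules
EOF
  echo allow   # no rule matched: pam_access grants access
}

# Stand-alone run over the constructed policy.
for u in root alice db2inst1 bob; do
  echo "$u from 10.0.0.5: $(access_check "$u" 10.0.0.5)"
done
```

Running it shows root, alice (a wheel member) and db2inst1 allowed and bob denied; passing the same rules with the - : ALL : ALL line first denies everybody, and dropping it allows bob, the two mistakes the evaluator is meant to make visible before they are made in the real file.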

To allow other users to log in to Db2 only, take a backup of the Db2 PAM configuration file if one already exists, then run the command for your operating system:
  • For RHEL:
     grep -v pam_access.so /etc/pam.d/system-auth > /etc/pam.d/db2
  • For SLES and Ubuntu:
    grep -hv pam_access.so /etc/pam.d/common-auth /etc/pam.d/common-account /etc/pam.d/common-password /etc/pam.d/common-session > /etc/pam.d/db2
This makes a copy of the system authentication configuration without the lines that load the pam_access.so module. The -h option matters when several files are given: without it grep prefixes every output line with its file name, and PAM cannot parse the result. Any user that SSSD can authenticate can then connect to Db2, while the other services on the system, which still include pam_access, continue to deny them.
Note: The Db2 authentication configuration will no longer match the system authentication configuration.