Authentication
Authentication of a user is completed using a security facility outside of the Db2® database system. The security facility can be part of the operating system or a separate product.
The security facility requires two items to authenticate a user: a user ID and a password. The user ID identifies the user to the security facility. By supplying the correct password, information known only to the user and the security facility, the user's identity (corresponding to the user ID) is verified.
Note: In non-root installations,
operating system-based authentication must be enabled by running the db2rfe command.
After being authenticated:
- The user must be identified to Db2 using an SQL authorization name or authid. This name can be the same as the user ID, or a mapped value. For example, on UNIX operating systems, when you are using the default security plug-in module, a Db2 authid is derived by transforming to uppercase letters a UNIX user ID that follows Db2 naming conventions.
- A list of groups to which the user belongs is obtained. Group membership may be used when authorizing the user. Groups are security facility entities that must also map to Db2 authorization names. This mapping is done in a method similar to that used for user IDs.
The Db2 database manager uses the security facility to authenticate users in one of two ways:
- A successful security system login is used as evidence of identity,
and allows:
- Use of local commands to access local data
- Use of remote connections when the server trusts the client authentication.
- Successful validation of a user ID and password by the security
facility is used as evidence of identity and allows:
- Use of remote connections where the server requires proof of authentication
- Use of operations where the user wants to run a command under an identity other than the identity used for login.
Note: On some UNIX systems, the Db2database manager can
log failed password attempts with the operating system, and detect when a client has exceeded the
number of allowable login tries, as specified by the LOGINRETRIES parameter.