Configuring transparent LDAP for authentication and group lookup (AIX)
Starting in Db2® V9.7, transparent LDAP-based authentication and group look up are supported on the AIX® operating system. Some configuration steps are required before this support is enabled.
Before you begin
These steps assume that the LDAP server is RFC 2307 compliant and configured to store user and group information.
Procedure
- To configure your AIX client system for LDAP, perform the following steps:
  - Log in as a user with root authority.
  - Ensure that the LDAP client file set has been installed on your AIX system. AIX works with all versions of LDAP clients: ITDS V6.1, which ships with AIX V6.1, and ITDS V6.2, which ships with the AIX expansion pack. The following shows ITDS V5.2 file sets installed on an AIX system:

        $ lslpp -l "ldap*"
          Fileset                    Level    State      Description
          ----------------------------------------------------------------------------
        Path: /usr/lib/objrepos
          ldap.client.adt            5.2.0.0  COMMITTED  Directory Client SDK
          ldap.client.rte            5.2.0.0  COMMITTED  Directory Client Runtime (No SSL)
          ldap.html.en_US.config     5.2.0.0  COMMITTED  Directory Install/Config Gd-U.S. English
          ldap.html.en_US.man        5.2.0.0  COMMITTED  Directory Man Pages - U.S. English
          ldap.msg.en_US             5.2.0.0  COMMITTED  Directory Messages - U.S. English

        Path: /etc/objrepos
          ldap.client.rte            5.2.0.0  COMMITTED  Directory Client Runtime (No SSL)
  - Using the mksecldap command with the -c option, configure the client. For more information about the mksecldap command and how to use it to configure the client, see Setting up an IBM Security Directory Server.
  - Update the default stanza in the /etc/security/user file.
    The SYSTEM attribute in the /etc/security/user file is used to specify the authentication method used for user management. To enable LDAP authentication, set the SYSTEM attribute in the default stanza to include LDAP in addition to local user authentication. The default stanza must be modified so that LDAP is searched for users that are not defined locally. For example:

        chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP"

    Db2 supports the following SYSTEM attribute values:
    - LDAP
    - KRB5LDAP
    - KRB5ALDAP
    - files
    - KRB5files
    - KRB5Afiles

    Configurations that use other SYSTEM attribute values might work, but are not supported.
    For more information on the stanza SYSTEM attribute, see User authentication.
    For more details, refer to the redbook titled Integrating AIX into Heterogeneous LDAP Environments, at: http://www.redbooks.ibm.com/abstracts/sg247165.html
- To configure transparent LDAP authentication on your Db2 instance:
  - Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. As a user with SYSADM authority, run db2set DB2AUTH=OSAUTHDB.
  - Using the UPDATE DBM CFG command, set the authentication on the database server instance to any one of the following:
    - SERVER
    - SERVER_ENCRYPT
  - Ensure that you are using the default Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin).
  - Restart the Db2 instance.

  Attention: SERVER_ENCRYPT is disabled on Db2 clients and servers running in strict FIPS mode. You are recommended to use SERVER authentication with TLS as a more secure alternative. For more information on TLS, see Encryption of data in transit.
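As an added example (not from the IBM documentation), the following POSIX shell check verifies the default-stanza step above: it parses an /etc/security/user-style stanza file and confirms that every method in the default stanza's SYSTEM expression is one of the values Db2 supports. The sample stanza file is constructed inline, and the function names (stanza_attr, system_supported, check_default_stanza) are my own.

```shell
# Added example: check that the default stanza's SYSTEM attribute in an AIX
# /etc/security/user-style file uses only methods that Db2 supports.

SUPPORTED="LDAP KRB5LDAP KRB5ALDAP files KRB5files KRB5Afiles"

# Print the value of attribute $3 in stanza $2 of file $1. AIX stanza files
# are "name:" lines followed by indented "attr = value" lines.
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == s && $0 ~ ("^[ \t]*" a "[ \t]*=") {
            v = $0; sub(/^[ \t]*[^=]*=[ \t]*/, "", v); gsub(/"/, "", v)
            print v; exit
        }' "$1"
}

# Return 0 if every method in a SYSTEM expression such as "files or LDAP"
# is in SUPPORTED; "or", "and" and parentheses are grammar, not methods.
system_supported() {
    methods=$(printf '%s' "$1" | tr '()' '  ')
    for tok in $methods; do
        case "$tok" in or|and|OR|AND) continue ;; esac
        case " $SUPPORTED " in
            *" $tok "*) ;;
            *) echo "unsupported SYSTEM method: $tok" >&2; return 1 ;;
        esac
    done
    return 0
}

# 0 = supported, 1 = unsupported method present, 2 = SYSTEM not set in default.
check_default_stanza() {
    val=$(stanza_attr "$1" default SYSTEM)
    [ -n "$val" ] || { echo "default stanza has no SYSTEM attribute" >&2; return 2; }
    system_supported "$val"
}

# Constructed sample resembling /etc/security/user after the chsec command above;
# on a real AIX system pass /etc/security/user instead.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default:
        SYSTEM = "files or LDAP"
EOF
if check_default_stanza "$SAMPLE"; then echo "default stanza: SYSTEM is Db2-supported"; fi
rm -f "$SAMPLE"
```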