DB2 Version 9.7 for Linux, UNIX, and Windows

Configuring transparent LDAP for authentication and group lookup (Linux)

Starting in DB2® V9.7 Fix Pack 1 and later, to ensure the DB2 database server transparently uses LDAP-based authentication on the Linux operating system, use Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.

Before you begin

To enable support for transparent LDAP on the DB2 database, complete the following tasks:
  1. Configure your operating system to authenticate users using PAM
  2. Configure your DB2 instance
The steps assume that the LDAP server is RFC 2307 compliant.


  1. To configure your operating system for LDAP and PAM, perform the following steps:
    1. Log in as a user with root authority.
    2. Ensure that the nss_ldap and pam_ldap packages are installed. These two packages appear as libnss_ldap.so and libpam_ldap.so in the /lib(64) or /usr/lib(64) directories.
    3. Set up your operating system to act as a LDAP client machine by modifying the /etc/ldap.conf file to enable the operating system to bind with a LDAP server. Here's a sample /etc/ldap.conf file:
      host <host>              # Address of ldap server
      base <base>              # The DN of the search base.
      rootbinddn <binddn>      # The bind DN to bind to LDAP
      ldap_version 3           # LDAP version
      pam_login_attribute uid  # user ID attribute for pam user lookups
      nss_base_group <group>   # nsswitch configuration pertaining to group search lookup
    4. Set your password in the /etc/ldap.secret file. Only the root user should be able to read or write to this file.
    5. Create or modify the PAM configuration file at /etc/pam.d/db2. The file should be only be readable and writable by root. You might have to modify the configuration file, depending on the version of the operating system that is being used. Here is a sample configuration file for SUSE Linux Enterprise Server 10:
      auth     sufficient pam_unix2.so
      auth     required   pam_ldap.so     use_first_pass   
      account  sufficient pam_unix2.so
      account  required   pam_ldap.so
      password required   pam_pwcheck.so 
      password sufficient pam_unix2.so    use_authtok use_first_pass
      password required   pam_ldap.so     use_first_pass
      session  required   pam_unix2.so

      For Red Hat Enterprise Linux 5, modify the configuration file as follows:

      auth    required    pam_env.so 
      auth    sufficient  pam_unix.so likeauth nullok 
      auth    sufficient  pam_ldap.so use_first_pass 
      auth    required    pam_deny.so 
      account  required   pam_unix.so 
      account  sufficient pam_succeed_if.so uid < 100 quiet 
      account  sufficient pam_ldap.so  
      account  required   pam_permit.so 
      password requisite  pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 
      password sufficient pam_unix.so nullok use_authtok md5 shadowremember=3 
      password sufficient pam_ldap.so  use_first_pass 
      password required   pam_deny.so 
      session  required   pam_limits.so 
      session  required   pam_unix.so 

      DB2 supports PAM configurations that use pam_ldap.so, pam_unix.so, and pam_unix2.so. Configurations that use other PAM modules might work, but are not supported.

    6. Setup your Linux system to perform group lookup through LDAP. Find the group and passwd entries in /etc/nsswitch.conf file and ensure ldap is entered as a lookup method. Here is an example of the group and passwd entry:
      group:          files ldap
      passwd:         files ldap
  2. To configure transparent LDAP authentication on your DB2 instance:
    1. Set the DB2AUTH miscellaneous registry variable to OSAUTHDB. As a user with SYSADM authority run db2set DB2AUTH=OSAUTHDB.
    2. Using the UPDATE DBM CFG command, set the authentication on the database server instance to any one of the following:
      • SERVER
      • CLIENT
    3. Ensure that you are using the default empty values for Client Userid-Password Plugin (clnt_pw_plugin), Server Userid-Password Plugin (srvcon_pw_plugin) and Group Plugin (group_plugin). The default plug-ins are IBMOSauthclb ient, IBMOSauthserver and IBMOSgroups, and those plug-ins are implied if you leave the values for the plug-in name empty.
    4. Restart the DB2 instance.
    Note: IBMLDAPSecurity.ini is not used by transparent LDAP. This file is used only with LDAP plug-in modules.