By default, Db2® Warehouse uses a self-contained LDAP server for authentication and authorization. However, you can use an external Microsoft Active Directory server instead.

Before you begin

If you want each node to join the Active Directory domain, which makes it easier for you to audit activity, perform the following preliminary steps. If you want each node to instead act solely as an LDAP client, skip these steps.
- Create an Active Directory computer account for each Db2 Warehouse node.
- Create a user to manage these accounts.
- Grant this user the following permissions for each account:
  - Reset password
  - Write DNS host name attributes
  - Write msDS-SupportedEncryptionTypes
  - Write Operating System
  - Write Operating System Version
  - Write operatingSystemServicePack
  - Write servicePrincipalName
  - Write userAccountControl
  - Write userPrincipalName
Procedure

1. Create the following groups:
   - bluadmin: the group for Db2 Warehouse administrators. The value of its CN attribute (the full or common name) must be bluadmin.
   - bluusers: the group for Db2 Warehouse users. The value of its CN attribute must be bluusers.

   Note:
   - Both groups must have the same location; that is, with the exception of their CN attributes, the DNs of the two groups must be identical.
   - For each group, the value of its SamAccountName attribute can be anything other than bluadmin, which is reserved for the bluadmin user. For example, set the SamAccountName attributes of the two groups to bluadmin-group and bluusers-group.

2. Create the bluadmin user, who must be a member of the bluadmin group. For the bluadmin user, specify at least the CN and SamAccountName attributes; set both of these attributes to bluadmin.

3. Ensure that the host name of the Active Directory domain controller is resolvable from all nodes. For example, you can define the Active Directory domain controller in the /etc/hosts file on each node host. If you define the Active Directory domain controller by using this method, you must redeploy Db2 Warehouse.

4. Configure the Db2 Warehouse nodes to act as clients of an Active Directory server:
   - Use the web console:
     - Click .
     - Click External AD and specify Active Directory connection information. If you want each node to join the Active Directory domain, click Join AD domain and enter an administrator user ID and an administrator password. If you want each node to act solely as an LDAP client, click LDAP only and do not enter an administrator user ID or administrator password.

     Note: If you specify a group base DN or user base DN:
     - The group base DN must be at the same location as (that is, must be in the same directory as) the bluadmin and bluusers groups.
     - The user base DN is the same DN that you specified for the bluadmin user, but without the CN attribute.

   You can use the --admin-group-name, --user-group-name, and --admin-user-name parameters to override the default names for the administrative group (default is bluadmin), user group (default is bluusers), and administrative user (default is bluadmin). For example, you might want to use different groups and users depending on whether your system is a production or test system. All other requirements for these groups and users remain unchanged.

5. If needed, create additional Db2 Warehouse administrators by adding them to the bluadmin group, and create additional Db2 Warehouse users by adding them to the bluusers group. Use the same approach that you used for creating the bluadmin user in step 2. The SamAccountName of each administrator and user must be unique. The values of the CN and SamAccountName attributes that you specify for a particular administrator or user do not need to match.
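As an added pre-flight check (example code written for this page, not part of the IBM documentation or the product), the following Python script verifies that a set of directory objects satisfies the group and user requirements from steps 1, 2 and 4 and derives the group base DN and user base DN to enter in the console. The directory entries are constructed sample data, and the entry keys (dn, objectClass, sAMAccountName, member) and the default names, which mirror the --admin-group-name, --user-group-name and --admin-user-name parameters, are assumptions.

```python
import re
# Constructed sample directory objects (not a real AD): each entry carries only
# the attributes the checks need; 'member' lists the DNs that belong to a group.
SAMPLE_ENTRIES = [
    {"dn": "CN=bluadmin,OU=Db2WH,DC=example,DC=com", "objectClass": "group",
     "sAMAccountName": "bluadmin-group",
     "member": ["CN=bluadmin,OU=Users,OU=Db2WH,DC=example,DC=com"]},
    {"dn": "CN=bluusers,OU=Db2WH,DC=example,DC=com", "objectClass": "group",
     "sAMAccountName": "bluusers-group", "member": []},
    {"dn": "CN=bluadmin,OU=Users,OU=Db2WH,DC=example,DC=com", "objectClass": "user",
     "sAMAccountName": "bluadmin"},
]
def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]
def rdn_value(dn):
    """Value of the leading RDN, e.g. 'bluadmin' for 'CN=bluadmin,...'."""
    return split_dn(dn)[0].split("=", 1)[1]
def parent_dn(dn):
    """DN with the leading RDN removed; this is how the base DNs are derived."""
    return ",".join(split_dn(dn)[1:])

def check_layout(entries, admin_group="bluadmin", user_group="bluusers",
                 admin_user="bluadmin"):
    """Return (problems, group_base_dn, user_base_dn); no problems means OK."""
    problems = []
    groups = {rdn_value(e["dn"]): e for e in entries if e["objectClass"] == "group"}
    users = {rdn_value(e["dn"]): e for e in entries if e["objectClass"] == "user"}
    ag, ug, au = groups.get(admin_group), groups.get(user_group), users.get(admin_user)
    for name, obj in ((admin_group, ag), (user_group, ug)):
        if obj is None:
            problems.append(f"group CN={name} not found")
    if ag and ug and parent_dn(ag["dn"]) != parent_dn(ug["dn"]):
        problems.append("the two groups must have identical DNs apart from CN")
    for name, g in groups.items():
        if g["sAMAccountName"].lower() == admin_user.lower():
            problems.append(f"group CN={name} uses reserved sAMAccountName {admin_user}")
    if au is None:
        problems.append(f"user CN={admin_user} not found")
    else:
        if au["sAMAccountName"] != admin_user:
            problems.append(f"user {admin_user} must have sAMAccountName {admin_user}")
        members = [m.lower() for m in (ag or {}).get("member", [])]
        if ag and au["dn"].lower() not in members:
            problems.append(f"user {admin_user} is not a member of group {admin_group}")
    group_base = parent_dn(ag["dn"]) if ag else None
    user_base = parent_dn(au["dn"]) if au else None
    return problems, group_base, user_base
```

Run check_layout against the objects exported from your own directory before pointing the nodes at it; the returned base DNs are the values the console note above describes.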