To use IBM® Security Directory Server as a repository in your organization for identity and access management, you must configure a DB2® database with the directory server. A directory server stores a representation of the directory in a DB2 database.
To implement a directory representation, the directory server uses database tables. You can use commands to list the database tables that are associated with a directory server. Although it is not necessary to access a directory server with DB2 commands, this information might be useful to database administrators.
The IBM Security Directory Server tables can be grouped into the following categories:
- LDAP entry table
- Subtree tables
- Attribute tables
- ACL tables
- Replication tables
In the examples, the ldapdb2 DB2 database name is used. To view the tables that are associated with the database, you must use the database instance owner credentials. For your environment, substitute the database instance owner and database name as per your configuration. You must switch the user context to the DB2 instance owner to run the commands. For example, to log in with the ldapdb2 DB2 instance owner credentials, run the following command:
- On AIX®, Linux®, and Solaris systems
su - ldapdb2
- On Windows systems
db2cmd
set DB2INSTANCE=ldapdb2
To connect to the database, run the following command:
db2 connect to ldapdb2
- LDAP entry table
- The LDAP entry category consists of a single table, the LDAP_ENTRY table.
- The LDAP_ENTRY table contains the LDIF definition of each LDAP entry. One of the columns in the table is the EID (Entry ID) column. All other tables of the database use the EID column to identify the LDAP entry that is referenced from the LDAP_ENTRY table. The directory server uses the LDAP_ENTRY table in the following ways:
- To retrieve the requested attribute values for an ldapsearch command.
- To evaluate the one-level scope on an ldapsearch command.
- The one-level scope is evaluated by using the PEID (Parent EID) column of the LDAP_ENTRY table. To include indexes on the distinguished name (DN), the LDAP_ENTRY table includes a DN_TRUNC column and a full, non-searchable DN column.
- To describe the LDAP_ENTRY table, run the db2 describe command. The show detail parameters are optional.
  db2 describe table ldap_entry show detail
  To find the EID of a particular DN, run the following command. The dn_trunc value must be in uppercase.
  db2 "select eid from ldap_entry where dn_trunc = 'CN=USER1,O=SAMPLE'"
  To find the DN of a particular EID, run the following command:
  db2 "select dn_trunc from ldap_entry where eid = 100"
  To find the LDIF definition of a particular DN, run the following command:
  db2 "select ENTRYDATA from ldap_entry where dn_trunc = 'CN=USER1,O=SAMPLE'"
  To find the DN entries for the first 10 rows in the LDAP_ENTRY table, run the following command:
  db2 "select dn_trunc from ldap_entry fetch first 10 rows only"
  To find the DN entries for the next 10 rows in the LDAP_ENTRY table, run the following command (the eid > 10 predicate assumes that the first 10 rows had EIDs 1 through 10; adjust it to the last EID you saw):
  db2 "select dn_trunc from ldap_entry where eid > 10 fetch first 10 rows only"
  To find all LDAP suffixes, that is, entries whose parent EID is -1, run the following command:
  db2 "select dn_trunc from ldap_entry where peid = -1"
  To find the DN entries of all the immediate child entries (one-level search) of the LDAP entry with DN O=SAMPLE, run the following command:
  db2 "select dn_trunc from ldap_entry where peid in \
  (select eid from ldap_entry where dn_trunc = 'O=SAMPLE')"
- Subtree tables
- The subtree category consists of the LDAP_DESC table and the LDAP_GRP_DESC table. You can evaluate the subtree scope on an ldapsearch command with the LDAP_DESC table. This table contains a list of parent and child LDAP entry relationships in two columns:
- A Descendant EID or DEID column
- An Ancestor EID or AEID column
- For each LDAP entry, there is a full list of parents for that LDAP entry in the LDAP_DESC table. Parent in this case includes the immediate parent and all ancestors. For example, the following command lists all the parents or ancestors of EID 100:
  db2 "select * from ldap_desc where deid = 100"
- An example output that the command generates:
  DEID    AEID
  ------  -------
  100     11
  100     17
  100     23
  100     24
  100     100
  The output indicates that the EID is four levels deep in the directory information tree; the last row, where DEID equals AEID, is the entry itself.
- To find all the parent entries of an entry with the EID value 100, first run the following command to obtain its DN:
  db2 "select dn_trunc from ldap_entry where eid = 100"
  DN_TRUNC
  ---------------------
  CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE
  The parent entries, along with the entry that matches the filter, are as follows:
  CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE
  CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE
  OU=HRGROUP,OU=MYCITY,O=SAMPLE
  OU=MYCITY,O=SAMPLE
  O=SAMPLE
- You can join DB2 tables in a single command to list all the parents of an LDAP entry with the CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE DN. Because the parents of an entry are found on the DEID side of the LDAP_DESC table, the subquery supplies the deid value. For example:
  db2 "select * from ldap_desc where deid in \
  (select eid from ldap_entry where dn_trunc = \
  'CN=TESTUSER1,CN=USERS,OU=HRGROUP,OU=MYCITY,O=SAMPLE')"
- The LDAP_DESC table is also used in subtree searches. To find all the child LDAP entries (both immediate children and all descendants) of the CN=USERS,O=SAMPLE LDAP entry, run the following command:
  db2 "select * from ldap_desc where aeid in \
  (select eid from ldap_entry where dn_trunc = \
  'CN=USERS,O=SAMPLE')"
  An example output:
  DEID      AEID
  --------  -----------
  12        12
  2000042   12
  2000043   12
  2000044   12
  2000056   12
  2000057   12
  2000058   12
You can use the LDAP_GRP_DESC table
to track nested group relationships.
- Attribute tables
- The attribute tables consist of one table per attribute that is used in the directory server. The purpose of the attribute tables is to improve the performance of LDAP searches that use search filters, particularly when the attribute is indexed. The attribute tables are named after the attributes they represent. For example, the DB2 table for the cn attribute is named cn.
- To describe the cn table, run the following command:
  db2 describe table cn
- The example output of the command is as follows:
  Column name   Data type schema   Data type name   Column Length   Scale   Nulls
  ------------  -----------------  ---------------  --------------  ------  ------
  EID           SYSIBM             INTEGER          4               0       No
  CN            SYSIBM             VARCHAR          256             0       No
  CN_T          SYSIBM             VARCHAR          240             0       No
  RCN_T         SYSIBM             VARCHAR          240             0       No
  4 record(s) selected.
- The CN column contains the full value of the attribute. The columns whose names end in _T hold the attribute value truncated to 240 characters; this is the form that is used for searching. The column whose name begins with R holds the attribute value in reverse. This column is used for searches on attributes that are specified with a trailing wildcard.
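The following Python script is an added example, not part of the IBM documentation, that models the LDAP_ENTRY, LDAP_DESC and cn tables described above in an in-memory SQLite database and runs the same kinds of lookups the text shows with db2: EID lookup by uppercase DN_TRUNC, suffix lookup by PEID = -1, one-level search through PEID, subtree and ancestor lookups through the DEID/AEID pairs, and a wildcard search served by the reversed RCN_T column. The column names come from the text; the SQLite types, the sample DNs, the toy DN parser and the helper function names are assumptions of this example, and the script does not talk to a real directory server or DB2 instance.

```python
import sqlite3

# Constructed miniature of the table layout the text describes: LDAP_ENTRY
# (EID, PEID, DN_TRUNC), LDAP_DESC (DEID, AEID) and one attribute table,
# CN (EID, CN, CN_T, RCN_T). Column names follow the text; the SQLite types,
# the helper names and the sample DNs below are assumptions of this example.

SAMPLE_ENTRIES = [  # (eid, dn, cn value): constructed sample data
    (1, "o=sample", None),
    (2, "ou=mycity,o=sample", None),
    (3, "ou=hrgroup,ou=mycity,o=sample", None),
    (4, "cn=users,ou=hrgroup,ou=mycity,o=sample", "users"),
    (5, "cn=testuser1,cn=users,ou=hrgroup,ou=mycity,o=sample", "testuser1"),
    (6, "cn=user1,o=sample", "user1"),
]
NO_PARENT = -1    # PEID of a suffix entry, as in the text
TRUNC_LEN = 240   # length of the *_T search columns, as in the text


def normalize_dn(dn):
    """DN_TRUNC holds the uppercase DN; a real server also normalizes spacing
    and escaping, which this toy parser ignores."""
    return dn.upper()[:TRUNC_LEN]


def parent_dn(dn):
    """Parent DN = everything after the first comma (toy parser: it does not
    handle escaped commas inside an RDN value)."""
    return dn.split(",", 1)[1] if "," in dn else None


def build_db():
    """Load the sample tree, deriving PEID, the LDAP_DESC ancestor rows and
    the CN attribute table (full value, truncated key, reversed key)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ldap_entry (eid INTEGER PRIMARY KEY, peid INTEGER, dn_trunc TEXT);
        CREATE TABLE ldap_desc (deid INTEGER, aeid INTEGER);
        CREATE TABLE cn (eid INTEGER, cn TEXT, cn_t TEXT, rcn_t TEXT);
    """)
    by_dn = {normalize_dn(dn): eid for eid, dn, _ in SAMPLE_ENTRIES}
    for eid, dn, cn in SAMPLE_ENTRIES:
        parent = parent_dn(dn)
        peid = by_dn[normalize_dn(parent)] if parent else NO_PARENT
        conn.execute("INSERT INTO ldap_entry VALUES (?, ?, ?)", (eid, peid, normalize_dn(dn)))
        cur = dn  # LDAP_DESC gets one row for the entry itself and one per ancestor
        while cur is not None:
            conn.execute("INSERT INTO ldap_desc VALUES (?, ?)", (eid, by_dn[normalize_dn(cur)]))
            cur = parent_dn(cur)
        if cn is not None:
            cn_t = cn.upper()[:TRUNC_LEN]
            conn.execute("INSERT INTO cn VALUES (?, ?, ?, ?)", (eid, cn, cn_t, cn_t[::-1]))
    conn.commit()
    return conn


def find_eid(conn, dn):
    """EID of a DN; the lookup key is the uppercase DN_TRUNC, as the text notes."""
    row = conn.execute("SELECT eid FROM ldap_entry WHERE dn_trunc = ?", (normalize_dn(dn),)).fetchone()
    return row[0] if row else None


def suffixes(conn):
    """Suffix entries have no parent, recorded as PEID = -1."""
    return [r[0] for r in conn.execute("SELECT dn_trunc FROM ldap_entry WHERE peid = ?", (NO_PARENT,))]


def one_level(conn, base_dn):
    """Immediate children only: the PEID lookup behind a one-level search."""
    return [r[0] for r in conn.execute(
        "SELECT dn_trunc FROM ldap_entry WHERE peid IN "
        "(SELECT eid FROM ldap_entry WHERE dn_trunc = ?) ORDER BY eid", (normalize_dn(base_dn),))]


def subtree(conn, base_dn):
    """Base plus every descendant: the AEID side of LDAP_DESC, as in a subtree search."""
    return [r[0] for r in conn.execute(
        "SELECT e.dn_trunc FROM ldap_desc d JOIN ldap_entry e ON e.eid = d.deid "
        "WHERE d.aeid IN (SELECT eid FROM ldap_entry WHERE dn_trunc = ?) ORDER BY e.eid",
        (normalize_dn(base_dn),))]


def ancestors(conn, eid):
    """The entry and all of its ancestors: the DEID side of LDAP_DESC, deepest first."""
    return [r[0] for r in conn.execute(
        "SELECT e.dn_trunc FROM ldap_desc d JOIN ldap_entry e ON e.eid = d.aeid "
        "WHERE d.deid = ? ORDER BY length(e.dn_trunc) DESC", (eid,))]


def cn_ends_with(conn, tail):
    """A filter whose literal part is the end of the value, e.g. (cn=*user1),
    becomes a prefix match on the reversed RCN_T column, which an index can serve."""
    key = tail.upper()[::-1] + "%"
    return [r[0] for r in conn.execute("SELECT cn FROM cn WHERE rcn_t LIKE ? ORDER BY eid", (key,))]


if __name__ == "__main__":
    db = build_db()
    print("suffixes:", suffixes(db))
    print("one level under o=sample:", one_level(db, "o=sample"))
    print("subtree under ou=hrgroup:", subtree(db, "ou=hrgroup,ou=mycity,o=sample"))
    print("ancestors of EID 5:", ancestors(db, 5))
    print("cn values ending in user1:", cn_ends_with(db, "user1"))
```

The ancestors() query mirrors the db2 "where deid = 100" command and subtree() mirrors the "where aeid in (...)" command from the subtree section; comparing their outputs on the same sample tree makes the DEID/AEID distinction concrete before running the real commands against ldapdb2.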
- ACL tables
- The ACL tables consist of the SRC, ACLPROP, OWNPROP, ENTRYOWNER, ACLPERM, and ACLINHERIT tables. The SRC table identifies the LDAP entry from which a particular LDAP entry obtains or inherits its ACL and owner information. The SRC table is also the attribute table for the aclsource and entryowner attributes.
- To describe the src table, run the following command:
  db2 describe table src
- The example output of the command is as follows:
  Column name   Data type schema   Data type name   Column Length   Scale   Nulls
  ------------  -----------------  ---------------  --------------  ------  ------
  EID           SYSIBM             INTEGER          4               0       Yes
  ACLSRC        SYSIBM             INTEGER          4               0       Yes
  OWNSRC        SYSIBM             INTEGER          4               0       Yes
  ACLTYPE       SYSIBM             INTEGER          4               0       Yes
  4 record(s) selected.
- The ACLPROP and OWNPROP tables are the attribute tables for the aclpropagate and ownerpropagate attributes. The ACLPERM table is the attribute table for the aclentry attribute. The ACLINHERIT table is the attribute table for the ibm-filterAclEntry attribute.
- Replication tables
- The replication tables consist of the REPLSTATUS, REPLCHGnnnn, REPLERROR, and several other tables. There is one REPLCHGnnnn table for each replication context, where nnnn is the EID of the base entry of the replication context. The REPLCHGnnnn table implements the replication change table.
- The REPLSTATUS table is a pointer into the REPLCHGnnnn table that indicates the last replicated operation.