Setting up a Microsoft Active Directory server

By default, Db2® Warehouse uses a self-contained LDAP server for authentication and authorization. However, you can use an external Microsoft Active Directory server instead.

Before you begin

If you want each node to join the Active Directory domain, which makes it easier for you to audit activity, perform the following preliminary steps. If you want each node to instead act solely as an LDAP client, skip these steps.
  1. Create an Active Directory computer account for each Db2 Warehouse node.
  2. Create a user to manage these accounts.
  3. Grant this user the following permissions for each account:
    • Reset password
    • Write DNS host name attributes
    • Write msDS-SupportedEncryptionTypes
    • Write Operating System
    • Write Operating System Version
    • Write operatingSystemServicePack
    • Write servicePrincipalName
    • Write userAccountControl
    • Write userPrincipalName

Procedure

  1. Create the following groups:
    bluadmin
    This is the group for Db2 Warehouse administrators. The value of its CN attribute (the full or common name) must be bluadmin.
    bluusers
    This is the group for Db2 Warehouse users. The value of its CN attribute must be bluusers.
    Note:
    • Both groups must have the same location, that is, with the exception of their CN attributes, the DNs of the two groups must be identical.
    • For each group, the value of its SamAccountName attribute can be anything other than bluadmin, which is reserved for the bluadmin user. For example, set the SamAccountName attributes for the two groups to bluadmin-group and bluusers-group.
  2. Create the bluadmin user, who must be a member of the bluadmin group.
    For the bluadmin user, specify at least the CN and SamAccountName attributes; set both of these attributes to bluadmin.
  3. Ensure that the host name of the Active Directory domain controller is resolvable from all nodes. For example, you can define the Active Directory domain controller in the /etc/hosts file on each node host. If you define the Active Directory domain controller by using this method, you must redeploy Db2 Warehouse.
  4. Configure the Db2 Warehouse nodes to act as clients of an Active Directory server:
    • Use the web console:
      1. Click Settings > External User Management.
      2. Click External AD and specify Active Directory connection information. If you want each node to join the Active Directory domain, click Join AD domain and enter an administrator user ID and an administrator password. If you want each node to act solely as an LDAP client, click LDAP only and do not enter an administrator user ID or administrator password.
    • From the head node, issue the docker exec -it Db2wh configure_user_management or podman exec -it Db2wh configure_user_management command in one of the following ways:
      • If you want each node to join the Active Directory domain, specify the --type ad parameter. For the --realm-user and --realm-user-password parameters, specify the user ID and password that you created to manage the computer account on each node. An example follows:
        docker exec -it Db2wh configure_user_management --type ad --host myhost.example.com --port 389 --realm-user Db2whAdmin --realm-user-password passwd --searcher-dn cn=searcher,cn=users,dc=example,dc=org --searcher-password passwd
        podman exec -it Db2wh configure_user_management --type ad --host myhost.example.com --port 389 --realm-user Db2whAdmin --realm-user-password passwd --searcher-dn cn=searcher,cn=users,dc=example,dc=org --searcher-password passwd
      • If you want each node to act solely as an LDAP client, specify the --type ad-ldap parameter, and omit the --realm-user and --realm-user-password parameters. An example follows:
        docker exec -it Db2wh configure_user_management --type ad-ldap --host myhost.example.com --port 389 --searcher-dn cn=searcher,cn=users,dc=example,dc=org --searcher-password passwd
        podman exec -it Db2wh configure_user_management --type ad-ldap --host myhost.example.com --port 389 --searcher-dn cn=searcher,cn=users,dc=example,dc=org --searcher-password passwd
    Note: If you specify a group base DN or user base DN:
    • The group base DN must be at the same location as (that is, must be in the same directory as) the bluadmin and bluusers groups.
    • The user base DN is the same DN that you specified for the bluadmin user, but without the CN attribute.

    You can use the --admin-group-name, --user-group-name, and --admin-user-name parameters to override the default names for the administrative group (default is bluadmin), user group (default is bluusers), and administrative user (default is bluadmin). For example, you might want to use different groups and users depending on whether your system is a production or test system. All other requirements for these groups and user remain unchanged.

    For more information, see configure_user_management.

  5. If needed, create additional Db2 Warehouse administrators by adding them to the bluadmin group, and create additional Db2 Warehouse users by adding them to the bluusers group. Use the same sort of approach that you used for creating the bluadmin user in step 2. The SamAccountName of each administrator and user must be unique. The values of the CN and SamAccountName attributes that you specify for a particular administrator or user do not need to match.
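The following is an added pre-flight check, not part of IBM's documentation or the configure_user_management tool: it encodes the rules from steps 1, 2 and the base-DN note (group CNs, the reserved SamAccountName, identical group locations, the bluadmin user's membership and attributes) and derives the user base DN and group base DN that you would pass to --user-base-dn and --group-base-dn. The entries are constructed samples, and the optional *_name arguments assume the override parameters described above apply unchanged.

```python
# Added example (not IBM code): validate the AD objects Db2 Warehouse expects and
# derive the user base DN and group base DN from them. Entries are constructed
# samples; escaped commas inside DN values are not handled.

def parse_dn(dn):
    """Split a DN into case-folded (attribute, value) RDN tuples."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def parent_dn(dn):
    """The DN without its leading RDN, i.e. the entry's location in the tree."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])

def check_ad_layout(admin_group, user_group, admin_user, admin_group_name="bluadmin",
                    user_group_name="bluusers", admin_user_name="bluadmin"):
    """Return (problems, user_base_dn, group_base_dn). The *_name arguments mirror
    --admin-group-name, --user-group-name and --admin-user-name (assumed usage)."""
    problems = []
    for grp, name in ((admin_group, admin_group_name), (user_group, user_group_name)):
        if grp["cn"].lower() != name.lower():                  # CN must be the group name
            problems.append(f"group CN {grp['cn']!r} must be {name!r}")
        if grp["sAMAccountName"].lower() == admin_user_name.lower():  # reserved for admin user
            problems.append(f"group {grp['cn']!r} may not use sAMAccountName {admin_user_name!r}")
    group_base_dn = parent_dn(admin_group["dn"])               # both groups share this location
    if group_base_dn != parent_dn(user_group["dn"]):
        problems.append("admin and user groups are not in the same location")
    for attr in ("cn", "sAMAccountName"):                      # admin user: both attributes = name
        if admin_user[attr].lower() != admin_user_name.lower():
            problems.append(f"admin user {attr} must be {admin_user_name!r}")
    if parse_dn(admin_group["dn"]) not in [parse_dn(m) for m in admin_user["memberOf"]]:
        problems.append("admin user is not a member of the admin group")
    user_base_dn = parent_dn(admin_user["dn"])                 # admin user's DN without its CN
    return problems, user_base_dn, group_base_dn

# Constructed sample entries in the layout this page describes.
SAMPLE = dict(
    admin_group={"dn": "CN=bluadmin,OU=Db2wh,DC=example,DC=org", "cn": "bluadmin",
                 "sAMAccountName": "bluadmin-group"},
    user_group={"dn": "CN=bluusers,OU=Db2wh,DC=example,DC=org", "cn": "bluusers",
                "sAMAccountName": "bluusers-group"},
    admin_user={"dn": "CN=bluadmin,CN=Users,DC=example,DC=org", "cn": "bluadmin",
                "sAMAccountName": "bluadmin",
                "memberOf": ["CN=bluadmin,OU=Db2wh,DC=example,DC=org"]},
)
```

Run check_ad_layout(**SAMPLE) against entries exported from your own directory (for example from an LDAP search) before issuing configure_user_management; an empty problems list means the layout satisfies the rules above.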