Starting in DB2® V9.7 Fix Pack 1, you use Pluggable Authentication
Modules (PAM) to have your DB2 database server transparently
authenticate users against an LDAP directory on the Solaris
operating system. Your LDAP server should already be configured to
store user and group information.
Before you begin
This procedure assumes that the LDAP server is RFC 2307
compliant.
About this task
This task describes the steps that are applicable to Solaris
10. The instructions might vary slightly for other versions of the
Solaris operating system.
Procedure
- Configure your operating system for LDAP and PAM by performing
the following steps:
- Log in as a user with root authority.
- Ensure that the nss_ldap and pam_ldap packages
are installed. They appear as nss_ldap.so in /usr/lib and pam_ldap.so in /usr/lib/security.
- Set up your operating system to act as an LDAP client
machine.
Use the ldapclient(1M) command to do this. Here
is a sample invocation:
ldapclient manual -a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=<root> \
-a proxyPassword=<password> \
-a defaultSearchBase=<base> \
-a serviceSearchDescriptor=group:<group> \
-a domainName=<domain> \
-a defaultServerList=<IP>
where:
- <root>
- the bind DN used to bind to LDAP. This is the DN of the entry
in the LDAP server that is permitted to search the directory for
user accounts and groups. Grant this DN only the read and search
permission it needs on the user and group subtrees.
- <password>
- the password for the bind DN. A password given on the command
line is visible to other users in the process list while ldapclient
runs and may be recorded in your shell history.
- <base>
- the DN of the search base. This should be one level above the
user and group entries
- <group>
- the base DN under which the group information is stored
- <domain>
- the domain name for the LDAP server
- <IP>
- the IP address of the LDAP server
For more information, refer to the ldapclient(1M)
manual page.
- Edit the PAM configuration file, /etc/pam.conf,
and add the following lines:
db2 auth requisite pam_authtok_get.so.1
db2 auth required pam_unix_cred.so.1
db2 auth sufficient pam_unix_auth.so.1
db2 auth required pam_ldap.so.1
The first column, db2, is the PAM service name that these
entries apply to; DB2 authentication requests are matched against it. With
this stack, the user ID and password are first checked against the local
password files by pam_unix_auth. Because that module is marked sufficient,
a successful local authentication ends the stack; pam_ldap is consulted
only when the user is not found locally or local authentication fails,
and because it is marked required its result then decides the outcome.
DB2
supports PAM configurations that use pam_ldap.so and pam_unix_auth.so.
Configurations that use other PAM modules might work, but are not
supported.
- Set up your Solaris system to look up users and groups through
LDAP. Find the group and passwd entries
in the /etc/nsswitch.conf file and ensure that
ldap is listed as a lookup source. Here is an example of the
group and
passwd entries:
group: files ldap
passwd: files ldap
- Configure your DB2 instance
to use transparent LDAP authentication by performing the following
steps:
- Set the DB2AUTH miscellaneous registry
variable to OSAUTHDB.
Issue the following
command as a user with
SYSADM
authority:
db2set DB2AUTH=OSAUTHDB
- Set the authentication type on the server (the AUTHENTICATION
database manager configuration parameter) to any one of the
following:
- SERVER
- SERVER_ENCRYPT
- DATA_ENCRYPT
- Ensure that you are using the default
Client
Userid-Password Plugin (clnt_pw_plugin)
, Server Userid-Password
Plugin (srvcon_pw_plugin)
and Group Plugin (group_plugin)
; that is, none of these database manager configuration
parameters should name a custom plug-in.
- Restart the DB2 instance (db2stop followed by db2start) so that
the registry and configuration changes take effect.
Note: IBMLDAPSecurity.ini is not used by
transparent LDAP. This file is used only with LDAP plug-in modules.
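As an added example (not code from the IBM page or from DB2 itself), the following POSIX shell script checks the three pieces of configuration that the procedure above produces before you restart the instance: the db2 PAM stack in /etc/pam.conf, the ldap source on the passwd and group lines of /etc/nsswitch.conf, and the AUTHENTICATION and plug-in settings in saved output of db2 get dbm cfg. The "(PARAM) = value" layout of that output is assumed, the sample files are constructed rather than captured from a host, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the IBM page: offline checks for the Solaris and
# DB2 settings that transparent LDAP authentication depends on.

# check_pam_stack FILE : true if FILE (an /etc/pam.conf) carries exactly the
# four "db2 auth" lines in the documented order. Comments and other services
# are ignored; awk normalises whitespace between fields.
check_pam_stack() {
  got=$(awk '$1=="db2" && $2=="auth" { print $3, $4 }' "$1")
  want='requisite pam_authtok_get.so.1
required pam_unix_cred.so.1
sufficient pam_unix_auth.so.1
required pam_ldap.so.1'
  [ "$got" = "$want" ]
}

# check_nsswitch FILE DATABASE : true if the DATABASE line (passwd or group)
# in FILE (an /etc/nsswitch.conf) lists ldap as a lookup source.
check_nsswitch() {
  awk -v db="$2:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# valid_authentication TYPE : true for the server authentication types that
# transparent LDAP supports.
valid_authentication() {
  case "$1" in
    SERVER|SERVER_ENCRYPT|DATA_ENCRYPT) return 0 ;;
    *) return 1 ;;
  esac
}

# cfg_value FILE PARAM : value of PARAM from saved "db2 get dbm cfg" output.
# Assumes the usual "... (PARAM) = value" layout; prints nothing if unset.
cfg_value() {
  sed -n "s/.*(${2}) *= *//p" "$1" | sed 's/[[:space:]]*$//'
}

# check_dbm_cfg FILE : AUTHENTICATION must be a supported type and the three
# plug-in parameters must be empty, i.e. the default plug-ins are in use.
check_dbm_cfg() {
  auth=$(cfg_value "$1" AUTHENTICATION)
  valid_authentication "$auth" || {
    echo "AUTHENTICATION=$auth is not supported by transparent LDAP" >&2
    return 1
  }
  for p in CLNT_PW_PLUGIN SRVCON_PW_PLUGIN GROUP_PLUGIN; do
    v=$(cfg_value "$1" "$p")
    [ -z "$v" ] || { echo "$p=$v: custom plug-in configured" >&2; return 1; }
  done
  return 0
}

# Constructed samples (not captured from a real host).
SAMPLE_PAM_CONF='# /etc/pam.conf excerpt
other auth requisite pam_authtok_get.so.1
db2 auth requisite pam_authtok_get.so.1
db2 auth required pam_unix_cred.so.1
db2 auth sufficient pam_unix_auth.so.1
db2 auth required pam_ldap.so.1'
SAMPLE_NSSWITCH='passwd: files ldap
group: files ldap
hosts: files dns'
SAMPLE_DBM_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) =
 Group Plugin                             (GROUP_PLUGIN) ='

# selftest : runs every check against the samples; returns 0 when all pass.
selftest() {
  d=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_PAM_CONF" > "$d/pam.conf"
  printf '%s\n' "$SAMPLE_NSSWITCH" > "$d/nsswitch.conf"
  printf '%s\n' "$SAMPLE_DBM_CFG" > "$d/dbm.cfg"
  rc=0
  check_pam_stack "$d/pam.conf"            || { echo "pam.conf: db2 auth stack wrong" >&2; rc=1; }
  check_nsswitch "$d/nsswitch.conf" passwd || { echo "nsswitch.conf: passwd lacks ldap" >&2; rc=1; }
  check_nsswitch "$d/nsswitch.conf" group  || { echo "nsswitch.conf: group lacks ldap" >&2; rc=1; }
  check_dbm_cfg "$d/dbm.cfg"               || rc=1
  rm -rf "$d"
  return $rc
}

# On a real host: check_pam_stack /etc/pam.conf; check_nsswitch /etc/nsswitch.conf passwd;
# db2 get dbm cfg > /tmp/dbm.cfg && check_dbm_cfg /tmp/dbm.cfg; then db2stop and db2start.
if [ "${1:-}" = "--selftest" ]; then selftest; fi
```

Run it with --selftest to exercise the checks against the embedded samples; on a Solaris host, call the functions against the real files as shown in the closing comment. The pam.conf check is deliberately strict about module order, because reordering the sufficient and required entries changes which directory wins when a user exists in both places.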