Configure LDAP Group Information

Three sets of LDAP groups are involved in user authorization of IBM® Db2® Data Management Console. Each set of groups is assigned a role in the console (admin role, DBA role or user role). For example, if an LDAP user is a member of an LDAP group and that group is assigned the admin role, then this user is assigned an administrator role in the console. A user cannot log in to the console if no role is assigned to the user.

At least one group must be provided for the admin role. Groups for the other roles are optional. Nested groups are not supported. The stored members of these groups contain information about user entries.

Group DN:

The full DN value of a group must be provided. Partial DNs, RDNs and RDN values are not supported. IBM Db2 Data Management Console must be able to find the group entries in LDAP directly through their DN values, not through LDAP search operations or through attribute values of other LDAP entries such as nested groups.

Refer to the task 'Requirements of LDAP DN Value' for the restrictions on LDAP DN values in IBM Db2 Data Management Console.

The most common object classes of LDAP entries used as groups are 'groupOfNames', 'groupOfUniqueNames' and 'posixGroup'. A customized group schema must fulfill the requirement that the groups contain information about users directly and that the values of group members are not duplicated.

Member attribute type:

Any LDAP entry that is used as a group must have a specific attribute type that stores information about the LDAP user entries that are its members. The value of the field 'member attribute type' should be the type (also called the attribute description) of this attribute. For example, 'member' for 'groupOfNames', 'uniqueMember' for 'groupOfUniqueNames' and 'memberUid' for 'posixGroup'.

User ID attribute type:

The values stored as member attribute values in an LDAP group must be information that can be used to find the real user entries defined as members of the group in LDAP. Usually this value is the full DN value of the user entry, or one of the attributes of the user entry whose value is unique. IBM Db2 Data Management Console does not support storing customized values in the group member attribute, storing partial DNs or RDNs in the group member attribute, or storing non-unique or multi-valued attribute values of the user entry in the group member attribute.

The value of the configuration field 'user ID attribute type' should be 'DN' if a group stores the full DN values of users in its member attribute; otherwise it should be the real type (also called the attribute description) of the user entry attribute that is stored in the group's member attribute. For example, the attribute types 'member' and 'uniqueMember' store normalized full DN values of user entries, and the attribute type 'memberUid' should contain the 'uid' values of user entries.

Although the syntax of the values of a group member attribute is exactly defined by its schema, the relationship between a group entry and the user entries that are its members is very loose. The group member attribute can store values of a type totally different from what the schema defines. It can contain attributes that user entries do not have. It can contain values of non-existing user entries. It is strongly recommended to check the values of the member attribute of the groups before configuration. A one-to-one correspondence should hold between group member values and LDAP user entries. Values of group members should be the normalized full DN values of user entries, or an attribute that all user entries hold. All group members should store the same type of value, and it should be the type exactly defined by the schema. The stored values of group members should be exactly the same as the real values of the user entries.

When IBM Db2 Data Management Console checks whether a user account is a member of an LDAP group, the equality matching rule is defined by the schema of the attribute used to store group members.
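The following added example (not part of this documentation and not the console's own code) shows the pre-configuration check recommended above and the membership test it supports: for a given 'member attribute type' and 'user ID attribute type' ('DN' or an attribute such as 'uid'), every group member value must resolve to exactly one user entry, with no duplicates. The directory contents, DNs and attribute values are constructed for illustration; the DN normalization is a simplified stand-in for the real equality matching rule.

```python
# Constructed sample directory (not a real server): DN -> attribute values, as an LDAP search would return them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=dmc-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com", "UID=Bob, ou=people,dc=example,dc=com"],
    },
    "cn=dmc-dbas,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "carol", "alice"],  # carol has no user entry; alice is duplicated
    },
}

def normalize_dn(dn):
    """Simplified DN normalization (trim spaces around RDNs, case-fold); real matching follows RFC 4517."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def find_users(directory, user_id_attr, value):
    """DNs of user entries that a member value points to under the configured 'user ID attribute type'."""
    if user_id_attr == "DN":
        want = normalize_dn(value)
        return [dn for dn in directory if normalize_dn(dn) == want]
    return [dn for dn, attrs in directory.items() if value in attrs.get(user_id_attr, [])]

def check_group(directory, group_dn, member_attr, user_id_attr):
    """Pre-configuration check: each member value must map to exactly one user entry, with no duplicates."""
    group = directory.get(group_dn)  # groups must be reachable directly by their full DN, no search
    if group is None:
        return [f"group not found by DN: {group_dn}"]
    problems, seen = [], set()
    values = group.get(member_attr, [])
    if not values:
        problems.append(f"attribute '{member_attr}' missing or empty")
    for value in values:
        key = normalize_dn(value) if user_id_attr == "DN" else value
        if key in seen:
            problems.append(f"duplicate member value: {value}")
        elif len(find_users(directory, user_id_attr, value)) != 1:
            problems.append(f"member value '{value}' does not match exactly one user entry")
        seen.add(key)
    return problems

def is_member(directory, user_dn, group_dn, member_attr, user_id_attr):
    """Membership test at login: does any member value of the group resolve to this user's entry?"""
    return any(normalize_dn(user_dn) == normalize_dn(dn)
               for value in directory.get(group_dn, {}).get(member_attr, [])
               for dn in find_users(directory, user_id_attr, value))
```

Running check_group against each configured group before saving the console configuration surfaces exactly the mismatches described above (missing users, duplicated values, a wrong member attribute type) before they silently lock a user out of a role.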