Configuring transparent LDAP for authentication and group lookup (Linux)

In Db2® V9.7 Fix Pack 1 and later, to have the Db2 database server transparently use LDAP-based authentication on the Linux® operating system, use Pluggable Authentication Modules (PAM). Your LDAP server should already be configured to store user and group information.

Before you begin

Before attempting to configure transparent LDAP on your system, ensure that the following conditions exist:
  • An RFC 2307 compliant LDAP server is set up on your system.
  • The required client software packages and dependencies are installed on your system.
    • For RHEL 6 and 7 systems, run the following command:
      yum install openldap openldap-clients sssd sssd-client authconfig
    • For RHEL 8 systems, run the following command:
      yum install openldap openldap-clients sssd sssd-client authselect
    • For SUSE Linux Enterprise Server (SLES) 12 or 15 systems, run the following command:
      zypper install sssd-ldap sssd
    • For Ubuntu systems, run the following command:
      apt install sssd-ldap ldap-utils

About this task

The procedure configures the System Security Services Daemon (SSSD) and its associated PAM module (pam_sss) to provide authentication services to the operating system and Db2. Using SSSD is the recommended configuration.

Note: SSSD requires TLS support to be enabled at the LDAP server.

Configurations that use pam_ldap, pam_unix, pam_unix2, and pam_krb5 for authentication are also supported by Db2. Configurations using other PAM modules might work, but are unsupported. If the desired authentication method is already configured on the system, go to Db2 Authentication Configuration.

To successfully configure transparent LDAP, the following details are needed:
  • Hostname of the LDAP server
  • Port of the LDAP server (the default for LDAP over TLS is 636; if StartTLS is supported, the default is 389)
  • LDAP search base DN
  • The root certificate, or the URL to the root certificate, for the LDAP server
  • If authentication is required, the Bind DN and password
For the purposes of this procedure, the following details are used for the LDAP configuration:

  Item                   Value
  Hostname               ldap.example.com
  Port                   636 (default for LDAP over TLS)
  TLS enabled            Yes
  TLS certificate URL    http://example.com/cacombined.pem
  LDAP search base DN    ou=Anytown, o=example.com
  Authentication         Not required

Procedure

  1. Enable system LDAP authentication through SSSD. If the desired authentication method has already been configured on the system, go to step 2.
  2. Configure Db2 to use Pluggable Authentication Modules (PAM), also known as Transparent LDAP, to authenticate with the operating system.
  3. Optional: Configure any additional authentication options.
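As an added example that is not part of the Db2 documentation, the following /etc/sssd/sssd.conf carries out step 1 with the values from the table above. The domain label EXAMPLE and the local path to which the root certificate from http://example.com/cacombined.pem has been downloaded are assumptions.

```ini
# /etc/sssd/sssd.conf
# SSSD refuses to start unless this file is mode 0600 and owned by root,
# because it may hold directory credentials.
[sssd]
config_file_version = 2
services = nss, pam
# Domain label is an assumption; it only names the section below.
domains = EXAMPLE

[domain/EXAMPLE]
# Identity (user/group lookup) and authentication both come from LDAP.
id_provider = ldap
auth_provider = ldap

# Hostname and port from the table: LDAP over TLS on 636 (ldaps).
ldap_uri = ldaps://ldap.example.com:636

# Search base DN from the table, written without the space after the comma.
ldap_search_base = ou=Anytown,o=example.com

# Root certificate from the table's URL, saved locally (path is an assumption).
ldap_tls_cacert = /etc/openldap/cacerts/cacombined.pem

# Require the server certificate to validate against that root. Setting this
# to "never" or "allow" would let a spoofed LDAP server receive the passwords
# that PAM sends through SSSD; leave it at "demand".
ldap_tls_reqcert = demand

# Authentication to the directory is "Not required" in the table, so no
# ldap_default_bind_dn / ldap_default_authtok are set. Add them here (and keep
# the file mode 0600) only if the server requires a bind DN.

# Only for the port-389 StartTLS variant described above, instead of ldaps://.
# ldap_id_use_start_tls = true

# Keep offline logins working during LDAP outages; avoid full enumeration.
cache_credentials = true
enumerate = false
```

After saving, set the file to mode 0600 owned by root, enable the SSSD PAM stack with authconfig --enablesssd --enablesssdauth --update (RHEL 6 and 7) or authselect select sssd (RHEL 8), and restart sssd. Verify with getent passwd <ldap-user> before moving on to the Db2 configuration in step 2.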