Authentication of a user is completed using a security facility outside of the DB2® database system. The security facility can be part of the operating system or a separate product.

The security facility requires two items to authenticate a user: a user ID and a password. The user ID identifies the user to the security facility. By supplying the correct password, which is known only to the user and the security facility, the user proves the identity that corresponds to that user ID.

Note: In non-root installations, operating system-based authentication must be enabled by running the db2rfe command.
After being authenticated:
- The user must be identified to DB2 using an SQL authorization name, or authid. This name can be the same as the user ID, or a mapped value. For example, on UNIX operating systems, when you are using the default security plug-in module, a DB2 authid is derived by transforming to uppercase letters a UNIX user ID that follows DB2 naming conventions.
- A list of groups to which the user belongs is obtained. Group membership may be used when authorizing the user. Groups are security facility entities that must also map to DB2 authorization names. This mapping is done in a manner similar to that used for user IDs.
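The following is an added illustration, not code from the DB2 product or this page, of the default-plug-in mapping just described: UNIX user IDs and group names are uppercased into authids, and the same transform is applied to groups. The reserved names, reserved prefixes, length limit and character set are assumptions drawn from my reading of the DB2 naming rules rather than from this page, and the sample accounts are constructed.

```python
import re

# Assumptions (not from this page): reserved names/prefixes, the byte limit and
# the character set come from my reading of the DB2 naming rules; verify them
# against the naming rules for your DB2 version.
RESERVED_NAMES = {"PUBLIC", "USERS", "ADMINS", "GUESTS", "LOCAL"}
RESERVED_PREFIXES = ("IBM", "SQL", "SYS")
MAX_AUTHID_BYTES = 128
AUTHID_PATTERN = re.compile(r"^[A-Z][A-Z0-9_@#$]*$")


def unix_id_to_authid(name: str) -> str:
    """Mirror the default plug-in mapping: uppercase the UNIX user ID (or group
    name), rejecting names that cannot become a valid DB2 authorization name."""
    authid = name.upper()
    if not AUTHID_PATTERN.match(authid):
        raise ValueError(f"{name!r}: characters not allowed in an authid")
    if len(authid.encode("utf-8")) > MAX_AUTHID_BYTES:
        raise ValueError(f"{name!r}: exceeds {MAX_AUTHID_BYTES} bytes")
    if authid in RESERVED_NAMES or authid.startswith(RESERVED_PREFIXES):
        raise ValueError(f"{name!r}: maps to reserved authid {authid}")
    return authid


def map_principals(os_users: dict):
    """os_users maps each UNIX user ID to the UNIX group names it belongs to.

    Returns (mapping, collisions):
      mapping    {user authid: sorted list of group authids}
      collisions {authid: [distinct OS names that fold onto that authid]}
    The transform only uppercases, so OS accounts that differ by case alone
    collapse onto one authid and would share its DB2 privileges; flag them.
    """
    mapping, origins = {}, {}
    for user, groups in os_users.items():
        authid = unix_id_to_authid(user)
        origins.setdefault(authid, []).append(user)
        mapping[authid] = sorted({unix_id_to_authid(g) for g in groups})
    collisions = {a: names for a, names in origins.items() if len(names) > 1}
    return mapping, collisions


if __name__ == "__main__":
    # Constructed sample: an instance owner, an analyst and a case-variant account.
    sample = {"db2inst1": ["db2iadm1", "staff"], "alice": ["staff"], "Alice": ["analysts"]}
    mapping, collisions = map_principals(sample)
    print(mapping)
    print("collisions:", collisions)
```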
The DB2 database manager uses the security facility to authenticate users in one of two ways:
- A successful security system login is used as evidence of identity, and allows:
  - Use of local commands to access local data
  - Use of remote connections when the server trusts the client authentication.
- Successful validation of a user ID and password by the security facility is used as evidence of identity and allows:
  - Use of remote connections where the server requires proof of authentication
  - Use of operations where the user wants to run a command under an identity other than the identity used for login.

Note: On some UNIX systems, the DB2 database manager can log failed password attempts with the operating system, and detect when a client has exceeded the number of allowable login tries, as specified by the LOGINRETRIES parameter.