IBM Support

IC80417: TRANSPARENT LDAP WITH VAS ON AIX, GETGRSET MAY RETURN A GROUP ID THAT GETGRID FAILS TO RETRIEVE FULL GROUP INFORMATION FOR

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • DB2 Transparent LDAP on AIX makes use of the operating system
    functions 'getgrset' and 'getgrid' to gather a DB2 user's group
    membership information. 'getgrset' will return a list of group
    IDs to which a user belongs. 'getgrid' will return the full
    group information, such as the group name. The group information
    is used by DB2 to determine the user's database privileges.
    When the functions 'getgrset' and 'getgrid' fail, DB2 may not be
    able to obtain the full group membership and as a consequence,
    DB2 may not recognize the database privileges the User has been
    granted via group membership.
    
    With LAM customers can install third party modules, like the
    ones provided by VAS, that allow customizing of the behaviour of
    the functions 'getgrset' and 'getgrid'.  When the VAS LAM is
    installed, the 'getgrset' function may return a group ID which
    the 'getgrid' function will fail to retrieve the full group
    information for.
    
    DB2 was never officially tested with VAS LAM and hence can not
    claim support.  However, in the interest of our customers, we
    will be adding code to workaround the problem described in this
    APAR.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * DB2 Transparent LDAP Users                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * DB2 Transparent LDAP on AIX makes use of the operating       *
    * system                                                       *
    * functions getgrset and getgrid to gather a DB2 user's group  *
    * membership information.  getgrset will return a list of      *
    * group                                                        *
    * IDs to which a user belongs to.  getgrid will return the     *
    * full                                                         *
    * group information, such as the group name, given the group   *
    * ID.                                                          *
    * The group information is used by DB2 to determine the user's *
    * database privileges.  When the functions getgrset and        *
    * getgrid                                                      *
    * fail, DB2 may not be able to obtain the full group           *
    * membership                                                   *
    * and as a consequence, DB2 users will lose database           *
    * privileges                                                   *
    * to which they have been granted.                             *
    *                                                              *
    * With LAM, customers can install third party modules, like    *
    * the                                                          *
    * ones provided by VAS, that allow customizing the behaviour   *
    * of                                                           *
    * the functions getgrset and getgrid.  When the VAS LAM is     *
    * installed, the getgrset function may return a group ID which *
    * the                                                          *
    * getgrid function will fail to retrieve the full group        *
    * information for.                                             *
    *                                                              *
    * DB2 was never officially tested with VAS LAM and hence can   *
    * not                                                          *
    * claim support.  However, in the interest of our customers,   *
    * we                                                           *
    * will be adding code to workaround the problem described in   *
    * this                                                         *
    * APAR.                                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 V9.7 FP6                                      *
    ****************************************************************
    

Problem conclusion

  • Problem First Fixed in DB2 Version 9.7 Fix Pack 6
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC80417

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-12-14

  • Closed date

    2012-07-11

  • Last modified date

    2012-07-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC84268 IC88082

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
11 July 2012