The Db2U next generation operator introduces a streamlined, Kubernetes-native approach to deploying and managing Db2 and Db2 Warehouse services.
LDAP (Lightweight Directory Access Protocol) is used to integrate with external directory services for centralized user authentication and access control. To set up LDAP on Db2U Next Gen, an LDAP Settings ConfigMap must be created. Depending on how LDAP will be used, either through the GSS plugin or through SSSD, the required ConfigMap fields differ.
Before you begin
To use the GSS plugin, the following fields are required:
- ldap.conf
- IBMIAMauthldap.ini (a custom config file unique to IBM)
To use SSSD, the following are required:
- ldap.conf
- sssd.conf
- nsswitch.conf
Schema
ldap.conf, sssd.conf and nsswitch.conf are standard configuration files. Comprehensive documentation for each can be found online.
Below is the schema for the IBMIAMauthldap.ini file:
| Field name | Purpose | Required |
|---|---|---|
| LDAP_HOST | Specifies the LDAP server hostname or URI used for authentication and lookups. | Yes |
| ENABLE_SSL | Enables SSL/TLS for securing LDAP communication. | No |
| SSL_KEYFILE | Path to the SSL private key file. | No |
| SSL_PW | Password to decrypt the SSL key file. | No |
| SEARCH_DN | DN used to bind to LDAP for search operations. | No |
| SEARCH_PW | Password used with SEARCH_DN. By default the plugin uses an encrypted file containing the search password, but can be overridden with this field. | No |
| USER_BASEDN | Search base for locating user entries. | No |
| USERID_ATTRIBUTE | Attribute used for matching login names. | Yes (for user authentication) |
| AUTHID_ATTRIBUTE | Attribute used to derive the authorization ID. | Yes |
| USER_OBJECTCLASS | Object class that defines user entries. | Yes |
| GROUP_BASEDN | Base DN for locating group entries. | No |
| GROUP_OBJECTCLASS | Object class that defines group entries. | Yes (for group lookup) |
| GROUP_LOOKUP_ATTRIBUTE | Attribute listing group members. | Yes (for group lookup) |
| GROUPNAME_ATTRIBUTE | Attribute used as the group name. | Yes (for group lookup) |
| NESTED_GROUPS | Enables lookup of nested group memberships. | No |
| GROUP_LOOKUP_METHOD | Specifies how group memberships are resolved: USER_ATTRIBUTE or SEARCH_BY_DN. | Yes (for group lookup) |
| FOLLOW_REFERRALS | Enables following of LDAP referrals. | No |
| DEBUG | Sets logging level for debugging. | No |
| FIPS_MODE | Enables FIPS-compliant crypto mode. | No |
| SECURITY_PROTOCOL | Specifies allowed TLS protocol versions. | No |
| SSL_EXTN_SIGALG | Signature algorithm for TLS certificate validation. | No |
Sample ConfigMaps
Below is an example ConfigMap for setting up LDAP via the GSS plugin:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ldap-config
data:
  ldap.conf: |
    SASL_NOCANON on
    URI myldapserver:389
    BASE dc=example,dc=example
    TLS_REQCERT never
  IBMIAMauthldap.ini: |
    ;----------------------------------------------------------------------
    ; SERVER RELATED VALUES
    ;----------------------------------------------------------------------
    ; LDAP_HOST
    ; Name of your LDAP server(s).
    ; This is a space separated list of LDAP server hostnames or IP
    ; addresses, with an optional port number for each one:
    ;   host1[:port] [host2:[port2] ... ]
    ; The default port number is 389, or 636 if SSL is enabled.
    LDAP_HOST = myldapserver
    ; FIPS_MODE
    ; To set SSL encryption FIPS mode on or off.
    ; Optional; Valid values are true (on) and false (off). Defaults to
    ; true (FIPS mode on).
    FIPS_MODE = true
    ;----------------------------------------------------------------------
    ; USER RELATED VALUES
    ;----------------------------------------------------------------------
    ; USER_OBJECTCLASS
    ; LDAP object class used for users
    ; Generally "inetOrgPerson" ("user" for MSAD)
    ; internal ldap: 'posixAccount'
    USER_OBJECTCLASS = user
    ; USER_BASEDN
    ; LDAP base DN to use when searching for users.
    ; This is optional. If not specified, user searches will
    ; start at the root of the LDAP directory. Some LDAP servers (particularly
    ; MSAD) may require that you specify a value for this parameter.
    ; internal ldap: 'ou=People,dc=blustratus,dc=com'
    USER_BASEDN = cn=example
    ; USERID_ATTRIBUTE
    ; LDAP user attribute that represents the "userid"
    ; This attribute is combined with the USER_OBJECTCLASS and USER_BASEDN
    ; (if specified) to construct an LDAP search filter when a user issues
    ; a DB2 CONNECT statement with an unqualified userid.
    ; For example, using the default values in this configuration file,
    ;   db2 connect to MYDB user bob using bobpass
    ; results in the following search filter:
    ;   &(objectClass=inetOrgPerson)(uid=bob)
    ; For MSAD, this is frequently "sAMAccountName".
    ; internal ldap: 'uid'
    USERID_ATTRIBUTE = uid
    ; AUTHID_ATTRIBUTE
    ; LDAP user attribute that represents the DB2 "authorization ID"
    ; (typically this is the same as the USERID_ATTRIBUTE).
    ; Again, for MSAD this is frequently "sAMAccountName".
    ; internal ldap: 'uid'
    AUTHID_ATTRIBUTE = uid
    ;----------------------------------------------------------------------
    ; GROUP RELATED VALUES
    ;----------------------------------------------------------------------
    ; GROUP_OBJECTCLASS
    ; LDAP object class used for groups
    ; Generally "groupOfNames" or "groupOfUniqueNames" ("group" for MSAD)
    ; internal ldap: 'posixGroup'
    GROUP_OBJECTCLASS = group
    ; GROUP_BASEDN
    ; LDAP base DN to use when searching for groups
    ; This is optional. If not specified, group searches will
    ; start at the root of the LDAP directory. Some LDAP servers (MSAD)
    ; require that you specify a value for this parameter.
    ; internal ldap: 'ou=Groups,dc=blustratus,dc=com'
    GROUP_BASEDN = cn=example
    ; GROUPNAME_ATTRIBUTE
    ; LDAP group attribute that represents the name of the group
    ; internal ldap: 'cn'
    GROUPNAME_ATTRIBUTE = cn
    ; GROUP_LOOKUP_METHOD
    ; Determines the method used to find the group memberships for a user.
    ; Possible values are:
    ;   SEARCH_BY_DN   - Search for groups that list the user as a member.
    ;                    Membership is indicated by the group attribute defined
    ;                    as GROUP_LOOKUP_ATTRIBUTE (typically "member" or
    ;                    "uniqueMember").
    ;   USER_ATTRIBUTE - A user's groups are listed as attributes of the user
    ;                    object itself. Search for the user attribute defined
    ;                    as GROUP_LOOKUP_ATTRIBUTE to get the groups (typically
    ;                    "memberOf" for MSAD or "ibm-allGroups" for ITDS).
    ; Many MSAD installations use "GROUP_LOOKUP_METHOD = USER_ATTRIBUTE" and
    ; "GROUP_LOOKUP_ATTRIBUTE = memberOf".
    ; internal ldap: 'SEARCH_BY_DN'
    GROUP_LOOKUP_METHOD = SEARCH_BY_DN
    ; GROUP_LOOKUP_ATTRIBUTE
    ; Name of the attribute used to determine group membership, as described
    ; above.
    ; internal ldap: 'memberUid'
    GROUP_LOOKUP_ATTRIBUTE = memberUid
    ;----------------------------------------------------------------------
    ; MISCELLANEOUS VALUES
    ;----------------------------------------------------------------------
    ; SEARCH_DN and SEARCH_PW
    ; If your LDAP server does not support anonymous access, or if anonymous
    ; access is not sufficient when searching for users or groups, then you
    ; can define a DN and password that will be used to perform searches.
    ; Optional.
    ;
    ; MSAD does not, by default, allow anonymous search and will require
    ; a SEARCH_DN and SEARCH_PW.
    ; internal ldap:
    ;   SEARCH_DN = 'cn=bluldap,dc=blustratus,dc=com'
    ;   SEARCH_PW is created for db2credman
    SEARCH_DN = cn=db2public,dc=dlud,dc=torolab,dc=ibm,dc=com
    SEARCH_PW_STASHFILE = /mnt/blumeta0/home/db2inst1/sqllib/security64/plugin/IBM/server/IBMIAMauthpasswd.sth
```
Below is an example ConfigMap for setting up LDAP via SSSD:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ldap-config-1
  namespace: ngoperator
data:
  ldap.conf: |
    SASL_NOCANON on
    URI myldapserver:389
    BASE dc=example,dc=example
    TLS_REQCERT never
  sssd.conf: |
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = adldap, local
    debug_level = 1
    [nss]
    # List local ID/Group to prevent unnecessary LDAP search for the local accounts.
    # SSSD will perform ldap query even though a target account is local account.
    # Please add your local account which is used for frequent use like DB account,
    # otherwise, you'll have some performance decreasing.
    filter_groups = root, suer,
    filter_users = root, ibmadmin, db2inst1, dsadm
    # Disable caching for customer issue with groups being out of sync causing Db2 connection problems.
    #memcache_timeout = 0
    entry_negative_timeout = 0
    [pam]
    [domain/local]
    ldap_tls_reqcert = never
    auth_provider = ldap
    ldap_schema = myschema
    ldap_search_base = dc=example
    id_provider = ldap
    ldap_id_use_start_tls = True
    ldap_uri = ldap://localhost:50389/
    cache_credentials = True
    entry_cache_timeout = 600
    ldap_network_timeout = 3
    #debug_level = 1
    ldap_rfc2307_fallback_to_local_users = True
    ldap_opt_timeout = 60
    ldap_search_timeout = 30
    ldap_referrals = False
    override_homedir = /mnt/blumeta0/home/%u
    # Disable user caching for Spark tests that recreate lots of users.
    entry_cache_user_timeout = 0
    # Alleviate connection time problems with large groups
    ignore_group_members = True
    # Disable caching for customer issue with groups being out of sync causing Db2 connection problems.
    entry_cache_group_timeout = 0
    [domain/adldap]
    ldap_tls_reqcert = never
    auth_provider = ldap
    ldap_schema = AD
    ldap_search_base = DC=example
    id_provider = ldap
    ldap_id_use_start_tls = True
    ldap_uri = myldapserver
    cache_credentials = True
    entry_cache_timeout = 600
    ldap_network_timeout = 30
    ldap_rfc2307_fallback_to_local_users = True
    ldap_opt_timeout = 60
    ldap_search_timeout = 30
    ldap_referrals = False
    override_homedir = /mnt/blumeta0/home/%u
    entry_cache_user_timeout = 0
    ignore_group_members = True
    entry_cache_group_timeout = 0
    ldap_user_search_base = cn=example
    ldap_group_member = member
    ldap_group_name = CN
    ldap_user_name = sAMAccountName
    ldap_group_object_class = group
    ldap_user_object_class = user
    ldap_default_bind_dn = cn=example
    ldap_default_authtok = mypassword
    ldap_id_mapping = True
    override_shell = /bin/bash
    case_sensitive = False
    ldap_user_modify_timestamp = whenChanged
    ldap_group_modify_timestamp = whenChanged
  nsswitch.conf: |
    passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
    group: {if "with-files-domain":sss [SUCCESS=merge] files [SUCCESS=merge]|files [SUCCESS=merge] sss [SUCCESS=merge]} systemd {exclude if "with-custom-group"}
    netgroup: sss files {exclude if "with-custom-netgroup"}
    automount: sss files {exclude if "with-custom-automount"}
    services: sss files {exclude if "with-custom-services"}
    sudoers: files sss {include if "with-sudo"}
    subid: sss {include if "with-subid"}
```
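The following lint check over a ConfigMap's data section is added here as an illustration and is not part of this page or of IBM's operator. It enforces the file set from "Before you begin" and the required-field rules from the IBMIAMauthldap.ini schema table, and it flags the settings both sample ConfigMaps carry that should be changed before production use: TLS_REQCERT never and ldap_tls_reqcert = never (no server certificate verification), ENABLE_SSL left unset, and a bind password stored inline in ldap_default_authtok. The function names and the sample data are constructed for this example.

```python
import re

# Required ConfigMap keys per integration mode (from "Before you begin").
REQUIRED_FILES = {"gss": {"ldap.conf", "IBMIAMauthldap.ini"},
                  "sssd": {"ldap.conf", "sssd.conf", "nsswitch.conf"}}
# Field requirements taken from the IBMIAMauthldap.ini schema table.
ALWAYS_REQUIRED = ("LDAP_HOST", "USERID_ATTRIBUTE", "AUTHID_ATTRIBUTE", "USER_OBJECTCLASS")
GROUP_REQUIRED = ("GROUP_OBJECTCLASS", "GROUP_LOOKUP_ATTRIBUTE",
                  "GROUPNAME_ATTRIBUTE", "GROUP_LOOKUP_METHOD")

def parse_ini(text):
    """Parse the flat 'KEY = value' lines of IBMIAMauthldap.ini; ';' starts a comment."""
    fields = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields

def lint(mode, data):
    """Return the problems found in a ConfigMap's data section for mode 'gss' or 'sssd'."""
    problems = [f"missing ConfigMap key: {k}" for k in sorted(REQUIRED_FILES[mode] - set(data))]
    for name in ("ldap.conf", "sssd.conf"):  # both page samples disable certificate checks
        if re.search(r"^\s*(TLS_REQCERT\s+|ldap_tls_reqcert\s*=\s*)never", data.get(name, ""), re.M):
            problems.append(f"{name}: certificate verification is disabled (never)")
    if re.search(r"^\s*ldap_default_authtok\s*=", data.get("sssd.conf", ""), re.M):
        problems.append("sssd.conf: ldap_default_authtok stores the bind password in plain text")
    if mode == "gss" and "IBMIAMauthldap.ini" in data:
        ini = parse_ini(data["IBMIAMauthldap.ini"])
        problems += [f"IBMIAMauthldap.ini: required field {k} missing"
                     for k in ALWAYS_REQUIRED if k not in ini]
        if any(k.startswith("GROUP") for k in ini):  # group lookup is being configured
            problems += [f"IBMIAMauthldap.ini: {k} is required for group lookup"
                         for k in GROUP_REQUIRED if k not in ini]
        method = ini.get("GROUP_LOOKUP_METHOD")
        if method and method not in ("USER_ATTRIBUTE", "SEARCH_BY_DN"):
            problems.append(f"IBMIAMauthldap.ini: unknown GROUP_LOOKUP_METHOD {method}")
        if ini.get("ENABLE_SSL", "false").lower() != "true":
            problems.append("IBMIAMauthldap.ini: ENABLE_SSL is not true; LDAP traffic is unencrypted")
        if "SEARCH_PW" in ini:
            problems.append("IBMIAMauthldap.ini: SEARCH_PW is inline; use the encrypted stash file")
    return problems

# Constructed sample modelled on the page's GSS ConfigMap; GROUP_LOOKUP_ATTRIBUTE is left out.
SAMPLE_GSS = {
    "ldap.conf": "URI myldapserver:389\nBASE dc=example,dc=example\nTLS_REQCERT never\n",
    "IBMIAMauthldap.ini": "; SERVER RELATED VALUES\nLDAP_HOST = myldapserver\nFIPS_MODE = true\n"
    "USER_OBJECTCLASS = user\nUSERID_ATTRIBUTE = uid\nAUTHID_ATTRIBUTE = uid\n"
    "GROUP_OBJECTCLASS = group\nGROUPNAME_ATTRIBUTE = cn\nGROUP_LOOKUP_METHOD = SEARCH_BY_DN\n"}
```

Running `lint("gss", SAMPLE_GSS)` reports three findings: the disabled certificate check, the missing GROUP_LOOKUP_ATTRIBUTE, and ENABLE_SSL not being set.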
Document Information
Modified date: 05 November 2025
UID: ibm17248285