Managing Db2 users with LDAP on a Red Hat OpenShift cluster

You can use the optional LDAP service that's included as part of the Db2® for Red Hat® OpenShift® offering to add and manage users for your Db2 instance.

Note: You must enable the LDAP service option in the db2u_install script before running it on your Red Hat OpenShift cluster; otherwise the user-management scripts described here are not available in your deployment.

Adding Db2 Users

  1. Run the following commands to set up a terminal session with the tools pod. Set the variables PROJECT (the OpenShift project Db2 is deployed in) and RELEASE_NAME (the Db2 release name) accordingly. The grep pattern is anchored on the release prefix so that a release whose name is a suffix of another (for example db2 and mydb2) does not match two pods:
    PROJECT="" 
    RELEASE_NAME="" 
    tools_pod=$(oc get po -n ${PROJECT} -o name | grep "^pod/${RELEASE_NAME}-db2u-tools-")
  2. Run the script addLdapUser.py to add an LDAP user. If the -p argument is omitted, the script prompts for the password. Prefer the prompt: a password passed with -p is visible in your shell history and, while the command runs, in the process list of the machine you run oc from.
    oc rsh -n ${PROJECT} ${tools_pod} addLdapUser.py

    Usage: addLdapUser.py [-h] -u USERNAME [-p PASSWORD] -r {admin,user}

    Arguments include:
    • -h, --help displays the help message and exits
    • -u USERNAME, --username USERNAME defines the username for the new LDAP user (default: None)
    • -p PASSWORD, --password PASSWORD defines the password for the new LDAP user (default: prompt if not specified)
    • -r {admin,user}, --roletype {admin,user} defines the role for the new LDAP user, either admin or user (default: None)
  3. Verify the newly created LDAP user ID and credential by following these steps:
    1. Exit from the tools pod.
      exit
    2. Log in to the Db2 engine pod, ${RELEASE_NAME}-db2u-0 (db2u-deployment-db2u-0 in this example).
      oc rsh -n ${PROJECT} db2u-deployment-db2u-0 /bin/bash
    3. Verify that the new LDAP user resolves on the Db2 pod (the uid and gid reported come from LDAP).
      id ldap_user
    4. Switch to the Db2 instance owner.
      su - db2inst1
    5. Connect to a database by using the newly created LDAP user ID. If you omit the using clause, db2 prompts for the password instead of recording it in the shell history:
      db2 connect to bludb user ldap_user using ldap_password
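The three steps above, wrapped in one POSIX shell script as an added example (this is not code from the IBM Db2 documentation or from the Db2 tools pod). It assumes the pod naming used on this page, <release>-db2u-tools-<hash> for the tools pod and <release>-db2u-0 for the engine pod, and the database name bludb; PROJECT and RELEASE_NAME are read from the environment. The selection helper fixes a weakness of the plain grep on the page: a substring match on ${RELEASE_NAME}-db2u-tools can return two pods when one release name is a suffix of another, and oc rsh then fails with a confusing error. The same wrapper pattern applies unchanged to changePassword.py and removeLdapUser.py.

```shell
#!/bin/sh
# Added example, not part of the IBM Db2 documentation: wraps the procedure
# above (locate the tools pod, add the LDAP user, verify it on the engine pod).
# Assumptions: pods are named <release>-db2u-tools-<hash> and <release>-db2u-0,
# the database is bludb, and PROJECT / RELEASE_NAME are set in the environment.
set -eu

# Select exactly one tools pod from `oc get po -n "$PROJECT" -o name` output
# read on stdin. A plain `grep ${RELEASE_NAME}-db2u-tools` is a substring
# match, so release "db2" also matches "pod/mydb2-db2u-tools-...". Anchor on
# the release prefix and refuse to continue unless exactly one pod matches.
select_tools_pod() {
    release=$1
    found=""
    while IFS= read -r line; do
        case $line in
            "pod/${release}-db2u-tools-"*)
                if [ -n "$found" ]; then
                    echo "error: more than one tools pod for release '${release}'" >&2
                    return 1
                fi
                found=$line
                ;;
        esac
    done
    if [ -z "$found" ]; then
        echo "error: no tools pod found for release '${release}'" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# addLdapUser.py accepts only -r admin or -r user; reject anything else
# locally instead of making a round trip to the cluster.
check_role() {
    case $1 in
        admin|user) return 0 ;;
        *)
            echo "error: role must be 'admin' or 'user', got '$1'" >&2
            return 1
            ;;
    esac
}

main() {
    : "${PROJECT:?set PROJECT to the OpenShift project}"
    : "${RELEASE_NAME:?set RELEASE_NAME to the Db2 release name}"
    user=${1:?usage: $0 USERNAME admin|user}
    role=${2:?usage: $0 USERNAME admin|user}
    check_role "$role"

    tools_pod=$(oc get po -n "$PROJECT" -o name | select_tools_pod "$RELEASE_NAME")

    # No -p on purpose: let addLdapUser.py prompt, so the password never
    # appears in shell history or in `ps` output as a command-line argument.
    oc rsh -n "$PROJECT" "$tools_pod" addLdapUser.py -u "$user" -r "$role"

    # Verification step from the page: the new user must resolve on the
    # engine pod, which is where Db2 authenticates connections.
    oc exec -n "$PROJECT" "${RELEASE_NAME}-db2u-0" -- id "$user"

    echo "User '$user' created. As db2inst1 on ${RELEASE_NAME}-db2u-0, test with:"
    echo "  db2 connect to bludb user $user      # db2 prompts for the password"
}

# Only talk to the cluster when explicitly asked, so the helper functions
# can be sourced and exercised without an OpenShift login.
if [ "${DB2_LDAP_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Usage: `DB2_LDAP_RUN=1 PROJECT=db2 RELEASE_NAME=db2u-deployment sh add_user.sh alice user`. The script stops before any cluster call if the role is invalid, and stops before `oc rsh` if zero or more than one tools pod matches the release.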

Changing a Db2 user's password

You can change the password of an existing LDAP user by running the script changePassword.py. If -cp or -np is omitted, the script prompts for that value; prefer the prompts, because passwords given as arguments are recorded in your shell history and visible in the process list while the command runs.
 oc rsh -n ${PROJECT} ${tools_pod} changePassword.py

Usage: changePassword.py [-h] -u USERNAME [-cp CURRENTPASSWORD] [-np NEWPASSWORD]

Arguments include:
  • -h, --help displays the help message and exits
  • -u USERNAME, --username USERNAME defines the username of the existing LDAP user (default: None)
  • -cp CURRENTPASSWORD, --currentpassword CURRENTPASSWORD defines the current password for the LDAP user (default: prompt if not specified)
  • -np NEWPASSWORD, --newpassword NEWPASSWORD defines the new password for the LDAP user (default: prompt if not specified)

Deleting a Db2 user

You can delete an existing LDAP user by running the script removeLdapUser.py.
 oc rsh -n ${PROJECT} ${tools_pod} removeLdapUser.py

Usage: removeLdapUser.py [-h] -u USERNAME

Arguments include:
  • -h, --help displays the help message and exits
  • -u USERNAME, --username USERNAME defines the username for the LDAP user to be removed (default: None)