Matt Palmer's DB2 LDAP configuration on Linux


I wrote this, which is basically a checklist of what needs doing to get LDAP working for DB2 on SuSE Linux installations, as the IBM Boulder site provides several contradictory installation processes. Hopefully this will help someone else and save them the time that I wasted trawling the IBM site for the correct answer:

This list is mainly focused on the 8-character username limit in DB2 LUW (Linux, UNIX and Windows), which is, I guess, the only reason you might want to use the security plugins instead, as they allow you to authenticate against DB2 with usernames longer than 8 characters.

What I ended up doing, with the help of the LDAP admin, was creating an 8-character LDAP alias for each user, as transparent LDAP (for me) seemed to work better than the security plugin approach.
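As an added example (not part of the original post), the POSIX sh script below works out which LDAP uids break the 8-character limit and proposes an alias for each, which is the list the alias-per-user approach above needs to hand to the LDAP admin; it does not touch the directory itself. The username rules it enforces (lowercase letters, digits, underscore and hyphen, not starting with a digit or hyphen, at most 8 characters), the alias scheme (truncate to 8, else first 6 characters plus a two-digit counter) and the sample uids are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: propose 8-character DB2
# login aliases for LDAP uids that are too long for DB2 LUW OS
# authentication, without colliding with uids that already fit.

# Accept a name for DB2 OS authentication on Linux: 1-8 characters from
# [a-z0-9_-], not starting with a digit or hyphen. The character set is an
# assumption for this example; the 8-character limit is the page's point.
db2_name_ok() {
    case "$1" in
        '' | [0-9-]* | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# True if "$1" appears in the space-separated list "$2".
taken_has() {
    list=" $2 "
    [ "${list#* $1 }" != "$list" ]
}

# Print an alias for uid $1 that is not in the taken list $2: the uid cut
# to 8 characters, or, if that is taken, its first 6 characters plus a
# two-digit counter (01..99). Returns 1 if nothing is free.
db2_alias() {
    cand=$(printf '%s' "$1" | cut -c1-8)
    if db2_name_ok "$cand" && ! taken_has "$cand" "$2"; then
        printf '%s\n' "$cand"
        return 0
    fi
    stem=$(printf '%s' "$1" | cut -c1-6)
    i=1
    while [ "$i" -le 99 ]; do
        cand=$(printf '%s%02d' "$stem" "$i")
        if db2_name_ok "$cand" && ! taken_has "$cand" "$2"; then
            printf '%s\n' "$cand"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Given newline-separated uids, print "uid alias" lines. Uids that already
# fit are reserved first, so a truncated long uid can never shadow a real
# short one (matthewpalmer must not become matthewp if that uid exists).
plan_aliases() {
    taken=""
    for uid in $1; do
        db2_name_ok "$uid" && taken="$taken $uid"
    done
    for uid in $1; do
        if db2_name_ok "$uid"; then
            name=$uid
        else
            name=$(db2_alias "$uid" "$taken") || {
                printf 'no free alias for %s\n' "$uid" >&2
                return 1
            }
            taken="$taken $name"
        fi
        printf '%s %s\n' "$uid" "$name"
    done
}

# Constructed sample uids, not taken from any real directory.
SAMPLE_UIDS='matthewpalmer
matthewp
db2inst1
christopherjones
christopherjenkins
anna'

# Usage: plan_aliases "$SAMPLE_UIDS"
# (or feed it the uid column of an ldapsearch over your user base)
```

On the sample, matthewpalmer becomes matthe01 because the real 8-character uid matthewp is reserved first, christopherjones keeps its truncation christop, and christopherjenkins, whose truncation collides with it, gets christ01.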

Here goes:

Install nss_ldap-32bit-262-11.16.x86_64.rpm, nss_ldap-262-11.16.x86_64.rpm, pam_ldap-32bit-184-147.20.x86_64.rpm and pam_ldap-184-147.20.x86_64.rpm.

Edit /etc/ldap.conf to contain the necessary config for the BASE DN and BIND DN of the LDAP server:

# host: the LDAP server name or address (not given here)
host
base dc=ldapserver,dc=ldapserverdomain,dc=ldapserver.co.uk
bind_policy soft
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
# With "ssl no" and "tls_checkpeer no" the bind password and every user's
# password cross the network in cleartext and no server certificate is
# checked. Once the CA certificate is on the box, prefer:
#   ssl start_tls
#   tls_checkpeer yes
#   tls_cacertfile /path/to/ca.pem
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
tls_checkpeer no

Create /etc/pam.d/db2, readable and writable by root only (mode 600), and enter the following:

# LDAP is tried first and is sufficient: a user LDAP accepts never reaches
# pam_unix2; a user LDAP rejects (or cannot check) must pass the local check.
auth     sufficient pam_ldap.so    use_first_pass
auth     required   pam_unix2.so
account  sufficient pam_ldap.so
account  required   pam_unix2.so
password required   pam_pwcheck.so
password sufficient pam_ldap.so    use_first_pass
password required   pam_unix2.so   use_authtok use_first_pass
session  required   pam_unix2.so

Use the YaST LDAP client screen to restart all the relevant processes, or do the same from the command line:

yast ldap pam disable
yast ldap pam enable

Check for the presence of LDAP users in the db2cc (DB2 Control Center) user list.
Add a user to the preferred database and exit.

db2set DB2AUTH=OSAUTHDB

Then log in to the server as an 'LDAP user' and:

export DB2DIR=/opt/ibm/db2/V9.7
export DB2INSTANCE=db2inst1   # or other instance name
unset USERNAME
source /home//sqllib/db2profile

db2 connect to TOOLSDB
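Before pointing DB2 at them, it is worth auditing the two files the steps above create. The POSIX sh functions below are an added example, not part of the original post: they flag the cleartext settings in /etc/ldap.conf (ssl no, tls_checkpeer no, a bindpw sitting in the world-readable file) and check that /etc/pam.d/db2 is root-owned, mode 600, and actually names pam_ldap.so. File paths are passed as arguments, and GNU stat -c (what SuSE ships) is assumed.

```sh
#!/bin/sh
# Added example, not from the original post: audit /etc/ldap.conf and
# /etc/pam.d/db2 as created by the checklist. Typical use:
#   . ./db2-ldap-audit.sh
#   audit_ldap_conf /etc/ldap.conf
#   pam_file_ok /etc/pam.d/db2

# Print one WARN line per missing or risky nss_ldap/pam_ldap setting in
# the ldap.conf given as $1. Returns 0 if nothing was flagged, 1 otherwise.
audit_ldap_conf() {
    conf=$1
    n=0
    # Drop comments and blank lines once; every check greps this copy.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    warn() { printf 'WARN %s: %s\n' "$conf" "$1"; n=$((n + 1)); }

    # host and base must be present with a value (the page leaves host blank).
    for key in host base; do
        has "^[[:space:]]*$key[[:space:]]+[^[:space:]]" \
            || warn "'$key' is missing or has no value"
    done
    if has '^[[:space:]]*ssl[[:space:]]+(no|off)'; then
        warn "'ssl no': the bind password and every user's password cross the network in cleartext; use 'ssl start_tls' (or 'ssl on')"
    fi
    if has '^[[:space:]]*tls_checkpeer[[:space:]]+no'; then
        warn "'tls_checkpeer no': the server certificate is never verified, so TLS would not stop a man-in-the-middle"
    fi
    if has '^[[:space:]]*bindpw[[:space:]]'; then
        warn "'bindpw' sits in a world-readable file; use rootbinddn with the password in /etc/ldap.secret (mode 600)"
    fi
    [ "$n" -eq 0 ]
}

# /etc/pam.d/db2 decides who DB2 lets in, so it must belong to root, be
# readable/writable by root only (600; 400 also passes) and contain the
# pam_ldap.so auth line. Returns 0 when all of that holds.
pam_file_ok() {
    f=$1
    [ -f "$f" ] || { printf 'WARN %s: missing\n' "$f"; return 1; }
    owner=$(stat -c %U "$f")
    mode=$(stat -c %a "$f")
    ok=0
    [ "$owner" = root ] || { printf 'WARN %s: owned by %s, not root\n' "$f" "$owner"; ok=1; }
    case "$mode" in
        600|400) ;;
        *) printf 'WARN %s: mode %s, expected 600\n' "$f" "$mode"; ok=1 ;;
    esac
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_ldap\.so' "$f" \
        || { printf 'WARN %s: no auth line for pam_ldap.so, LDAP users fall through to pam_unix2\n' "$f"; ok=1; }
    return "$ok"
}
```

Run against the ldap.conf shown above, audit_ldap_conf reports the empty host line plus the two cleartext settings; once ssl start_tls and tls_checkpeer yes are in place it returns 0 and prints nothing.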

#### NEXT PART IS ONLY IF YOU OPT TO USE THE SECURITY PLUGIN APPROACH INSTEAD OF THE TRANSPARENT LOGIN, ETC. ####

Copy /opt/ibm/db2/version/cfg/IBMLDAPSecurity.ini to /home/db2inst1/sqllib/cfg

db2 update dbm cfg using diaglevel 4

(diaglevel 4 logs everything, which is useful while the plugin is being debugged; turn it back down afterwards)

db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver

db2stop force

*** PASTE the IBMLDAPSecurity.ini here ***

;----------------------------------------------------------------------
; Licensed Materials - Property of IBM
;
; Governed under the terms of the International
; License Agreement for Non-Warranted Sample Code.
;
; (C) COPYRIGHT International Business Machines Corp. 2006
; All Rights Reserved.
;
; US Government Users Restricted Rights - Use, duplication or
; disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
;----------------------------------------------------------------------
;
; Sample configuration file for the IBM DB2 LDAP Security Plugin
;
; The default name and location for this file is
;   UNIX:    INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
;   Windows: