I wrote this as a checklist of what needs doing to get LDAP working for DB2 on SuSE Linux installations, as the IBM Boulder site provides several contradictory installation processes. Hopefully this will help someone else and save them the time that I wasted trawling the IBM site for the correct answer:
This list is mainly focused on the 8-character user name limit in DB2 LUW (which is, I guess, the only reason you might want to use the security plugins instead, as they let user names longer than 8 characters authenticate against DB2).
What I ended up doing, with the help of the LDAP admin, was creating an LDAP alias of 8 characters for each user, as the transparent LDAP (for me) seemed to work better than the security plugin approach.
Here goes:
install nss_ldap-32bit-262-11.16.x86_64.rpm, nss_ldap-262-11.16.x86_64.rpm, pam_ldap-32bit-184-147.20.x86_64.rpm and pam_ldap-184-147.20.x86_64.rpm
edit /etc/ldap.conf to contain the necessary config for the BASE DN and BIND DN of the LDAP server. Note that the sample below uses "ssl no" and "tls_checkpeer no", so the bind DN password and every user password cross the network in cleartext and the server's certificate is never verified; on anything other than a test box use "ssl start_tls" with "tls_checkpeer yes" and a "tls_cacertfile" pointing at the CA certificate.
host
base dc=ldapserver,dc=ldapserverdomain,dc=ldapserver.co.uk
bind_policy soft
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
tls_checkpeer no
create /etc/pam.d/db2, readable and writable by root only (chmod 600), and
enter following:
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix2.so
account sufficient pam_ldap.so
account required pam_unix2.so
password required pam_pwcheck.so
password sufficient pam_ldap.so use_first_pass
password required pam_unix2.so use_authtok use_first_pass
session required pam_unix2.so
use the YaST LDAP client screen to restart the proper processes, or do it from the command line with "yast ldap pam disable" followed by "yast ldap pam enable".
check that the LDAP users now appear in the db2cc (Control Center) user list.
add a user to the preferred database and exit
db2set DB2AUTH=OSAUTHDB (then db2stop and db2start, as registry variables only take effect after an instance restart)
login as an ‘LDAP user’ to server
export DB2DIR=/opt/ibm/db2/V9.7
export DB2INSTANCE=db2inst1 (or whatever your instance is called)
unset USERNAME
source /home//sqllib/db2profile
db2 connect to TOOLSDB
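Before trying the connect it is worth checking the three things that most often go wrong with the transparent-LDAP steps above: that the user name fits DB2's 8-character limit (the reason for the aliases), that /etc/ldap.conf is not leaking passwords in the clear, and that /etc/pam.d/db2 really is root-only. The script below is an added example, not code from the original post; it assumes the PADL-style ldap.conf keywords used in the sample (ssl, tls_checkpeer, tls_cacertfile), GNU or BSD stat, and runs its demonstration on constructed files rather than the post's real hosts.

```shell
#!/bin/sh
# Pre-flight checks for the transparent-LDAP DB2 setup. Added example, not
# part of the original post. Assumptions: PADL-style /etc/ldap.conf keywords
# (ssl, tls_checkpeer), an 8-character DB2 user name limit, GNU or BSD stat.

DB2_MAX_USER_LEN=8

# Print the value of keyword $2 in ldap.conf $1 (last occurrence wins).
ldap_conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# 0 if ssl is start_tls/on/yes and tls_checkpeer is yes; 1 (with the reason
# on stderr) if binds go out in cleartext or the server cert is unverified.
check_ldap_conf_tls() {
    f="$1"; rc=0
    ssl=$(ldap_conf_value "$f" ssl)
    case "$ssl" in
        start_tls|on|yes) ;;
        *) echo "$f: 'ssl ${ssl:-unset}': bind and user passwords cross the wire in cleartext" >&2; rc=1 ;;
    esac
    if [ "$(ldap_conf_value "$f" tls_checkpeer)" != "yes" ]; then
        echo "$f: tls_checkpeer is not 'yes': the LDAP server certificate is never verified" >&2
        rc=1
    fi
    return $rc
}

# 0 if the user name fits DB2's limit, 1 if it needs an 8-character alias.
check_user_length() {
    if [ ${#1} -gt "$DB2_MAX_USER_LEN" ]; then
        echo "user '$1' is ${#1} chars; DB2 LUW accepts at most $DB2_MAX_USER_LEN" >&2
        return 1
    fi
    return 0
}

# 0 if the user fits the limit and resolves through NSS (nss_ldap wired in).
check_db2_user() {
    check_user_length "$1" || return 1
    getent passwd "$1" >/dev/null 2>&1 && return 0
    echo "getent cannot resolve '$1'; nss_ldap is not serving this user" >&2
    return 1
}

# 0 if the PAM service file (default /etc/pam.d/db2) is mode 600 or 400.
check_pam_mode() {
    f="${1:-/etc/pam.d/db2}"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f is mode $mode; make it root read/write only (chmod 600)" >&2; return 1 ;;
    esac
}

# Demonstration on constructed files, not the post's real LDAP server or users.
demo() {
    tmp=$(mktemp -d)
    # The post's settings: cleartext LDAP, no certificate check.
    printf 'base dc=example,dc=com\nssl no\nldap_version 3\ntls_checkpeer no\n' > "$tmp/ldap.conf.post"
    # Hardened equivalent (CA file path is a placeholder).
    printf 'base dc=example,dc=com\nssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/ldap-ca.pem\nldap_version 3\n' > "$tmp/ldap.conf.hardened"
    for f in "$tmp/ldap.conf.post" "$tmp/ldap.conf.hardened"; do
        if check_ldap_conf_tls "$f"; then echo "$f: transport ok"; fi
    done
    for u in db2inst1 johnsmith; do
        if check_user_length "$u"; then echo "$u: fits the DB2 limit"; fi
    done
    touch "$tmp/pam-db2"; chmod 644 "$tmp/pam-db2"
    check_pam_mode "$tmp/pam-db2" || chmod 600 "$tmp/pam-db2"
    check_pam_mode "$tmp/pam-db2" && echo "$tmp/pam-db2: permissions ok"
    rm -rf "$tmp"
}

demo
```

On the real box, run check_db2_user against each LDAP user you expect to connect and check_pam_mode with no argument; a user that fails the length check is exactly one that needs an alias per the approach above.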
#### NEXT PART IS ONLY IF YOU OPT TO USE THE SECURITY PLUGIN APPROACH INSTEAD OF THE TRANSPARENT LOGIN, ETC. ####
copy /opt/ibm/db2/version/cfg/IBMLDAPSecurity.ini to /home/db2inst1/sqllib/cfg
db2 update dbm cfg using diaglevel 4 (maximum diagnostic verbosity, useful while getting the plugin working; set it back to the default of 3 afterwards)
db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver
db2stop force (followed by db2start, so the instance loads the new plugin)
***PASTE the IBMLDAPSecurity.ini here ****
;----------------------------------------------------------------------
; Licensed Materials - Property of IBM
;
; Governed under the terms of the International
; License Agreement for Non-Warranted Sample Code.
;
; (C) COPYRIGHT International Business Machines Corp. 2006
; All Rights Reserved.
;
; US Government Users Restricted Rights - Use, duplication or
; disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
;----------------------------------------------------------------------
;
; Sample configuration file for the IBM DB2 LDAP Security Plugin
;
; The default name and location for this file is
; UNIX: INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
; Windows: