This article describes the steps required to allow Active Directory (AD) accounts to log in to a DB2 database.
1) Stop the instance
db2stop
2) If a DB2 security plug-in was previously installed and in use, disable it by running the following commands:
db2 update dbm cfg using SRVCON_PW_PLUGIN NULL
db2 update dbm cfg using GROUP_PLUGIN NULL
db2 update dbm cfg using CLNT_PW_PLUGIN NULL
To check whether a plug-in is installed and configured, run the following commands:
db2 get dbm cfg
db2set
3) Set up the Transparent LDAP behaviour of DB2 by running the following command:
db2set DB2AUTH=OSAUTHDB
4) PAM configuration files must be set up correctly for the db2 service.
For Linux systems, making a copy of the file /etc/pam.d/sshd called /etc/pam.d/db2 might be sufficient.
Other systems should already have OTHER set up properly to handle it.
On version 4.0.3 it was necessary to add try_disauth_first to the db2 PAM configuration; when moving from 4.0.3 to 4.1 this should be removed.
5) Start the instance
db2start
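A post-configuration check for steps 2 to 4, added here as an example and not part of the original article or of the DB2 or Authentication Services products. It assumes the plug-in parameters appear in "db2 get dbm cfg" output as "(PARAM) = value" and that the PAM service file is /etc/pam.d/db2 as in step 4; the sample dbm cfg text is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a check for steps 2-4, run
# as the instance owner after db2start. The functions take command output as
# text so they also work on captured "db2 get dbm cfg" / "db2set" output.

# plugin_cleared CFG_TEXT PARAM: true when PARAM appears in the dbm cfg output
# with an empty value; db2 get dbm cfg prints "  Description (PARAM) = value"
plugin_cleared() {
    printf '%s\n' "$1" | awk -v p="($2)" '
        index($0, p) { found = 1; sub(/^.*= */, ""); if ($0 != "") bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# db2auth_is_osauthdb DB2SET_TEXT: true when db2set output has DB2AUTH=OSAUTHDB
db2auth_is_osauthdb() {
    printf '%s\n' "$1" | grep -q '^DB2AUTH=OSAUTHDB$'
}

# pam_service_present PAMDIR: true when the "db2" PAM service file exists (Linux)
pam_service_present() {
    [ -f "$1/db2" ]
}

# check_transparent_ldap CFG_TEXT DB2SET_TEXT PAMDIR: reports each setting and
# returns the number of failed checks (0 means steps 2-4 are complete)
check_transparent_ldap() {
    fails=0
    for p in SRVCON_PW_PLUGIN GROUP_PLUGIN CLNT_PW_PLUGIN; do
        if plugin_cleared "$1" "$p"; then echo "ok   $p cleared"
        else echo "FAIL $p still set (step 2)"; fails=$((fails + 1)); fi
    done
    if db2auth_is_osauthdb "$2"; then echo "ok   DB2AUTH=OSAUTHDB"
    else echo "FAIL DB2AUTH is not OSAUTHDB (step 3)"; fails=$((fails + 1)); fi
    if pam_service_present "$3"; then echo "ok   $3/db2 present"
    else echo "FAIL $3/db2 missing (step 4)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample output in the shape of the relevant dbm cfg lines
SAMPLE_CFG_OK=' Server userid-password plugin        (SRVCON_PW_PLUGIN) =
 Group plugin                         (GROUP_PLUGIN) =
 Client userid-password plugin        (CLNT_PW_PLUGIN) ='
SAMPLE_CFG_BAD=' Server userid-password plugin        (SRVCON_PW_PLUGIN) =
 Group plugin                         (GROUP_PLUGIN) = sample_old_plugin
 Client userid-password plugin        (CLNT_PW_PLUGIN) ='

# Against a live instance: read the real output instead of the samples
if command -v db2 >/dev/null 2>&1; then
    check_transparent_ldap "$(db2 get dbm cfg)" "$(db2set)" /etc/pam.d
fi
```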
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Transparent LDAP authentication in DB2 allows users to authenticate through the OS (LAM on AIX, otherwise PAM), which can then use QAS. The DB2 instructions for setting up LDAP do not need to be followed, as QAS provides that configuration when the machine is joined to AD. Enabling Transparent LDAP authentication requires setting the db2set variable DB2AUTH to OSAUTHDB, on non-AIX systems making sure the PAM service name 'db2' will be handled, and restarting the instance.
Transparent LDAP authentication is supported on AIX starting in Version 9.5 Fix Pack 4 and Version 9.7 GA. Transparent LDAP authentication is supported on Sun, HP and Linux starting in Version 9.5 Fix Pack 5 and Version 9.7 Fix Pack 1.
The only caveat with this configuration is that on AIX, any QAS users who have been added to /etc/group as local members cannot be used; they will fail with the error: SQL30060N "USERNAME" does not have the privilege to perform operation "0x2203". SQLSTATE=08004. This is due to how IBM implemented the get-groups call in their plug-in.
This is fixed in DB2 9.7 FP6 with Authentication Services 4.1.0.21650 or higher and the following vas.conf setting:
[aix_vas]
include-local-group-memberships = true
NOTE: DB2 Transparent Authentication does not work with the initial release of Authentication Services 4.1.01285; the issue is fixed in the 4.1 maintenance release. Please see this article for more details:
https://support.quest.com/kb/SOL115134
© 2025 One Identity LLC. ALL RIGHTS RESERVED.