DB2 v8 used LDAP User Id/Password on Connect

Terry Miller - 16 Feb 2006 17:58 GMT
I have DB2 V8.2 loaded on a Redhat Enterprise Linux version 3 (RHEL 3) box.
RHEL is configured to talk to LDAP for authentication besides the local
passwd file.  I can verify this by executing an su to a User Id that exists
in LDAP and not in the local /etc/passwd file.  Also verified that the
connection to LDAP is working by ssh into the box.

The problem I have is when I try to connect to a local DB2 Database using a
User Id and Password in LDAP, I get the following error:  
SQL30082N Attempt to establish connection failed with security reason
"24" ("USERNAME AND/OR PASSWORD INVALID") SQLSTATE=08001

The connection works if I connect to the database using a local User ID and
Password on the box, but does not work if I use an LDAP User Id and
Password.  I know RHEL3 is talking to LDAP because I can su, ssh, etc to
userids that are in LDAP.

How do I configure DB2 to work with User Ids and Passwords in LDAP?
It appears that it is only using the local /etc/passwd file.

I have checked the various /etc/pamd.d files and they appear correct.

Thanks for any help.
Larry - 17 Feb 2006 00:36 GMT
> I have DB2 V8.2 loaded on a Redhat Enterprise Linux version 3 (RHEL 3) box.
> RHEL is configured to talk to LDAP for authentication besides the local
[quoted text clipped - 18 lines]
>
> Thanks for any help.

In order to get LDAP support in DB2 UDB you must be on at least 8.2 and
you must code a PIM exit. See

http://www-128.ibm.com/developerworks/db2/library/techarticle/dm-0512chong/

Larry Edelstein
Terry Miller - 17 Feb 2006 22:15 GMT
>> I have DB2 V8.2 loaded on a Redhat Enterprise Linux version 3 (RHEL 3)
>> box. RHEL is configured to talk to LDAP for authentication besides the
[quoted text clipped - 23 lines]
> In order to get LDAP support in DB2 UDB you must be on at least 8.2 and
> you must code a PIM exit. See
>
> http://www-128.ibm.com/developerworks/db2/library/techarticle/dm-0512chong/
>
> Larry Edelstein

Thanks for the response, I have one more question.

I am running DB2 V8.2.3.  Even though the underlying operating system is
configured and talking to LDAP, DB2 still requires that I code a plug-in
module to authenticate against LDAP?

I assumed since the OS was configured and talking to LDAP and DB2 uses the
underlying OS for authentication that it would work.

Terry
Larry - 18 Feb 2006 04:13 GMT
>>>I have DB2 V8.2 loaded on a Redhat Enterprise Linux version 3 (RHEL 3)
>>>box. RHEL is configured to talk to LDAP for authentication besides the
[quoted text clipped - 38 lines]
>
> Terry
Terry, perhaps someone from the lab can comment on this. I could be
wrong, but in the case where the os is using LDAP, DB2 is probably
looking for user/group/pw information in etc/group, etc/passwd. How
would DB2 know to go to an LDAP directory instead ... unless you somehow
"instructed" it to do so by changing its authentication mechanism ...
and the way one does this is by using the userexit. These are my
assumptions so I'd be interested in someone correcting me if I am wrong.

Larry Edelstein
Ian - 21 Feb 2006 17:57 GMT
> I am running DB2 V8.2.3.  Even though the underlying operating system is
> configured and talking to LDAP, DB2 still requires that I code a plug-in
> module to authenticate against LDAP?
>
> I assumed since the OS was configured and talking to LDAP and DB2 uses the
> underlying OS for authentication that it would work.

You configured the system to allow LDAP authentication via PAM.  Most
of the normal system utilities (e.g., passwd) have all been made
PAM-aware on Linux distributions.

However, DB2 is not PAM-aware out of the box (presumably it uses the
"old" getpwXXX functions), thus you have to use a custom plug-in to
make DB2 use PAM.

FYI, I think that there is an open-source PAM plugin for DB2 available
on the net.
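
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any of the participants: it classifies an account by where its identity and password data live, so you can see which users exist only through NSS (for example LDAP) and have no local password entry. The function names and the `PASSWD_FILE`/`SHADOW_FILE` overrides are assumptions of this example; it assumes standard colon-separated passwd and shadow formats and needs root to read the real shadow file.

```shell
#!/bin/sh
# Added example: classify an account as local, local-no-hash, nss-only or unknown.
# PASSWD_FILE and SHADOW_FILE are hypothetical overrides so copies can be inspected.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
SHADOW_FILE=${SHADOW_FILE:-/etc/shadow}

# in_file FILE USER: succeeds if USER has an entry in a passwd-format file.
in_file() {
    [ -r "$1" ] && awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# has_local_hash USER: succeeds if the shadow file holds a usable hash for USER
# (empty, "x", or a field starting with "!" or "*" is not a usable hash).
has_local_hash() {
    [ -r "$SHADOW_FILE" ] && awk -F: -v u="$1" '
        $1 == u && $2 != "" && $2 != "x" && $2 !~ /^[!*]/ { ok = 1 }
        END { exit !ok }' "$SHADOW_FILE"
}

# in_nss USER: succeeds if the name service switch (files, LDAP, ...) resolves USER.
in_nss() {
    getent passwd "$1" >/dev/null 2>&1
}

# classify_account USER: prints one of
#   local          entry in the passwd file and a usable hash in the shadow file
#   local-no-hash  entry in the passwd file, but no usable local hash
#   nss-only       resolvable through NSS only; no local passwd entry exists
#   unknown        not resolvable at all
classify_account() {
    user=$1
    if in_file "$PASSWD_FILE" "$user"; then
        if has_local_hash "$user"; then echo "local"; else echo "local-no-hash"; fi
    elif in_nss "$user"; then
        echo "nss-only"
    else
        echo "unknown"
    fi
}

# Stand-alone use: sh classify.sh USER
if [ $# -gt 0 ]; then
    classify_account "$1"
fi
```

An account reported as `nss-only` has no local password entry, so its password can only be verified by something that performs the PAM or LDAP authentication itself.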
 