07-25-11, 15:19
Registered User
Join Date: Jul 2011
Posts: 4
transparent ldap config?
I'm running db2 on AIX. I have the system connected to ldap and I'd like to have my users use the db. It seems fairly simple to get transparent ldap running per IBM https://www-304.ibm.com/support/docv...id=swg21066328. It only mentions setting DB2AUTH=OSAUTHDB.
I've restarted the instance but is there more to it than just this? Perhaps someone else has been using transparent ldap and can give me a few suggestions?
DB21085I Instance "db2inst1" uses "64" bits and DB2 code release "SQL09018"
with level identifier "02090107".
Informational tokens are "DB2 v9.1.0.8", "special_22916", "U823514_22916", and
Fix Pack "8".
Product is installed at "/opt/IBM/db2/V9.1".

07-25-11, 16:01
:-)
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
Did you configure the operating system to authenticate via LDAP?

07-25-11, 16:12
Registered User
Join Date: Jul 2011
Posts: 4
Indeed.
# chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
# chsec -f /etc/security/user -s default -a "registry=LDAP"
Also tried the KRB5ALDAP methods. My user is able to log in via ssh and gets a Kerberos ticket.

07-25-11, 16:19
:-)
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
If so,
- what error do you get when you try to connect to a DB2 database?
- what shows up in db2diag.log?
- what shows up in your LDAP server log at that time?

07-25-11, 16:43
Registered User
Join Date: Jul 2011
Posts: 4
verbose error is:
[ssouser@machine:/]$ db2 connect to my_db
SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
PASSWORD INVALID"). SQLSTATE=08001
db2diag.log:
2011-07-25-16.37.26.952158-240 I50302911A272 LEVEL: Warning
PID : 1683468 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 66 bytes
Password validation for user ssouser failed with rc = -2146500502
2011-07-25-16.37.26.952292-240 I50303184A1113 LEVEL: Info (OS)
PID : 852138 TID : 1 PROC : db2bp
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloSSemP, probe:3
MESSAGE : ZRC=0x83000024=-2097151964
CALLED : OS, -, semop
OSERR : EIDRM (36) "An identifier does not exist."
DATA #1 : unsigned integer, 4 bytes
719323145
DATA #2 : unsigned integer, 4 bytes
1
CALLSTCK:
[0] 0x0900000000F4D1DC sqlccipcrecv__FP15sqlcc_comhandleP10sqlcc_cond + 0x70
[1] 0xFFFFFFFFFFFFFFFC ?unknown + 0xFFFFFFFF
[2] 0x0900000000F55B1C .sqlccrecv_fdprpro_clone_153 + 0x164
[3] 0x0900000000F5589C sqljcReceive__FP10sqljCmnMgr + 0xD0
[4] 0x0900000000F42458 sqljrDrdaArAuthenticate__FP14db2UCinterfacelPUi + 0x38C
[5] 0x0900000000F2A918 sqlexAppAuthenticate__FP14db2UCinterface + 0x10C
[6] 0x0900000000F2B330 sqljrDrdaArConnect__FP14db2UCinterface + 0xC8
[7] 0x0900000000F2B1A8 sqleUCdrdaARinit__FP11UCconHandle + 0xDC
[8] 0x0900000000F478C0 sqleUCappConnect + 0x908
[9] 0x0900000000F4A950 sqlakConnect__FPP9sqlak_rcbPP15sql_static_dataUs + 0x520
2011-07-25-16.37.26.952693-240 I50304298A684 LEVEL: Info
PID : 852138 TID : 1 PROC : db2bp
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
sqlerrp : SQLEXSMC
sqlerrd : (1) 0x80370125 (2) 0x00000125 (3) 0x00000000
(4) 0x00000000 (5) 0x00000000 (6) 0x00000000
sqlwarn : (1) (2) (3) (4) (5) (6)
(7) (8) (9) (10) (11)
sqlstate: 08001
This is a client machine connecting to the LDAP structure.

07-25-11, 16:53
:-)
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
What happens if you explicitly specify the user name and password?
"db2 connect to my_db user ssouser using yourpassword"
Can you look at the LDAP server trace?

07-25-11, 17:32
Registered User
Join Date: Jul 2011
Posts: 4
I suppose I could have a look at Active Directory. Not sure where it logs ldap reqs though.
FWIW, I do receive a different error on restart of the db in db2diag.log, most notably a successful auth from the LDAP plugin "/home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a":
2011-07-25-17.29.51.607075-240 E50592534A462 LEVEL: Info (OS)
PID : 2203884 TID : 1 PROC : db2
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloOpenMLNQue, probe:4
MESSAGE : ZRC=0x870F0042=-2029060030=SQLO_QUE_NOT_EXIST "Queue does not exist"
DIA8558C A message queue did not exist.
CALLED : OS, -, open
OSERR : ENOENT (2) "A file or directory in the path name does not exist."
2011-07-25-17.29.51.609662-240 E50592997A462 LEVEL: Info (OS)
PID : 2203884 TID : 1 PROC : db2
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloOpenMLNQue, probe:4
MESSAGE : ZRC=0x870F0042=-2029060030=SQLO_QUE_NOT_EXIST "Queue does not exist"
DIA8558C A message queue did not exist.
CALLED : OS, -, open
OSERR : ENOENT (2) "A file or directory in the path name does not exist."
2011-07-25-17.29.52.613463-240 I50593460A303 LEVEL: Info
PID : 970836 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLoadClientAuthPlugin, probe:10
DATA #1 : String, 90 bytes
Loaded plugin library /home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a
2011-07-25-17.29.52.613515-240 I50593764A240 LEVEL: Info
PID : 970836 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 37 bytes
db2secClientAuthPluginInit successful
2011-07-25-17.29.52.614307-240 I50594005A684 LEVEL: Info
PID : 970836 TID : 1 PROC : db2bp
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
sqlerrp : SQLEXPLG
sqlerrd : (1) 0x805C0125 (2) 0x00000125 (3) 0x00000000
(4) 0x00000000 (5) 0x00000000 (6) 0x00000000
sqlwarn : (1) (2) (3) (4) (5) (6)
(7) (8) (9) (10) (11)
sqlstate: 08001
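The two db2diag.log excerpts in this thread (the SQL30082N failure a few posts up and the plugin-load sequence just above) are where the "what shows up in db2diag.log?" question gets answered, but the records are verbose and the interesting lines are scattered across them. The following Python script is an added example, not code from this thread, from IBM or from the DB2 product: it splits db2diag.log text into records, keeps the upper-case header fields (PID, FUNCTION, DATA #1 ...) apart from the payload lines, and then pulls out the security-plugin messages (which client auth plugin was loaded, whose password validation failed and with what rc) and the sqlcode/sqlerrp pair from each SQLCA dump. The embedded sample log is constructed from the excerpts quoted in the thread; the `rc_to_hex` helper only renders a signed 32-bit return code the way db2diag itself prints ZRC values (`ZRC=0x83000024=-2097151964` above), and the finding names (`password_fail`, `plugin_load`, `sqlca`) are this script's own.

```python
"""Summarise authentication-related records in a DB2 db2diag.log.

Added example for this thread; not code from the thread, from IBM or from DB2.
SAMPLE_DB2DIAG is constructed from the db2diag.log excerpts quoted in the thread.
"""
import re
import sys
from dataclasses import dataclass, field

# A record opens with "<timestamp> <record id> LEVEL: <level>", e.g.
#   2011-07-25-16.37.26.952158-240 I50302911A272 LEVEL: Warning
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+[+-]\d+)\s+\S+\s+LEVEL:\s*(.*)$")
# Header lines inside a record carry an upper-case key: PID, FUNCTION, MESSAGE, DATA #1 ...
HEADER_FIELD = re.compile(r"^([A-Z][A-Z #0-9]*?)\s*:\s*(.*)$")
PASSWORD_FAIL = re.compile(r"Password validation for user (\S+) failed with rc = (-?\d+)")
PLUGIN_LOAD = re.compile(r"Loaded plugin library (\S+)")
SQLCA_CODE = re.compile(r"sqlcode:\s*(-?\d+)")
SQLCA_ERRP = re.compile(r"sqlerrp\s*:\s*(\S+)")


@dataclass
class DiagRecord:
    timestamp: str
    level: str
    fields: dict = field(default_factory=dict)  # upper-case header keys -> values
    data: list = field(default_factory=list)    # payload lines: DATA bodies, SQLCA dump, stacks


def parse_db2diag(text):
    """Split db2diag.log text into DiagRecord objects."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        start = RECORD_START.match(line)
        if start:
            current = DiagRecord(timestamp=start.group(1), level=start.group(2).strip())
            records.append(current)
            continue
        if current is None or not line:
            continue  # text before the first record, or a blank line
        header = HEADER_FIELD.match(line)
        if header:
            current.fields[header.group(1).strip()] = header.group(2).strip()
        else:
            current.data.append(line)
    return records


def rc_to_hex(rc):
    """Render a signed 32-bit return code as db2diag prints ZRCs (0x83000024 == -2097151964)."""
    return "0x%08X" % (rc & 0xFFFFFFFF)


def auth_findings(records):
    """Extract the facts that matter for an SQL30082N investigation: the client auth
    plugin that was loaded, the user whose password validation failed and the rc,
    and the sqlcode/sqlerrp pair recorded in each SQLCA dump."""
    findings = []
    for rec in records:
        func = rec.fields.get("FUNCTION", "")
        blob = "\n".join(rec.data)
        if "DB2 Common, Security" in func:
            m = PASSWORD_FAIL.search(blob)
            if m:
                rc = int(m.group(2))
                findings.append({"time": rec.timestamp, "kind": "password_fail",
                                 "user": m.group(1), "rc": rc, "rc_hex": rc_to_hex(rc)})
            m = PLUGIN_LOAD.search(blob)
            if m:
                findings.append({"time": rec.timestamp, "kind": "plugin_load",
                                 "library": m.group(1)})
        elif "sqlofica" in func:  # sqlofica records carry the SQLCA handed back to the app
            code, errp = SQLCA_CODE.search(blob), SQLCA_ERRP.search(blob)
            if code:
                findings.append({"time": rec.timestamp, "kind": "sqlca",
                                 "sqlcode": int(code.group(1)),
                                 "sqlerrp": errp.group(1) if errp else None})
    return findings


# Constructed sample, trimmed from the db2diag.log excerpts quoted in the thread.
SAMPLE_DB2DIAG = """\
2011-07-25-16.37.26.952158-240 I50302911A272 LEVEL: Warning
PID : 1683468 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 66 bytes
Password validation for user ssouser failed with rc = -2146500502
2011-07-25-16.37.26.952693-240 I50304298A684 LEVEL: Info
PID : 852138 TID : 1 PROC : db2bp
FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
sqlerrp : SQLEXSMC
sqlstate: 08001
2011-07-25-17.29.52.613463-240 I50593460A303 LEVEL: Info
PID : 970836 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLoadClientAuthPlugin, probe:10
DATA #1 : String, 90 bytes
Loaded plugin library /home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a
2011-07-25-17.29.52.614307-240 I50594005A684 LEVEL: Info
PID : 970836 TID : 1 PROC : db2bp
FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
sqlerrp : SQLEXPLG
sqlstate: 08001
"""

if __name__ == "__main__":
    # Pass a path to a real db2diag.log, or run with no argument to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DB2DIAG
    for finding in auth_findings(parse_db2diag(text)):
        print(finding)
```

Run against the sample, the script reports the `password_fail` for ssouser with rc -2146500502 (0x800F006A in db2diag's ZRC notation), the `IBMOSauthclient.a` plugin load, and two `sqlca` findings that share sqlcode -30082 but differ in sqlerrp (SQLEXSMC before the restart, SQLEXPLG after); on a real instance, point it at `~/sqllib/db2dump/db2diag.log` and correlate the timestamps with the LDAP or AD server log, as suggested above.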

07-25-11, 17:42
:-)
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
Is your instance owner login ID defined in LDAP or locally? I assume the latter, and, having failed to authenticate it against LDAP, DB2 falls back to local authentication.
AD being a Windows beast, I'm assuming it logs everything to Event Viewer. I have no idea how to enable trace, but I'm sure you can find that on MSDN.

08-26-11, 05:55
Super Moderator
Join Date: Aug 2001
Location: UK
Posts: 4,534
@jreed, did you manage to find a solution to this problem?
Pl share.
Thanks
Sathyaram
__________________
Visit the new-look IDUG Website, register to gain access to the excellent content.