#1: grofaty, 11-28-11, 08:54
DB2 LDAP-plugin authorization: How to set LDAP group as SYSADM_GROUP?

Hi,
In our environment, DB2 v9.7 fixpack 1 on Windows, the database is working fine without problems. Windows user IDs are used for authentication (this is the default installation setting).

Now I have configured DB2 to use the LDAP plugin (Apache LDAP in our case), and I face a problem. When I connect to the database using LDAP authentication and execute a select on tables, I get a restriction error, because this new LDAP user has no privileges on the database. I also can't grant any privileges to this new DB2/LDAP user, because the instance owner user, which is defined at operating system level, is not defined in LDAP (our LDAP administrator does not allow any 'dummy' users like db2inst1 and the like to be defined in LDAP; every member in LDAP has to have a human user ID).

I set the SYSADM_GROUP dbm cfg setting to NULL. I tried to specify the LDAP group 'cn=mygroup,ou=groups,ou=entries' as SYSADM_GROUP, but got an error that a comma is not a permitted character in a group name.

How do I define that users in some particular LDAP group are members of the SYSADM group? Is there any other way to put a user in SYSADM_GROUP so it becomes the instance superuser?
Regards

#2: przytula_guy, 11-28-11, 09:32
We had a similar problem.
We defined db2inst1 in LDAP as a user belonging to group
Group memberships
* db2iadm1 (503)
* idsldap (506)
* ddb2admgrp (1194)
* admgroup (1063)
* db2iadm1 (1077)

But finally we had to define db2inst1 in /etc/passwd also,
and db2iadm1 in /etc/group.
Now we don't have any problems anymore; we always use LDAP groups for granting.
__________________
Best Regards, Guy Przytula
Database Software Consultant
DB2 UDB LUW Certified V7-V8-V9-V9.7 DB Admin - Dprop..
Information Server Datastage Certified
http://www.infocura.be
#3: grofaty, 11-28-11, 11:28
Quote:
Originally Posted by przytula_guy
we defined db2inst1 in ldap as a user belonging to group
Group memberships
* db2iadm1 (503)
* idsldap (506)
* ddb2admgrp (1194)
* admgroup (1063)
* db2iadm1 (1077)
I don't really understand. Did you create a group "Group", or all of the above groups (db2iadm1, idsldap, ddb2admgrp, admgroup, db2iadm1)?

Quote:
Originally Posted by przytula_guy
but finally we had to define db2inst1 in /etc/passwd also
and db2iadm1 in /etc/group
So you defined the user and group in the operating system, is that it?

Quote:
Originally Posted by przytula_guy
now we don't have any problems anymore - we always use ldap groups for granting
How do you specify the grant command? Like:
Code:
db2 grant select on table mytable to group 'cn=my_group,ou=groups,ou=entries'
I don't think this will work, or will it?

Is there any document or web page describing the step-by-step instructions?
#4: n_i, 11-28-11, 12:51
What you use for the user/group authorization ID depends on how you have configured the LDAP plugin. For example, "GROUPNAME_ATTRIBUTE = cn" says that only CN is used for the group name, while "GROUP_BASEDN = o=ibm" determines the CN resolution.
#5: przytula_guy, 11-29-11, 02:55
Many docs in the Infocenter:
How to set LDAP groups....
#6: grofaty, 11-29-11, 09:06
Quote:
Originally Posted by grofaty
I set the SYSADM_GROUP dbm cfg setting to NULL. I tried to specify the LDAP group 'cn=mygroup,ou=groups,ou=entries' as SYSADM_GROUP, but got an error that a comma is not a permitted character in a group name.

Quote:
Originally Posted by n_i
What you use for the user/group authorization ID depends on how you have configured the LDAP plugin. For example, "GROUPNAME_ATTRIBUTE = cn" says that only CN is used for the group name, while "GROUP_BASEDN = o=ibm" determines the CN resolution.
Now I have solved this problem. I defined:
Code:
GROUP_BASEDN = ou=groups,ou=entries
GROUPNAME_ATTRIBUTE = cn
db2 UPDATE DBM CFG USING SYSADM_GROUP mygroup


Quote:
Originally Posted by grofaty
When I connect to the database using LDAP authentication and execute a select on tables, I get a restriction error, because this new LDAP user has no privileges on the database. I also can't grant any privileges to this new DB2/LDAP user, because the instance owner user, which is defined at operating system level, is not defined in LDAP (our LDAP administrator does not allow any 'dummy' users like db2inst1 and the like to be defined in LDAP; every member in LDAP has to have a human user ID).
From web page LDAP-based authentication and group lookup support: "When you use the LDAP plugin modules, all users associated with the database must be defined on the LDAP server. This includes both the DB2 instance owner ID as well as the fenced user. These users are typically defined in the operating system, but must also be defined in LDAP."

As I see now, I need to define the db2inst1 user in LDAP, otherwise it will be impossible to execute instance-level actions like drop database (for databases created with the db2inst1 user) and other similar instance-level actions.

I see we have two options (using LDAP):
1. create a dummy user "db2inst1" in LDAP (I need to convince the LDAP administrator, but it is going to be very hard),
2. write our own DB2 authentication program that uses two authentications, operating system and LDAP. Example: search for the LDAP user and, if it does not exist in LDAP, then search operating system users (in the case of db2inst1). I don't really like this idea; most probably it will have some unpredictable problems.

Is there any other suggestion?

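The mapping grofaty ended up with (GROUP_BASEDN = ou=groups,ou=entries, GROUPNAME_ATTRIBUTE = cn, SYSADM_GROUP = mygroup) can be worked through in code. The block below is an added example written for this thread, not code from the posts or from IBM's plugin: it parses group DNs, resolves each to the bare group name DB2 receives, rejects the full-DN form that failed in post #1 (comma in the name), and emulates a member-attribute group lookup against a constructed in-memory directory. The member attribute name, the LdapEntry type, the sample entries and the "empty or padded name" check are assumptions made for the example; the rule that groups outside GROUP_BASEDN are invisible reflects the base-DN scoping n_i described.

```python
"""Added example (not from the thread or IBM's plugin): how DB2's LDAP
security plugin turns a group DN into the plain group name the engine
sees, given the two settings that solved the problem in this thread.

Assumptions: groups are searched below GROUP_BASEDN and the value of
GROUPNAME_ATTRIBUTE in the leading RDN is the group authorization ID;
membership is resolved by finding group entries whose "member" attribute
lists the user's DN. The sample directory is constructed, not real data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, leading RDN first.
    Backslash escapes (e.g. "\\," inside a value) are honoured, attribute
    types are lower-cased and whitespace around separators is dropped.
    Multi-valued RDNs ("+") are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _norm(dn: str) -> list[tuple[str, str]]:
    """Case-folded form for DN comparison (cn/ou/uid match case-insensitively)."""
    return [(a, v.lower()) for a, v in parse_dn(dn)]


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly below base_dn."""
    d, b = _norm(dn), _norm(base_dn)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def validate_db2_group_name(name: str) -> str:
    """The thread reports DB2 rejecting a comma in SYSADM_GROUP, so a full DN
    can never be used as a group name. The empty/padded check is an assumption."""
    if "," in name:
        raise ValueError(f"{name!r}: comma is not permitted in a DB2 group name")
    if not name or name != name.strip():
        raise ValueError(f"{name!r}: empty or padded group name")
    return name


def group_authid(group_dn: str, group_basedn: str, groupname_attribute: str = "cn") -> str:
    """Authorization ID DB2 sees for group_dn: the GROUPNAME_ATTRIBUTE value of
    its leading RDN, provided the entry sits under GROUP_BASEDN."""
    if not is_under(group_dn, group_basedn):
        raise ValueError(f"{group_dn!r} is not under GROUP_BASEDN {group_basedn!r}")
    attr, value = parse_dn(group_dn)[0]
    if attr != groupname_attribute.lower():
        raise ValueError(f"leading RDN type {attr!r} is not {groupname_attribute!r}")
    return validate_db2_group_name(value)


@dataclass
class LdapEntry:
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)


def user_group_authids(user_dn: str, directory: list[LdapEntry], group_basedn: str,
                       groupname_attribute: str = "cn", member_attribute: str = "member") -> set[str]:
    """Group names DB2 would attach to user_dn: every group under GROUP_BASEDN
    whose member attribute lists the user's DN (compared as DNs, not strings)."""
    wanted = _norm(user_dn)
    found: set[str] = set()
    for entry in directory:
        if not is_under(entry.dn, group_basedn):
            continue   # groups elsewhere in the tree are invisible to the plugin
        if any(_norm(m) == wanted for m in entry.attrs.get(member_attribute, [])):
            found.add(group_authid(entry.dn, group_basedn, groupname_attribute))
    return found


def has_sysadm(user_dn: str, directory: list[LdapEntry], group_basedn: str, sysadm_group: str) -> bool:
    """Is the configured SYSADM_GROUP among the user's group authorization IDs?"""
    groups = {g.lower() for g in user_group_authids(user_dn, directory, group_basedn)}
    return validate_db2_group_name(sysadm_group).lower() in groups


# Constructed sample directory for this example, using the thread's base DN.
SAMPLE_DIRECTORY = [
    LdapEntry("cn=mygroup,ou=groups,ou=entries",
              {"member": ["uid=alice,ou=people,ou=entries"]}),
    LdapEntry("cn=readers,ou=groups,ou=entries",
              {"member": ["uid=alice,ou=people,ou=entries", "UID=Bob,OU=People,OU=Entries"]}),
    LdapEntry("cn=mygroup,ou=legacy,ou=entries",      # same cn, but outside GROUP_BASEDN
              {"member": ["uid=bob,ou=people,ou=entries"]}),
]

if __name__ == "__main__":
    base = "ou=groups,ou=entries"
    print(group_authid("cn=mygroup,ou=groups,ou=entries", base))
    print(user_group_authids("uid=bob,ou=people,ou=entries", SAMPLE_DIRECTORY, base))
    print(has_sysadm("uid=alice,ou=people,ou=entries", SAMPLE_DIRECTORY, base, "mygroup"))
```

The last sample entry is the case worth noticing: a second cn=mygroup under ou=legacy does not give Bob SYSADM in this model, because it is outside GROUP_BASEDN. Keeping GROUP_BASEDN narrow is therefore part of the SYSADM_GROUP control, since anyone who can create entries in a sibling subtree could otherwise mint a group with the privileged name.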
#7: n_i, 11-29-11, 09:40
I think on Windows any local Administrator account will still have SYSADM authority if the instance configuration parameter SYSADM_GROUP is not set. You could try that.
#8: grofaty, 12-02-11, 01:34
@n_i: I created a new user on Windows (and did NOT create it in LDAP), assigned it to the Windows Administrators group and executed:
Code:
db2 update dbm cfg using sysadm_group NULL
db2 terminate
db2stop force
db2start
db2 connect to my_database user new_user using password
and got this error:
===========
SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
PASSWORD INVALID"). SQLSTATE=08001
===========

According to the documentation, DB2 by default does not support dual authentication (e.g. operating system and LDAP). All users MUST be defined in LDAP. If someone wants dual authentication, a security plug-in must be developed in-house.

#9: n_i, 12-02-11, 08:41
What's the setting for trust_clntauth? You should be able to log in locally without specifying username or password.
#10: grofaty, 12-09-11, 06:21
Hi,
The TRUST_CLNTAUTH dbm cfg parameter in our case is set to the default value CLIENT. But according to the documentation on the TRUST_CLNTAUTH parameter: "This parameter specifies whether a trusted client is authenticated at the server or the client when the client provides a userid and password combination for a connection. This parameter (and trust_allclnts) is only active if the authentication parameter is set to CLIENT." But the AUTHENTICATION dbm cfg parameter in our company is set to SERVER, so in this case the TRUST_CLNTAUTH parameter is irrelevant.
Regards