  1. #1

    LDAP authentication works on DB2_Windows but not on DB2_Linux

    Hi,
    I have been trying to configure LDAP server with DB2.

    I have set up the following settings on DB2 9.5 Workgroup on Windows XP SP2 and it works OK. I have set up the same settings on DB2 9.5 Enterprise on SUSE Linux Enterprise Server 10 for System z but I am getting errors.

    I did the following:
    1. Copied file /opt/ibm/db2/V9.5/cfg/IBMLDAPSecurity.ini into directory:
    /home/db2inst1/sqllib/cfg/

    2. I have changed IBMLDAPSecurity.ini file (see attached file)

    3. I have updated diaglevel to 4 to get more info in db2diag.log file
    db2 update dbm cfg using DIAGLEVEL 4

    4. I have turned on server plug-in:
    db2 UPDATE DBM CFG USING SRVCON_PW_PLUGIN IBMLDAPauthserver

    5. I have turned on groups plug-in:
    db2 UPDATE DBM CFG USING GROUP_PLUGIN IBMLDAPgroups

    6. I terminated the DB2 background processes:
    db2 terminate

    7. I have tried to stop and start db2 instance:
    db2stop force

    The above command returns an error:
    SQL1366N A security plug-in "IBMLDAPgroups" processing error occurred on the client. Reason code = "7".

    In db2diag.log file there are two error messages:
    Code:
    2008-04-01-13.14.37.680893+120 I7148A258          LEVEL: Error
    PID     : 26936                TID : 2199124494032
    FUNCTION: DB2 Common, Security, Users and Groups, secLoadGroupPlugin, probe:20
    DATA #1 : String, 37 bytes
    db2secGroupPluginInit failed with -25
    
    2008-04-01-13.14.37.680942+120 I7407A326          LEVEL: Error
    PID     : 26936                TID : 2199124494032
    FUNCTION: DB2 Common, Security, Users and Groups, secLoadGroupPlugin, probe:21
    DATA #1 : String, 104 bytes
    db2ldapReadConfig: error parsing line 1 of config file /db2/home/db2inst1/sqllib/cfg/IBMLDAPSecurity.ini
    Any idea what to do to solve the DB2_9.5_ESE_Linux LDAP problem?
    Thanks,
    Grofaty
    Last edited by grofaty; 04-01-08 at 06:26.

  2. #2
    Hi,
    it looks like attachments are not working on the forum. Here is the IBMLDAPSecurity.ini file content:
    Code:
    ;----------------------------------------------------------------------
    ; Licensed Materials - Property of IBM
    ;
    ; Governed under the terms of the International
    ; License Agreement for Non-Warranted Sample Code.
    ;
    ; (C) COPYRIGHT International Business Machines Corp. 2006
    ; All Rights Reserved.
    ;
    ; US Government Users Restricted Rights - Use, duplication or
    ; disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    ;----------------------------------------------------------------------
    ;
    ; Sample configuration file for the IBM DB2 LDAP Security Plugin
    ;
    ; The default name and location for this file is
    ;   UNIX:    INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
    ;   Windows: %DB2PATH%\cfg\IBMLDAPSecurity.ini
    ; Optionally, the location of this file can be specified via the
    ; DB2LDAPSecurityConfig environment variable.
    ; On Windows systems, this variable should be set in the global
    ; system environment to ensure it is picked up by the DB2 service.
    ;
    ; A semicolon anywhere on a line begins a comment.
    ;
    ; The default values work well for many IBM Tivoli Directory Server
    ; configurations.  Other directory servers may require different
    ; values; please consult your LDAP server administrator.
    ;
    ; Values known to work with many Microsoft Active Directory
    ; installations are mentioned below; search for "MSAD".
    ;
    ; This sample configuration was last updated in August 2007
    ;----------------------------------------------------------------------
    
    
    ;----------------------------------------------------------------------
    ; SERVER RELATED VALUES
    ;----------------------------------------------------------------------
    
    ; LDAP_HOST
    ; Name of your LDAP server(s).
    ; This is a space separated list of LDAP server hostnames or IP
    ; addresses, with an optional port number for each one:
    ;    host1[:port] [host2[:port2] ... ]
    ; The default port number is 389, or 636 if SSL is enabled.
    LDAP_HOST = 192.168.5.150:389
    
    ; ENABLE_SSL
    ; To enable SSL support, you must have the GSKit toolkit installed.
    ; Optional; defaults to false (no SSL).
    ;ENABLE_SSL = true
    
    ; SSL_KEYFILE and SSL_PW
    ; SSL keyring and keyring password
    ; A keyfile is only required if your LDAP server is using a
    ; certificate that isn't automatically trusted by your GSkit install.
    ;SSL_KEYFILE = /home/db2inst1/IBMLDAPSecurity.kdb
    ;SSL_PW = keyfile-password
    
    
    ;----------------------------------------------------------------------
    ; USER RELATED VALUES
    ;----------------------------------------------------------------------
    
    ; USER_OBJECTCLASS
    ; LDAP object class used for users
    ; Generally "inetOrgPerson" ("user" for MSAD)
    USER_OBJECTCLASS = inetOrgPerson
    
    ; USER_BASEDN
    ; LDAP base DN to use when searching for users.
    ; This is optional.  If not specified, user searches will
    ; start at the root of the LDAP directory. Some LDAP servers (particularly
    ; MSAD) may require that you specify a value for this parameter.
    USER_BASEDN = cn=users,dc=mycompany,dc=com
    
    ; USERID_ATTRIBUTE
    ; LDAP user attribute that represents the "userid"
    ; This attribute is combined with the USER_OBJECTCLASS and USER_BASEDN
    ; (if specified) to construct an LDAP search filter when a user issues
    ; a DB2 CONNECT statement with an unqualified userid.
    ; For example, using the default values in this configuration file,
    ;    db2 connect to MYDB user bob using bobpass
    ; results in the following search filter:
    ;    &(objectClass=inetOrgPerson)(uid=bob)
    ; For MSAD, this is frequently "sAMAccountName".
    USERID_ATTRIBUTE = uid
    
    ; AUTHID_ATTRIBUTE
    ; LDAP user attribute that represents the DB2 "authorization ID"
    ; (typically this is the same as the USERID_ATTRIBUTE).
    ; Again, for MSAD this is frequently "sAMAccountName".
    AUTHID_ATTRIBUTE = uid
    
    
    ;----------------------------------------------------------------------
    ; GROUP RELATED VALUES
    ;----------------------------------------------------------------------
    
    ; GROUP_OBJECTCLASS
    ; LDAP object class used for groups
    ; Generally "groupOfNames" or "groupOfUniqueNames" ("group" for MSAD)
    GROUP_OBJECTCLASS = groupOfUniqueNames
    
    ; GROUP_BASEDN
    ; LDAP base DN to use when searching for groups
    ; This is optional.  If not specified, group searches will
    ; start at the root of the LDAP directory. Some LDAP servers (MSAD)
    ; require that you specify a value for this parameter.
    GROUP_BASEDN = cn=groups,dc=mycompany,dc=com
    
    ; GROUPNAME_ATTRIBUTE
    ; LDAP group attribute that represents the name of the group
    GROUPNAME_ATTRIBUTE = cn
    
    ; GROUP_LOOKUP_METHOD
    ; Determines the method used to find the group memberships for a user.
    ; Possible values are:
    ;  SEARCH_BY_DN   - Search for groups that list the user as a member.
    ;                   Membership is indicated by the group attribute defined
    ;                   as GROUP_LOOKUP_ATTRIBUTE (typically "member" or
    ;                   "uniqueMember").
    ;  USER_ATTRIBUTE - A user's groups are listed as attributes of the user
    ;                   object itself.  Search for the user attribute defined
    ;                   as GROUP_LOOKUP_ATTRIBUTE to get the groups (typically
    ;                   "memberOf" for MSAD or "ibm-allGroups" for ITDS).
    ; Many MSAD installations use "GROUP_LOOKUP_METHOD = USER_ATTRIBUTE" and
    ; "GROUP_LOOKUP_ATTRIBUTE = memberOf".
    GROUP_LOOKUP_METHOD = SEARCH_BY_DN
    ;GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
    
    ; GROUP_LOOKUP_ATTRIBUTE
    ; Name of the attribute used to determine group membership, as described
    ; above.
    GROUP_LOOKUP_ATTRIBUTE  = uniqueMember
    ;GROUP_LOOKUP_ATTRIBUTE  = ibm-allGroups
    
    ; NESTED_GROUPS
    ; If NESTED_GROUPS is true, we recursively search for group memberships by
    ; attempting to look up the group memberships for every group that we find.
    ; Cycles (A belongs to B, B belongs to A) are handled correctly.
    ; This is optional, and defaults to false.
    NESTED_GROUPS = true
    
    
    ;----------------------------------------------------------------------
    ; MISCELLANEOUS VALUES
    ;----------------------------------------------------------------------
    
    ; SEARCH_DN and SEARCH_PW
    ; If your LDAP server does not support anonymous access, or if anonymous
    ; access is not sufficient when searching for users or groups, then you
    ; can define a DN and password that will be used to perform searches.
    ; Optional.
    ;
    ; MSAD does not, by default, allow anonymous search and will require
    ; a SEARCH_DN and SEARCH_PW.
    SEARCH_DN = uid=wpsbind,cn=users,dc=mycompany,dc=com
    SEARCH_PW = mycompany
    
    ; FOLLOW_REFERRALS
    ; Some LDAP servers generate "referrals", which tell the client to contact
    ; another LDAP server.  By default, the LDAP plugins will honor referral
    ; requests.  In some cases this behavior is not desirable, and it
    ; may be disabled by setting this parameter to false.
    ;
    ; If you notice LDAP error "rc=1 (Operations error)" in the db2diag.log
    ; in an MSAD environment, you should try setting this to false.
    ;
    ; This is optional, and defaults to true.
    ;FOLLOW_REFERRALS = false
    
    ; DEBUG
    ; Dump some extra information to the db2diag.log to aid in debugging
    ; LDAP related issues.  Most of the additional information will be
    ; logged at DIAGLEVEL 4 (INFO).
    ; Optional, defaults to false.
    DEBUG = true
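    As an added example (not code from this thread or from IBM's plugin), here is a small Python parser for the ini format above that reports the first unparseable line number, much as the db2ldapReadConfig message in the first post does, and builds the user and group search filters that the file's comments describe. It applies RFC 4515 escaping to the userid so that a value supplied on a CONNECT cannot alter the filter's structure; the sample ini is constructed, and the plugin's real parsing and filter-construction rules are an assumption.

```python
import re

# Constructed sample in the ini format shown above (';' starts a comment, KEY = VALUE).
SAMPLE_INI = """; trimmed copy of IBMLDAPSecurity.ini for illustration
LDAP_HOST = 192.168.5.150:389
USER_OBJECTCLASS = inetOrgPerson   ; trailing comments are allowed
USER_BASEDN = cn=users,dc=mycompany,dc=com
USERID_ATTRIBUTE = uid
GROUP_OBJECTCLASS = groupOfUniqueNames
GROUP_LOOKUP_ATTRIBUTE  = uniqueMember
"""

KEY_VALUE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_ldap_ini(text):
    """Return a dict of settings; raise ValueError naming the first bad line,
    mirroring the 'error parsing line N of config file' diag message."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # a ';' anywhere begins a comment
        if not line:
            continue
        m = KEY_VALUE.match(line)
        if not m:
            raise ValueError(f"error parsing line {lineno} of config file")
        settings[m.group(1).upper()] = m.group(2)
    return settings


def validate_ini(text):
    """Return None if the file parses, otherwise the parser's error text."""
    try:
        parse_ldap_ini(text)
        return None
    except ValueError as err:
        return str(err)


def escape_filter_value(value):
    """RFC 4515 escaping: a userid from CONNECT must not inject filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def user_search_filter(settings, userid):
    """Filter for an unqualified userid: object class AND userid attribute."""
    return (f"(&(objectClass={settings['USER_OBJECTCLASS']})"
            f"({settings['USERID_ATTRIBUTE']}={escape_filter_value(userid)}))")


def group_search_filter(settings, user_dn):
    """SEARCH_BY_DN: groups whose lookup attribute lists the user's DN."""
    return (f"(&(objectClass={settings['GROUP_OBJECTCLASS']})"
            f"({settings['GROUP_LOOKUP_ATTRIBUTE']}={escape_filter_value(user_dn)}))")
```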

  3. #3
    Hi,
    from the documentation:
    db2 ? SQL1366N

    Code:
    7. Security plug-in encountered an unexpected error.
    ...
    7. Check the administration notification log file on the client and on
       the server for more information. Fix the problem identified by the
       error message text in the administration notification log.

  4. #4
    Hi,
    I have solved the problem.

    Turning the SYSADM group to null with the db2inst1 user (which is the instance owner user):
    db2 UPDATE DBM CFG USING SYSADM_GROUP NULL

    Then all the other settings from my first post.

    I have compared DB2_Linux and DB2_Windows and found out that on DB2_Windows this SYSADM_GROUP setting is set by default to no value, but on DB2_Linux it is set to the user group db2iadm1. This is probably because DB2_Windows was installed without the "enable operating system security" option (this option is only available on Windows; I think it is in the last installation window when installing DB2 on Windows).

    P.S. I really hate the differences between DB2_Windows and DB2_Linux. It just takes me two to three days to figure out which settings are different by default.

    Regards,
    Grofaty
    Last edited by grofaty; 04-01-08 at 09:11.
