  1. #1
    Join Date
    Jul 2011
    Posts
    4

    Unanswered: transparent ldap config?

    I'm running db2 on AIX. I have the system connected to ldap and I'd like to have my users use the db. It seems fairly simple to get transparent ldap running per IBM https://www-304.ibm.com/support/docv...id=swg21066328. It only mentions setting DB2AUTH=OSAUTHDB.
    I've restarted the instance, but is there more to it than just this? Perhaps someone else has been using transparent LDAP and can give me a few suggestions?

    DB21085I Instance "db2inst1" uses "64" bits and DB2 code release "SQL09018"
    with level identifier "02090107".
    Informational tokens are "DB2 v9.1.0.8", "special_22916", "U823514_22916", and
    Fix Pack "8".
    Product is installed at "/opt/IBM/db2/V9.1".

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Did you configure the operating system to authenticate via LDAP?

  3. #3
    Join Date
    Jul 2011
    Posts
    4
    Indeed.

    # chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
    # chsec -f /etc/security/user -s default -a "registry=LDAP"

    Also tried the KRB5ALDAP methods. My user is able to log in via ssh and gets a Kerberos ticket.

  4. #4
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    If so,
    - what error do you get when you try to connect to a DB2 database?
    - what shows up in db2diag.log?
    - what shows up in your LDAP server log at that time?

  5. #5
    Join Date
    Jul 2011
    Posts
    4
    Verbose error is:
    [ssouser@machine:/]$ db2 connect to my_db
    SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
    PASSWORD INVALID"). SQLSTATE=08001

    db2diag.log:
    2011-07-25-16.37.26.952158-240 I50302911A272 LEVEL: Warning
    PID : 1683468 TID : 1
    FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
    DATA #1 : String, 66 bytes
    Password validation for user ssouser failed with rc = -2146500502
    2011-07-25-16.37.26.952292-240 I50303184A1113 LEVEL: Info (OS)
    PID : 852138 TID : 1 PROC : db2bp
    INSTANCE: db2inst1 NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqloSSemP, probe:3
    MESSAGE : ZRC=0x83000024=-2097151964
    CALLED : OS, -, semop
    OSERR : EIDRM (36) "An identifier does not exist."
    DATA #1 : unsigned integer, 4 bytes
    719323145
    DATA #2 : unsigned integer, 4 bytes
    1
    CALLSTCK:
    [0] 0x0900000000F4D1DC sqlccipcrecv__FP15sqlcc_comhandleP10sqlcc_cond + 0x70
    [1] 0xFFFFFFFFFFFFFFFC ?unknown + 0xFFFFFFFF
    [2] 0x0900000000F55B1C .sqlccrecv_fdprpro_clone_153 + 0x164
    [3] 0x0900000000F5589C sqljcReceive__FP10sqljCmnMgr + 0xD0
    [4] 0x0900000000F42458 sqljrDrdaArAuthenticate__FP14db2UCinterfacelPUi + 0x38C
    [5] 0x0900000000F2A918 sqlexAppAuthenticate__FP14db2UCinterface + 0x10C
    [6] 0x0900000000F2B330 sqljrDrdaArConnect__FP14db2UCinterface + 0xC8
    [7] 0x0900000000F2B1A8 sqleUCdrdaARinit__FP11UCconHandle + 0xDC
    [8] 0x0900000000F478C0 sqleUCappConnect + 0x908
    [9] 0x0900000000F4A950 sqlakConnect__FPP9sqlak_rcbPP15sql_static_dataUs + 0x520

    2011-07-25-16.37.26.952693-240 I50304298A684 LEVEL: Info
    PID : 852138 TID : 1 PROC : db2bp
    INSTANCE: db2inst1 NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
    DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
    sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
    sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
    sqlerrp : SQLEXSMC
    sqlerrd : (1) 0x80370125 (2) 0x00000125 (3) 0x00000000
    (4) 0x00000000 (5) 0x00000000 (6) 0x00000000
    sqlwarn : (1) (2) (3) (4) (5) (6)
    (7) (8) (9) (10) (11)
    sqlstate: 08001

    This is a client machine connecting to the LDAP structure.

  6. #6
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    What happens if you explicitly specify the user name and password?

    "db2 connect to my_db user ssouser using yourpassword"

    Can you look at the LDAP server trace?

  7. #7
    Join Date
    Jul 2011
    Posts
    4
    I suppose I could have a look at Active Directory. Not sure where it logs LDAP requests, though.

    FWIW, I do receive a different error on restart of the db in diaglog, most notably a successful auth from the LDAP plugin: "/home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a":

    2011-07-25-17.29.51.607075-240 E50592534A462 LEVEL: Info (OS)
    PID : 2203884 TID : 1 PROC : db2
    INSTANCE: db2inst1 NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqloOpenMLNQue, probe:4
    MESSAGE : ZRC=0x870F0042=-2029060030=SQLO_QUE_NOT_EXIST "Queue does not exist"
    DIA8558C A message queue did not exist.
    CALLED : OS, -, open
    OSERR : ENOENT (2) "A file or directory in the path name does not exist."

    2011-07-25-17.29.51.609662-240 E50592997A462 LEVEL: Info (OS)
    PID : 2203884 TID : 1 PROC : db2
    INSTANCE: db2inst1 NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqloOpenMLNQue, probe:4
    MESSAGE : ZRC=0x870F0042=-2029060030=SQLO_QUE_NOT_EXIST "Queue does not exist"
    DIA8558C A message queue did not exist.
    CALLED : OS, -, open
    OSERR : ENOENT (2) "A file or directory in the path name does not exist."

    2011-07-25-17.29.52.613463-240 I50593460A303 LEVEL: Info
    PID : 970836 TID : 1
    FUNCTION: DB2 Common, Security, Users and Groups, secLoadClientAuthPlugin, probe:10
    DATA #1 : String, 90 bytes
    Loaded plugin library /home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a

    2011-07-25-17.29.52.613515-240 I50593764A240 LEVEL: Info
    PID : 970836 TID : 1
    FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
    DATA #1 : String, 37 bytes
    db2secClientAuthPluginInit successful

    2011-07-25-17.29.52.614307-240 I50594005A684 LEVEL: Info
    PID : 970836 TID : 1 PROC : db2bp
    INSTANCE: db2inst1 NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
    DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
    sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
    sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
    sqlerrp : SQLEXPLG
    sqlerrd : (1) 0x805C0125 (2) 0x00000125 (3) 0x00000000
    (4) 0x00000000 (5) 0x00000000 (6) 0x00000000
    sqlwarn : (1) (2) (3) (4) (5) (6)
    (7) (8) (9) (10) (11)
    sqlstate: 08001
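
A parser for the db2diag.log records quoted in posts #5 and #7, added here as an example and not part of the thread or of DB2 itself: it groups lines into records by their timestamp header and pulls out the secLogMessage password-validation failure (user and rc), the SQLCA fields (sqlcode and sqlerrp) and the client plugin load, so a triage script can tell which step of the connect rejected the user. The sample input is constructed from those posts.

```python
import re
# Constructed sample in the db2diag.log layout quoted above, trimmed to the fields the parser reads.
SAMPLE_DIAG = """\
2011-07-25-16.37.26.952158-240 I50302911A272 LEVEL: Warning
PID : 1683468 TID : 1
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
Password validation for user ssouser failed with rc = -2146500502
2011-07-25-16.37.26.952693-240 I50304298A684 LEVEL: Info
FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
sqlerrp : SQLEXSMC
2011-07-25-17.29.52.613463-240 I50593460A303 LEVEL: Info
FUNCTION: DB2 Common, Security, Users and Groups, secLoadClientAuthPlugin, probe:10
Loaded plugin library /home/db2inst1/sqllib/security64/plugin/IBM/client/IBMOSauthclient.a
"""

# A record starts with "<timestamp> <record id> LEVEL: <level>"; the lines after it belong to it.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+[+-]\d+) \S+ LEVEL: (.+)$")
FUNC = re.compile(r"^FUNCTION: (.+)$", re.M)
PWFAIL = re.compile(r"Password validation for user (\S+) failed with rc = (-?\d+)")
SQLCA = re.compile(r"sqlcode: (-?\d+).*?sqlerrp : (\S+)", re.S)
PLUGIN = re.compile(r"Loaded plugin library (\S+)")

def split_records(text):
    """Group raw lines into records, one per header line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": m.group(2), "body": ""})
        elif records:
            records[-1]["body"] += line + "\n"
    return records

def auth_events(text):
    """Keep only the records that say something about the authentication attempt."""
    events = []
    for rec in split_records(text):
        body = rec["body"]
        if m := PWFAIL.search(body):    # the OS/LDAP password check itself failed
            ev = dict(kind="password_validation_failed", user=m.group(1), rc=int(m.group(2)))
        elif m := SQLCA.search(body):   # sqlerrp names the DB2 module that raised the SQLCODE
            ev = dict(kind="sqlca", sqlcode=int(m.group(1)), sqlerrp=m.group(2))
        elif m := PLUGIN.search(body):  # which client security plugin was loaded
            ev = dict(kind="plugin_loaded", plugin=m.group(1))
        else:
            continue
        func = FUNC.search(body)
        events.append({"ts": rec["ts"], "function": func.group(1) if func else "", **ev})
    return events
```

Run over a real db2diag.log, the ordering of the events shows whether the SQL30082N was raised before or after IBMOSauthclient.a was loaded, which is the visible difference between the two SQLCA records in this thread (sqlerrp SQLEXSMC in post #5, SQLEXPLG after the plugin lines in post #7).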

  8. #8
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Is your instance owner login ID defined in LDAP or locally? I assume the latter, and, having failed to authenticate it against LDAP, DB2 falls back to local authentication.

    AD being a Windows beast, I'm assuming it logs everything to Event Viewer. I have no idea how to enable trace, but I'm sure you can find that on MSDN.

  9. #9
    Join Date
    Aug 2001
    Location
    UK
    Posts
    4,650
    @jreed, did you manage to find a solution to this problem?

    Please share.

    Thanks
    Sathyaram
