  1. #1
    Join Date
    Jan 2003
    Posts
    1,605

    DB2 LDAP-plugin authorization: How to set LDAP group as SYSADM_GROUP?

    Hi,
    In our environment, DB2 v9.7 Fix Pack 1 on Windows, the database is working fine without problems. Windows user IDs are selected for authentication (this is the default installation setting).

    Now I have configured DB2 to use the LDAP plugin (Apache LDAP in our case), and I face a problem. When I connect to the database using LDAP authentication and execute a select on tables, I get a restriction error, because this new LDAP user has no privileges on the database. I also can't grant any privilege to this new DB2/LDAP user, because the instance owner user, which is defined at the operating system level, is not defined in LDAP (our LDAP administrator does not allow any 'dummy' users like db2inst1 and the like to be defined in LDAP; every member in LDAP has to have a human user ID).

    I set the SYSADM_GROUP dbm cfg setting to NULL. I tried to specify the LDAP group 'cn=mygroup,ou=groups,ou=entries' as SYSADM_GROUP, but got an error that a comma is not a permitted character in a group name.

    How do I define that users in a particular LDAP group are members of the SYSADM group? Is there any other way to add a user to SYSADM_GROUP so that it becomes the instance superuser?
    Regards
    Last edited by grofaty; 11-28-11 at 10:00.

  2. #2
    Join Date
    Apr 2006
    Location
    Belgium
    Posts
    2,514
    Provided Answers: 11
    We had a similar problem.
    We defined db2inst1 in LDAP as a user belonging to group
    Group memberships
    *db2iadm1 (503)
    *idsldap (506)
    *ddb2admgrp (1194)
    *admgroup (1063)
    *db2iadm1 (1077)

    But finally we had to define db2inst1 in /etc/passwd also
    and db2iadm1 in /etc/group.
    Now we don't have any problems anymore; we always use LDAP groups for granting.
    Best Regards, Guy Przytula
    Database Software Consultant
    Good DBAs are not formed in a week or a month. They are created little by little, day by day. Protracted and patient effort is needed to develop good DBAs.
    Spoon feeding : To treat (another) in a way that discourages independent thought or action, as by overindulgence.
    DB2 UDB LUW Certified V7-V8-V9-V9.7-V10.1-V10.5 DB Admin - Advanced DBA -Dprop..
    Information Server Datastage Certified
    http://www.infocura.be

  3. #3
    Join Date
    Jan 2003
    Posts
    1,605
    Quote Originally Posted by przytula_guy:
    we defined db2inst1 in ldap as a user belonging to group
    Group memberships
    *db2iadm1 (503)
    *idsldap (506)
    *ddb2admgrp (1194)
    *admgroup (1063)
    *db2iadm1 (1077)
    I don't really understand. Did you create a group "Group" or all of the above groups (db2iadm1, idsldap, ddb2admgrp, admgroup, db2iadm1)?

    Quote Originally Posted by przytula_guy:
    but finally we had to define db2inst1 in etc/passwd also
    and db2iadm1 in /etc/group
    So you defined the user and group in the operating system, is that it?

    Quote Originally Posted by przytula_guy:
    now we don't have any problems anymore - we always use ldap groups for granting
    How do you specify the grant command? Like:
    db2 grant select on table mytable to group 'cn=my_group,ou=groups,ou=entries'
    I don't think this will work, or will it?

    Is there any document or web page describing the step-by-step instructions?

  4. #4
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    What you use for the user/group authorization ID depends on how you have configured the LDAP plugin. For example, "GROUPNAME_ATTRIBUTE = cn" says that only CN is used for the group name, while "GROUP_BASEDN = o=ibm" determines the CN resolution.

  5. #5
    Join Date
    Apr 2006
    Location
    Belgium
    Posts
    2,514
    Provided Answers: 11
    Many docs in the infocenter:
    How to set LDAP groups....
    Best Regards, Guy Przytula

  6. #6
    Join Date
    Jan 2003
    Posts
    1,605
    Quote Originally Posted by grofaty:
    I defined SYSADM_GROUP dbm cfg settings to NULL. I tried to specify LDAP group 'cn=mygroup,ou=groups,ou=entries' as SYSADM_GROUP, but got error that comma is not permitted character for group name.

    Quote Originally Posted by n_i:
    What you use for the user/group authorization ID depends on how you have configured the LDAP plugin. For example, "GROUPNAME_ATTRIBUTE = cn" says that only CN is used for the group name, while "GROUP_BASEDN = o=ibm" determines the CN resolution.
    Now I have solved this problem; I defined:
    Code:
    GROUP_BASEDN = ou=groups,ou=entries
    GROUPNAME_ATTRIBUTE = cn
    db2 UPDATE DBM CFG USING SYSADM_GROUP mygroup

    Quote Originally Posted by grofaty:
    When I connect to database using LDAP authentication and executing select on tables I get restriction error, because this new LDAP user has no privilege on database. I also can't grant any privilege to this new DB2/LDAP user, because instance owner user which is defined on operating system level is not defined in LDAP (our LDAP administrator does not allow any 'dummy' users like db2inst1 and alike to be defined on LDAP - every member in LDAP has to have human userid).
    From the web page "LDAP-based authentication and group lookup support": "When you use the LDAP plugin modules, all users associated with the database must be defined on the LDAP server. This includes both the DB2 instance owner ID as well as the fenced user. These users are typically defined in the operating system, but must also be defined in LDAP."

    As I see it now, I need to define the db2inst1 user in LDAP; otherwise it will be impossible to execute instance-level actions like drop database (for databases created with the db2inst1 user) and other similar instance-level actions.

    I see we have two options (using LDAP):
    1. create a dummy user "db2inst1" in LDAP (I need to convince the LDAP administrator, but it is going to be very hard),
    2. write our own DB2 authentication program that uses two authentications, operating system and LDAP. For example, search for the LDAP user and, if it does not exist in LDAP, search the operating system users (in the case of db2inst1). I don't really like this idea; most probably it will have some unpredictable problems.

    Is there any other suggestion?
    Last edited by grofaty; 11-29-11 at 10:15.
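    As an added example (not code from the thread, from IBM, or from the DB2 LDAP plugin), the following Python models the group-name resolution that posts #4 and #6 describe: the plugin treats GROUP_BASEDN as the subtree in which group entries are searched and GROUPNAME_ATTRIBUTE as the attribute whose value becomes the group authorization ID, which is why SYSADM_GROUP takes the short name (mygroup) and rejects the full DN with its commas. The config text, the group entries, the member lists and the simplified DN parser below are constructed assumptions; nothing here talks to an LDAP server or to DB2.

```python
"""Model of LDAP group-name resolution for a DB2 security plugin.

Added example, not the plugin's own code. Constructed sample data and a
simplified DN parser (escaped commas and multi-valued RDNs are not
handled). DB2's only authorization-ID rule modelled is the one the
thread hit: a comma is not permitted in a group name.
"""

# Constructed sample of the two plugin settings used in post #6.
SAMPLE_PLUGIN_CONFIG = """
; constructed sample, mirrors the settings from the thread
GROUP_BASEDN = ou=groups,ou=entries
GROUPNAME_ATTRIBUTE = cn
"""

# Constructed sample directory: group entries as the plugin would read them
# back from the server. 'member' holds the full DNs of the users.
SAMPLE_DIRECTORY = [
    {"dn": "cn=mygroup,ou=groups,ou=entries", "cn": "mygroup",
     "member": ["uid=alice,ou=people,ou=entries"]},
    {"dn": "cn=readers,ou=groups,ou=entries", "cn": "readers",
     "member": ["uid=alice,ou=people,ou=entries",
                "uid=bob,ou=people,ou=entries"]},
    # Same short name, but outside GROUP_BASEDN: the plugin must ignore it,
    # otherwise a group elsewhere in the tree could confer SYSADM.
    {"dn": "cn=mygroup,ou=legacy,ou=entries", "cn": "mygroup",
     "member": ["uid=bob,ou=people,ou=entries"]},
]


def parse_plugin_config(text):
    """Parse KEY = VALUE lines; ';' starts a comment (assumed INI-like syntax)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        cfg[key.strip().upper()] = value.strip()
    return cfg


def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, most specific first."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_under_base(dn, base_dn):
    """True if `dn` lies strictly below `base_dn` (suffix match on RDNs)."""
    rdns, base = parse_dn(dn), parse_dn(base_dn)
    return len(rdns) > len(base) and rdns[-len(base):] == base


def group_authid(entry, cfg):
    """Short group name DB2 sees for one group entry, or None when the entry
    is outside GROUP_BASEDN or lacks the GROUPNAME_ATTRIBUTE attribute."""
    if not dn_under_base(entry["dn"], cfg["GROUP_BASEDN"]):
        return None
    return entry.get(cfg["GROUPNAME_ATTRIBUTE"].lower())


def validate_group_name(name):
    """Check a value intended for SYSADM_GROUP; returns (ok, reason)."""
    if not name:
        return False, "group name is empty"
    if "," in name:
        return False, "comma is not permitted in a group name; use the short name, not the DN"
    return True, "ok"


def user_groups(user_dn, directory, cfg):
    """Short names of every in-scope group that lists `user_dn` as a member."""
    user = parse_dn(user_dn)
    names = []
    for entry in directory:
        authid = group_authid(entry, cfg)
        if authid is None:
            continue
        if any(parse_dn(m) == user for m in entry.get("member", [])):
            names.append(authid)
    return names


def has_sysadm(user_dn, directory, cfg, sysadm_group):
    """Would this user obtain SYSADM through the configured SYSADM_GROUP?"""
    ok, _ = validate_group_name(sysadm_group)
    if not ok:
        return False
    groups = (g.casefold() for g in user_groups(user_dn, directory, cfg))
    return sysadm_group.casefold() in groups


if __name__ == "__main__":
    cfg = parse_plugin_config(SAMPLE_PLUGIN_CONFIG)
    for entry in SAMPLE_DIRECTORY:
        print(entry["dn"], "->", group_authid(entry, cfg))
    print(validate_group_name("cn=mygroup,ou=groups,ou=entries"))
    alice, bob = "uid=alice,ou=people,ou=entries", "uid=bob,ou=people,ou=entries"
    print("alice SYSADM:", has_sysadm(alice, SAMPLE_DIRECTORY, cfg, "mygroup"))
    print("bob SYSADM:", has_sysadm(bob, SAMPLE_DIRECTORY, cfg, "mygroup"))
```

    Running it shows the two points the thread converges on: the DN form of the group fails the comma check exactly as the original post reports, and only the mygroup entry under ou=groups,ou=entries resolves to an authorization ID, so bob's membership in the same-named group under ou=legacy does not grant SYSADM. The base DN is therefore part of the trust boundary, and a defender reviewing a plugin configuration should check it as carefully as the SYSADM_GROUP value itself.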

  7. #7
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    I think on Windows any local Administrator account will still have SYSADM authority if the instance configuration parameter SYSADM_GRP is not set. You could try that.

  8. #8
    Join Date
    Jan 2003
    Posts
    1,605
    @n_i: I created a new user on Windows (and did NOT create it in LDAP), assigned it to the Windows Administrators group and executed:
    Code:
    db2 update dbm cfg using sysadm_group NULL
    db2 terminate
    db2stop force
    db2start
    db2 connect to my_database user new_user using password
    and got the error:
    ===========
    SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
    PASSWORD INVALID"). SQLSTATE=08001
    ===========

    According to the documentation, DB2 by default does not support dual authentication (e.g. operating system and LDAP). All the users MUST be specified in LDAP. If someone wants dual authentication, a security plug-in must be developed in-house.
    Last edited by grofaty; 12-02-11 at 02:41.

  9. #9
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    What's the setting for trust_clntauth? You should be able to log in locally without specifying username or password.

  10. #10
    Join Date
    Jan 2003
    Posts
    1,605
    Hi,
    The TRUST_CLNTAUTH dbm cfg parameter in our case is set to the default value CLIENT. But according to the documentation about the TRUST_CLNTAUTH parameter: "This parameter specifies whether a trusted client is authenticated at the server or the client when the client provides a userid and password combination for a connection. This parameter (and trust_allclnts) is only active if the authentication parameter is set to CLIENT." But the AUTHENTICATION dbm cfg parameter in our company is set to SERVER, so in this case the TRUST_CLNTAUTH parameter is irrelevant.
    Regards
