LDAP and DB2 – The Complete Guide

by on August 4, 2011

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a client server access protocol to access the information directory. This directory can store information like userids, email ids and so on.

In db2 you can set LDAP using 2 methods

• Plugin method

• Transparent LDAP

Two Methods :


LDAP db2

 

PLUGIN METHOD:

What are security plugins?

Authentication in db2 is done using the plugins. By default you get some plugins that you can use or you can develop your own plugin.Default security plugins for LDAP are IBMLDAPauthserver, IBMLDAPauthclient and IBMLDAPgroups

For 32 bit systems you can find these under

• /sqllib/security32/plugin/IBM/client

• /sqllib/security32/plugin/IBM/server

• /sqllib/security32/plugin/IBM/group

For 62 bit systems

• /sqllib/security64/plugin/IBM/client

• /sqllib/security64/plugin/IBM/server

• /sqllib/security64/plugin/IBM/group

db2 LDAP

Authenticating in db2 through LDAP

 

How to setup to use LDAP plugins?

1) Setup INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini

First thing you would do is editing the IBMLDAPSecurity.ini file to add the LDAP related entries.

LDAP_HOST, ENABLE_SSL, USER_OBJECTCLASS, USER_BASEDN are some of the parameters in there. Please refer to the below link for complete list

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/c0050524.html?resultof=%22%49%42%4d%4c%44%41%50%53%65%63%75%72%69%74%79%2e%69%6e%69%22%20

2) Setup dbm config

Run the following three steps:

• Db2 update dbm cfg using CLNT_PW_PLUGIN IBMLDAPauthclient immediate

• Db2 update dbm cfg using GROUP_PLUGIN IBMLDAPgroups immediate

• Db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver immediate

Once you are done please check the parameters:

db2 get dbm cfg | grep -i ldap

Client Userid-Password Plugin (CLNT_PW_PLUGIN) = IBMLDAPauthclient
Group Plugin (GROUP_PLUGIN) = IBMLDAPgroups
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = IBMLDAPauthserver

 

db2 LDAP

Plugin method

3) Setup DB for SSL

This step is optional depending on your security standards. If you want to use SSL to enhance your security levels go for this

SSL means Secure Sockets Layer and it is used to secure the data transmittal between client and server. SSL uses two types of keys – a public key known to every one and a private key known to the recipient only. So configuring your databases for SSL means securing your data. There are two ways you can set SSL: using the IBMLDAPSecurity.ini or in the newer versions (9.7) you can use the dbm cfg parameters

Using IBMLDAPSecurity.ini:

You need to set the below parameters in IBMLDAPSecurity.ini

ENABLE_SSL = true
SSL_KEYFILE = KEYFILE LOCATION
SSL_PW = password

Using dbm config in Version 9.7:

db2 LDAP

db2 9.7 LDAP setup

For detailed version as to how this configuration can be done in 9.7 refer to the below URL:

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.wn.doc/doc/i0054537.html?resultof=%22%53%53%4c%63%6f%6e%66%69%67%2e%69%6e%69%22%20

How is the SSL key and certificate generated?

We use something called GSK to achieve this. IBM Global security Kit comes with db2 and we can use the GSKCapiCmd to achieve this. You might have GSK8 libraries or GSK7 libraries depending on your operating system and db2 version and listed below are the common steps in the setup process

• Create a key database
• Add certificate to the database
• Setup the SSL dbm cfg (9.7) as shown above or configure the security ini file for other versions
• Test the connection

Inorder to perform the above steps you use GSK8capicmd_64 and refer to the two URLs below for complete process:

ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_CapiCmd_UserGuide.pdf

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html

What is certificate authority and how to obtain a certificate?

SSL certificate can be obtained from Verisign, Geotrust and similar certificate authorities. For testing purpose you can use the GSK8capicmd_64 command to obtain a test certificate. There are also some open source certificate providers that you can check (e.g OpenSSL)

http://en.wikipedia.org/wiki/Certificate_authority

http://tech.ivkin.net/wiki/SSL_and_GSKit_How_To

Method 2 : What is transparent LDAP and how do you set it up?

transparent LDAP

Transparent LDAP

Transparent LDAP is pretty straightforward when compared to the plugin process. On db2 side you make sure the following are done:

• db2set DB2AUTH=OSAUTHDB

• Make sure that the authentication is set to SERVER/SERVER_ENCRYPT/DATA_ENCRYPT

• Ensure that you are using default plugins and not plugins customized/developed by you

• Restart db2 instance

Configure OS for transparent LDAP:

For AIX:

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0057122.html

For Linux:

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0056291.html

For Solaris:

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0056293.html

For Hp-UX:

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0056292.html

 

How to debug a LDAP issue:(Source – IBM support docs)

Situation

  • Are you using Transparent LDAP or LDAP Security Plug-ins to do authentication?
  • Are you able to authenticate to the LDAP server outside of DB2?
  • Are you able to query the groups within LDAP for the user outside of DB2?
  • Is the performance accessing the LDAP outside of DB2 similar to within DB2?
  • Can the problem be reproduced on demand? If so, can a test case or a sequence of steps can be provided?

Impact

  • Is this a production, development or test environment?
  • What is the business impact of this problem?
  • Are there other repercussions to the problem occurring?

Diagnostics data to collect for Transparent LDAP

  • Run “db2set -all”. If Transparent LDAP is enabled, DB2AUTH=OSAUTHDB should be set
  • Collect the PAM configuration files (/etc/pam.d/db2)
  • Linux: Collect /etc/nsswitch.conf, /var/log/messages
  • AIX: Collect methods.cfg (for lsuser & lsgroups), /etc/security/user, id <user>, groups <user>
  • A db2trc of the behavior:

    Issue the following commands:
    db2trc on -f trace.dmp
    <reproduce the problem>
    db2trc off
    db2trc fmt trace.dmp trace.fmt
    db2trc flw trace.dmp trace.flw
    db2trc fmt trace.dmp trace.fmtc -c

  • A db2support.zip file:

    Issue the following command which will generate a db2support.zip file in the current directory
    db2support . -g -s

Diagnostics data to collect for LDAP security plug-ins

  • Verify if the server, client, and/or group security plug-in values are set in the DBM CFG. Run the command “db2 get dbm cfg” and look for the following variables:

    Client Userid-Password Plugin (CLNT_PW_PLUGIN) = IBMLDAPauthclient
    Group Plugin (GROUP_PLUGIN) = IBMLDAPgroups
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = IBMLDAPauthserver

  • To enable debugging within the LDAP security plug-in, take the following steps:

    1) Edit the IBMLDAPSecurity.ini file and set DEBUG=TRUE and save.
    2) Run the command “db2 update dbm cfg using diaglevel 4″. The additional LDAP debug information will be found in the db2diag.log. The diaglevel can be returned to it’s original value once debugging is complete

  • To enable tracing of the Tivoli LDAP client library, run the following commands:

    export LDAP_DEBUG=65535
    export LDAP_DEBUG_FILE=<filename>
    db2set DB2ENVLIST=”LDAP_DEBUG LDAP_DEBUG_FILE”

 

{ 1 comment… read it below or add one }

how much house can i afford September 13, 2011 at 4:24 am

i love your blog, i have it in my rss reader and always like new things coming up from it.

Reply

Leave a Comment

Previous post:

Next post: