
How to look up DB2 user authority (LDAP Plug-in)

If you are using the DB2 LDAP Plug-in [1], you may be wondering how to research whether your DB2 users have the authority to do their work. You will need to verify that (A) they have an LDAP account and (B) they belong to the LDAP groups required for their job, and do not belong to groups that exceed their authority. Here is a quick cheat sheet on using the Unix utility ldapsearch to get this information. These examples assume you have a Unix shell session open and have the authority to run ldapsearch.

First go to your DB2 LDAP configuration file, IBMLDAPSecurity.ini, which is in the <instance home directory>/sqllib/cfg directory. Look up the following variables in that text file: LDAP_HOST, USER_BASEDN and GROUP_BASEDN. The lines will look something like this:

LDAP_HOST = 10.235.1.43 10.235.173.67 10.235.173.170 10.235.44.34 10.50.1.43 10.50.50.101 10.50.60.37  10.222.71.55 10.222.68.55
USER_BASEDN = ou=people,dc=mybigcompany,dc=com
GROUP_BASEDN = ou=serverGroup,dc=mybigcompany,dc=com

LDAP_HOST may list several servers; you need to pick one host from the list. Pick an active LDAP server; in this case we will use 10.235.1.43.

Now export these values for ease of use:

export MY_USER_BASEDN="ou=people,dc=mybigcompany,dc=com"
export MY_GROUP_BASEDN="ou=serverGroup,dc=mybigcompany,dc=com"
export MY_LDAP_HOST="10.235.1.43"

OK, now you can run lookups on your users’ LDAP accounts and group membership. To see all LDAP users:

ldapsearch -b "$MY_USER_BASEDN" -h $MY_LDAP_HOST "cn=*"

If I’m not sure of the exact spelling of my user’s name, but I have part of it, I might use this (here ‘someguy’ stands for part of your user’s name; the match is not case sensitive):

ldapsearch -b "$MY_USER_BASEDN" -h $MY_LDAP_HOST "cn=*someguy*"

The output would be something like:

version: 1
dn: uid=fsomeguy,ou=people,dc=mybigcompany,dc=com
shadowMin: 8
uidNumber: 10988
gidNumber: 10988
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: mybigcompanyEmployee
uid: jbenner
gecos: Funguy Someguy
cn: Funguy Someguy
sn: Someguy
homeDirectory: /home/fsomeguy
mail: funguy.someguy@mybigcompany.com
givenName: Funguy
securityQuestion: what is your father's middle name?:l0Han3ZdQWsMS20BF3C9bf
loginShell: /bin/ksh

Now you know the user account exists. To get the groups the user belongs to, you have to work backward from the group name. If you’re not sure of the group names, you can list all the LDAP groups with this command:

ldapsearch -b "$MY_GROUP_BASEDN" -h $MY_LDAP_HOST "cn=*"

You can get just the group names as “cn” attributes by piping the output to

grep "cn:"

Once you’ve verified the spelling of the group or groups you are interested in, you can easily get the list of users that belong to a group. Say the group name is DB2_DBA_PRD_ROLE. The following command:

ldapsearch -b "$MY_GROUP_BASEDN" -h $MY_LDAP_HOST "cn=DB2_DBA_PRD_ROLE"

will give you something like:

version: 1
dn: cn=NEAT_DBA_PRD_ROLE,ou=serverGroup,dc=mybigcompany,dc=com
cn: DB2_DBA_PRD_ROLE
uniqueMember: uid=bgood,ou=people,dc=mybigcompany,dc=com
uniqueMember: uid=culater,ou=people,dc=mybigcompany,dc=com
uniqueMember: uid=dstruct,ou=people,dc=mybigcompany,dc=com
uniqueMember: uid=db2,ou=people,dc=mybigcompany,dc=com
uniqueMember: uid=elated,ou=people,dc=mybigcompany,dc=com
objectClass: groupOfUniqueNames
objectClass: top

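The checks above are done by hand, one group at a time. The script below is an added example, not part of the original post, that automates both halves of the authority question: does the account exist, and does it hold exactly the groups its job needs and nothing more. It reuses the MY_* variables exported above (with the post's values as defaults) and the uniqueMember/cn layout of the ldapsearch output shown above. The offline functions parse LDIF on stdin so they can be exercised against SAMPLE_LDIF, which is constructed test data; the live_* functions run ldapsearch against a real server and are assumptions about your environment. The live group lookup also goes one step beyond the post: searching on the uniqueMember attribute returns every group of a user in a single query instead of working backward group by group.

```shell
#!/bin/sh
# Added example (not from the original post): verify a DB2 user's LDAP
# authority, i.e. the account is in every required group and in no group
# that exceeds its job. Uses the MY_* variables exported above; defaults
# below are the post's values. SAMPLE_LDIF is constructed test data in the
# shape of the ldapsearch group output shown above.

: "${MY_LDAP_HOST:=10.235.1.43}"
: "${MY_USER_BASEDN:=ou=people,dc=mybigcompany,dc=com}"
: "${MY_GROUP_BASEDN:=ou=serverGroup,dc=mybigcompany,dc=com}"

SAMPLE_LDIF='version: 1
dn: cn=DB2_DBA_PRD_ROLE,ou=serverGroup,dc=mybigcompany,dc=com
cn: DB2_DBA_PRD_ROLE
uniqueMember: uid=bgood,ou=people,dc=mybigcompany,dc=com
uniqueMember: uid=fsomeguy,ou=people,dc=mybigcompany,dc=com
objectClass: groupOfUniqueNames
objectClass: top

dn: cn=DB2_DEV_ROLE,ou=serverGroup,dc=mybigcompany,dc=com
cn: DB2_DEV_ROLE
uniqueMember: uid=fsomeguy,ou=people,dc=mybigcompany,dc=com
objectClass: groupOfUniqueNames
objectClass: top'

# Print the uid of every uniqueMember of group $1, reading ldapsearch (LDIF)
# output on stdin. Attributes may appear in any order inside a record, so each
# record is buffered until the next "dn:" line. Folded LDIF lines are not unwrapped.
members_of() {
    awk -v g="$1" '
        function flush(  i) { if (cn == g) for (i = 1; i <= n; i++) print m[i]; n = 0; cn = "" }
        /^dn:/                { flush() }
        $1 == "cn:"           { cn = substr($0, 5) }
        $1 == "uniqueMember:" { v = substr($0, 15); sub(/^uid=/, "", v); sub(/,.*/, "", v); m[++n] = v }
        END                   { flush() }'
}

# Print, sorted, the cn of every group on stdin that lists uid $1 as a uniqueMember.
groups_of() {
    awk -v u="$1" '
        function flush() { if (hit) print cn; hit = 0; cn = "" }
        /^dn:/                { flush() }
        $1 == "cn:"           { cn = substr($0, 5) }
        $1 == "uniqueMember:" && index(substr($0, 15), "uid=" u ",") == 1 { hit = 1 }
        END                   { flush() }' | sort
}

# check_authority UID "REQUIRED GROUPS" "FORBIDDEN GROUPS"
# Reads group LDIF on stdin, reports every gap (MISSING) and excess (EXCESS),
# and exits 0 only when the account holds what the job needs and nothing more.
check_authority() {
    ca_uid=$1; ca_required=$2; ca_forbidden=$3; ca_rc=0
    ca_have=$(groups_of "$ca_uid")
    for g in $ca_required; do
        printf '%s\n' "$ca_have" | grep -qx "$g" || { echo "MISSING: $ca_uid is not in $g"; ca_rc=1; }
    done
    for g in $ca_forbidden; do
        printf '%s\n' "$ca_have" | grep -qx "$g" && { echo "EXCESS: $ca_uid is in $g"; ca_rc=1; }
    done
    return $ca_rc
}

# Live (A) check: does an entry with this uid exist under USER_BASEDN?
# Needs a reachable LDAP server; assumed, not exercised offline.
live_user_exists() {
    ldapsearch -b "$MY_USER_BASEDN" -h "$MY_LDAP_HOST" "(uid=$1)" dn | grep -q '^dn:'
}

# Live (B) check: one search on uniqueMember returns every group of the user,
# instead of working backward from each group name.
live_check_authority() {
    ldapsearch -b "$MY_GROUP_BASEDN" -h "$MY_LDAP_HOST" \
        "(uniqueMember=uid=$1,$MY_USER_BASEDN)" | check_authority "$1" "$2" "$3"
}

# Offline demonstration on the constructed sample: fsomeguy is supposed to be a
# developer only, but also holds the production DBA role, so the check reports EXCESS.
if printf '%s\n' "$SAMPLE_LDIF" | check_authority fsomeguy "DB2_DEV_ROLE" "DB2_DBA_PRD_ROLE"; then
    echo "fsomeguy: authority matches job"
else
    echo "fsomeguy: authority does not match job"
fi
```

Against a live server you would call live_user_exists fsomeguy and then live_check_authority fsomeguy "DB2_DEV_ROLE" "DB2_DBA_PRD_ROLE"; the exit status makes the check usable from a periodic job that flags accounts whose group membership has drifted from their role.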
Footnotes

  1. See this post for some other experiences and thoughts I have had about the plug-in.
