If you are using the DB2 LDAP Plug-in (( See this post for some other experiences and thoughts I have had about the plug-in. )), you may wondering how to research whether your DB2 users have the authority to do their work. You will need to know that (A) they have an LDAP account and (B) they belong to the required LDAP groups to do their job, and not belong to groups that exceed their authority. Here is a quick cheatsheet on using the Unix utility ldapsearch to get this information. These examples assume you have a Unix shell session open and have the authority to run ldapsearch.
First go to your DB2 LDAP configuration file IBMLDAPSecurity.ini which will be in the <instance home directory>/sqllib/cfg directory. Look up the following variables in that text file: LDAP_HOST, USER_BASEDN and GROUP_BASEDN . The lines will look something like this:
LDAP_HOST = 10.235.1.43 10.235.173.67 10.235.173.170 10.235.44.34 10.50.1.43 10.50.50.101 10.50.60.37 10.222.71.55 10.222.68.55 USER_BASEDN = ou=people,dc=mybigcompany,dc=com GROUP_BASEDN = ou=serverGroup,dc=mybigcompany,dc=com
With LDAP_HOST you need to pick one host from the list. Pick an active LDAP server, in this case we will use 10.235.1.43.
Now export these values for ease of use:
export MY_USER_BASEDN="ou=people,dc=mybigcompany,dc=com" export MY_GROUP_BASEDN="ou=serverGroup,dc=mybigcompany,dc=com" export MY_LDAP_HOST="10.235.1.43"
OK now you can run lookups on your users’ LDAP account and group membership. To see all LDAP users:
ldapsearch -b "$MY_USER_BASEDN" -h $MY_LDAP_HOST "cn=*"
If I’m not sure of the exact spelling of my user’s name, but I have part of it, I might use thus ( ‘someguy’ stands for part of your user’s name and is not case sensitive):
ldapsearch -b "$MY_USER_BASEDN" -h $MY_LDAP_HOST "cn=*someguy*"
the output would be something like:
version: 1 dn: uid=fsomeguy,ou=people,dc=mybigcompany,dc=com shadowMin: 8 uidNumber: 10988 gidNumber: 10988 objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: mybigcompanyEmployee uid: jbenner gecos: Funguy Someguy cn: Funguy Someguy sn: Someguy homeDirectory: /home/fsomeguy mail: funguy.someguy@mybigcompany.com givenName: Funguy securityQuestion: what is your father's middle name?:l0Han3ZdQWsMS20BF3C9bf loginShell: /bin/ksh
Now you know the user account exists. To get the groups the user belongs to, you have to work backward from the group name. If you’re not sure, you can get all the LDAP groups with this command:
ldapsearch -b "$MY_GROUP_BASEDN" -h $MY_LDAP_HOST "cn=*"
You can get just the group names as “cn” attributes by piping the output to
grep "cn:"
Once you’ve verified the spelling of a group or groups you have an interest in, you can easily get the list of what users belong to that group. Say the group name is DB2_DBA_PRD_ROLE. The following command:
ldapsearch -b ""$MY_GROUP_BASEDN"" -h $MY_LDAP_HOST "cn=DB2_DBA_PRD_ROLE"
will give you something like:
version: 1 dn: cn=NEAT_DBA_PRD_ROLE,ou=serverGroup,dc=mybigcompany,dc=com cn: DB2_DBA_PRD_ROLE uniqueMember: uid=bgood,ou=people,dc=mybigcompany,dc=com uniqueMember: uid=culater,ou=people,dc=mybigcompany,dc=com uniqueMember: uid=dstruct,ou=people,dc=mybigcompany,dc=com uniqueMember: uid=db2,ou=people,dc=mybigcompany,dc=com uniqueMember: uid=elated,ou=people,dc=mybigcompany,dc=com objectClass: groupOfUniqueNames objectClass: top
Footnotes
