Здравствуйте!

Для того, чтобы DB2 брала пользователей из домена, а не из локальных групп,
скачал LDAP плагин.

Плагин ставил в соответствии с докой:

1. забросил файлы в требуемые каталоги:
.../sqllib/security32/plugin/server
.../sqllib/security32/plugin/client
.../sqllib/security32/plugin/group

2. в DB2 command line processor ввел след. комманды
UPDATE DBM CFG USING SRVCON_PW_PLUGIN IBMLDAPauthserver
UPDATE DBM CFG USING CLNT_PW_PLUGIN IBMLDAPauthclient
UPDATE DBM CFG USING GROUP_PLUGIN IBMLDAPgroups

После установки плагина db2 вообще отказывается запускаться:
>db2start
SQL1366N A security plug-in "IBMLDAPauthclient" processing error occurred on the client. Reason code ="7".

Note:

Подскажите, пожалуйста как можно исправить сложившуюся ситуацию ?
Если не исправить ошибку, то хотя бы как откатить данные изменения, чтобы вернуть db2 в рабочее состояние ?
Заранее, спасибо!

Уважаемый, тлгдшлщм !

Пытаюсь установить переменную окружения как Вы сказали:

db2set DB2LIBPATH="/home/db2inst1/sqllib/security32/plugin"

Выдает ошибку:
SQL1092N "IBMLDAPauthclient" does not have the authority to perform the requested command.

Note: Как выяснилось он на любое действие db2set пишет данную ошибку.

Подскажите, пожалуйста, как исправить ошибку?

Уважаемый, ggv !
Спасибо, что отозвались!

IBMLDAPSecurity.ini кинуть в sqllib/cfg не забыли, а вот по поводу его правильной настройки не уверены.

в db2diag.log пишутся следующие сообщения:


Скажите это все из-за Вами упомянутых пользователей? или мы действительно, что-то не так настроили?

Note: Из настроек IBMLDAPSecurity.ini поменяли лишь LDAP server (занесли туда IP адрес контроллера домена) .

Заранее спасибо!

Содержимое ini :


;----------------------------------------------------------------------
; Licensed Materials - Property of IBM
;
; Governed under the terms of the International
; License Agreement for Non-Warranted Sample Code.
;
; (C) COPYRIGHT International Business Machines Corp. 2006
; All Rights Reserved.
;
; US Government Users Restricted Rights - Use, duplication or
; disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
;----------------------------------------------------------------------
;
; Sample configuration file for the IBM DB2 LDAP Security Plugin
;
; The default name and location for this file is
; UNIX: INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
; Windows: %DB2PATH%\cfg\IBMLDAPSecurity.ini
; Optionally, the location of this file can be specified via the
; DB2LDAPSecurityConfig environment variable.
; On Windows systems, this variable should be set in the global
; system environment to ensure it is picked up by the DB2 service.
;
; A semicolon anywhere on a line begins a comment.
;----------------------------------------------------------------------


;----------------------------------------------------------------------
; SERVER RELATED VALUES
;----------------------------------------------------------------------

; LDAP_HOST
; Name of your LDAP server(s).
; This is a space separated list of LDAP server hostnames or IP
; addresses, with an option port number for each one:
; host1[:port] [host2:[port2] ... ]
; The default port number is 389, or 636 if SSL is enabled.
LDAP_HOST = 192.168.4.1

; ENABLE_SSL
; To enable SSL support, you must have the GSKit toolkit installed.
; Optional; defaults to false (no SSL).
;ENABLE_SSL = true

; SSL_KEYFILE and SSL_PW
; SSL keyring and keyring password
; A keyfile is only required if your LDAP server is using a
; certificate that isn't automatically trusted by your GSkit install.
;SSL_KEYFILE = /home/db2inst1/IBMLDAPSecurity.kdb
;SSL_PW = keyfile-password


;----------------------------------------------------------------------
; USER RELATED VALUES
;----------------------------------------------------------------------

; USER_OBJECTCLASS
; LDAP object class used for users
; Generally "inetOrgPerson" ("user" for MSAD)
USER_OBJECTCLASS = inetOrgPerson

; USER_BASEDN
; LDAP base DN to use when searching for users.
; This is optional. If not specified, user searches will
; start at the root of the LDAP directory. Some LDAP servers
; require that you specify a value for this parameter.
;USER_BASEDN = o=ibm

; USERID_ATTRIBUTE
; LDAP user attribute that represents the "userid"
; This attribute is combined with the USER_OBJECTCLASS and USER_BASEDN
; (if specified) to construct an LDAP search filter when a user issues
; a DB2 CONNECT statement with an unqualified userid.
; For example, using the default values in this configuration file,
; db2 connect to MYDB user bob using bobpass
; results in the following search filter:
; &(objectClass=inetOrgPerson)(uid=bob)
USERID_ATTRIBUTE = uid

; AUTHID_ATTRIBUTE
; LDAP user attribute that represents the DB2 "authorization ID"
; (typically this is the same as the USERID_ATTRIBUTE).
AUTHID_ATTRIBUTE = uid


;----------------------------------------------------------------------
; GROUP RELATED VALUES
;----------------------------------------------------------------------

; GROUP_OBJECTCLASS
; LDAP object class used for groups
; Generally "groupOfNames" or "groupOfUniqueNames" ("group" for MSAD)
GROUP_OBJECTCLASS = groupOfNames

; GROUP_BASEDN
; LDAP base DN to use when searching for groups
; This is optional. If not specified, group searches will
; start at the root of the LDAP directory. Some LDAP servers
; require that you specify a value for this parameter.
;GROUP_BASEDN = o=ibm

; GROUPNAME_ATTRIBUTE
; LDAP group attribute that represents the name of the group
GROUPNAME_ATTRIBUTE = cn

; GROUP_LOOKUP_METHOD
; Determines the method used to find the group memberships for a user.
; Possible values are:
; SEARCH_BY_DN - Search for groups that list the user as a member.
; Membership is indicated by the group attribute defined
; as GROUP_LOOKUP_ATTRIBUTE (typically "member" or
; "uniqueMember").
; USER_ATTRIBUTE - A user's groups are listed as attributes of the user
; object itself. Search for the user attribute defined
; as GROUP_LOOKUP_ATTRIBUTE to get the groups (typically
; "memberOf" for MSAD or "ibm-allGroups" for ITDS).
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
;GROUP_LOOKUP_METHOD = USER_ATTRIBUTE

; GROUP_LOOKUP_ATTRIBUTE
; Name of the attribute used to determine group membership, as described
; above.
GROUP_LOOKUP_ATTRIBUTE = member
;GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups

; NESTED_GROUPS
; If NESTED_GROUPS is true, we recursively search for group memberships by
; attempting to look up the group memberships for every group that we find.
; Cycles (A belongs to B, B belongs to A) are handled correctly.
; This is optional, and default to false.
;NESTED_GROUPS = true


;----------------------------------------------------------------------
; MISCELLANEOUS VALUES
;----------------------------------------------------------------------

; If your LDAP server does not support anonymous access, or if anonymous
; access is not sufficient when searching for users or groups, then you
; can define a DN and password that will be used to perform searches.
; Optional.
;SEARCH_DN = cn=root
;SEARCH_PW = rootpassword


; Dump some extra information to the db2diag.log to aid in debugging
; LDAP related issues. Most of the additional information will be
; logged at DIAGLEVEL 4 (INFO).
; Optional, defaults to false.
;DEBUG = true

Уважаемый, ggv !

Выполнил запрос как Вы сказали:
ldapsearch -x "(&(objectClass=inetOrgPerson)(uid=db2inst1))"

Вывело:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectClass=inetOrgPerson)(uid=db2inst1))
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1

Вроде вернулся один объект, но какая-то ошибочка вдобавок! С чем это может быть связано?

to ggv !

ggv
Если все верно - работает. Ну у меня же работает.
На той же сусятине.
Вы говорите у Вас работает.
А у Вас, если не секрет, какая рабочая структура?
Что у Вас является сервером LDAP?