Administration Guide

Configuring DB2 in the IBM LDAP Environment

Before you can use DB2 in the IBM LDAP environment, you must configure the following on each machine:

Enable the LDAP support. For Windows 2000, the LDAP support is enabled by the installation program. For Windows 95/98/NT, you must explicitly enable LDAP by setting the DB2_ENABLE_LDAP registry variable to "YES" using the db2set command.
The LDAP server's TCP/IP host name and port number. These values can be entered during unattended installation using the DB2LDAPHOST response keyword, or you can manually set them later by using the DB2SET command:
```
   db2set DB2LDAPHOST=<hostname[:port]>
```
where hostname is the LDAP server's TCP/IP hostname, and [:port] is the port number. If a port number is not specified, DB2 will use the default LDAP port (389).
DB2 objects are located in the LDAP base distinguished name (baseDN). If you are using IBM SecureWay LDAP directory server Version 3.1, you do not have to configure the base distinguished name since DB2 can dynamically obtain this information from the server. However, if you are using IBM eNetwork Directory Server Version 2.1, you must configure the LDAP base distinguished name on each machine by using the DB2SET command:
```
   db2set DB2LDAP_BASEDN=<baseDN>
```
where baseDB is the name of the LDAP suffix that is defined at the LDAP server. This LDAP suffix is used to contain DB2 objects.
The LDAP user's distinguished name (DN) and password. These are required only if you plan to use LDAP to store DB2 user-specific information.

Creating an LDAP User

DB2 supports setting DB2 registry variables and CLI configuration at the user level. (This is not available on the AIX and Solaris platforms.) User level support provides user-specific settings in a multi-user environment. An example is Windows NT Terminal Server where each logon user can customize his or her own environment without interfering with the system environment or another user's environment.

When using the IBM LDAP directory, you must define an LDAP user before you can store user-level information in LDAP. You can create an LDAP user in one of the following ways:

Create an LDIF file to contain all attributes for the user object, then run the LDIF import utility to import the object into the LDAP directory. The LDIF utility for the IBM LDAP server is "LDIF2DB".
Use the Directory Management Tool (DMT), available only for the IBM SecureWay LDAP Directory Server Version 3.1, to create the user object.

A LDIF file containing the attributes for a person object appears similar to the following:

   File name: newuser.ldif
 
	dn: cn=Mary Burnnet, ou=DB2 UDB Development, ou=Toronto, o=ibm, c=ca
	objectclass: ePerson
	cn: Mary Burnnet
	sn: Burnnet
	uid: mburnnet
	userPassword: password
	telephonenumber: 1-416-123-4567
	facsimiletelephonenumber: 1-416-123-4568
	title: Software Developer

Following is an example of the LDIF command to import an LDIF file using the IBM LDIF import utility:

   LDIF2DB -i newuser.ldif

Notes:

You must run the LDIF2DB command from the LDAP server machine.
You must grant the required access (ACL) to the LDAP user object so that the LDAP user can add, delete, read, and write to his own object. To grant ACL for the user object, use the LDAP Directory Server Web Administration tool.

Configuring the LDAP User for DB2 Applications

When working with the IBM LDAP client and before running DB2, you must configure the LDAP user distinguished name (DN) and password for the current logon user. This can be done using the db2ldcfg utility:

   db2ldcfg -u <userDN> -w <password> --> set the user's DN and password
            -r                        --> clear the user's DN and password

For example:

   db2ldcfg -u "cn=Mary Burnnet,ou=DB2 UDB Development,ou=Toronto,o=ibm,c=ca"
            -w password

[ Top of Page | Previous Page | Next Page ]