Administration Guide

Security Considerations

Before accessing information in the LDAP directory, an application or user is authenticated by the LDAP server. The authentication process is called binding to the LDAP server.

It is important to apply access control on the information stored in the LDAP directory to prevent anonymous users from adding, deleting, or modifying the information.

Access control is inherited by default and can be applied at the container level. When a new object is created, it inherits the same security attributes as its parent object. An administration tool available for the LDAP server can be used to define access control for the container object.

By default, access control is defined as follows:

Note: The authorization check is always performed by the LDAP server and not by DB2. The LDAP authorization check is not related to DB2 authorization. An account or auth ID that has SYSADM authority may not have access to the LDAP directory.

When running the LDAP commands or APIs, if the bind Distinguished Name (bindDN) and password are not specified, DB2 binds to the LDAP server using the default credentials. Those credentials may not have sufficient authority to perform the requested commands, in which case an error is returned.

You can explicitly specify the user's bindDN and password using the USER and PASSWORD clauses of the DB2 commands or APIs. Refer to the Command Reference for more information on DB2 commands, and to the Administrative API Reference for more information on DB2 APIs.
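The following is an added example, not part of the original guide, showing how the USER and PASSWORD clauses described above can be supplied to the REGISTER and CATALOG LDAP commands from PowerShell without typing the password into the shell history. The node name, host name, service name, database name and bind identity are constructed placeholders; the script assumes the DB2 command line processor (db2) is on the path and is run from a DB2 command window.

```powershell
# Added example: run DB2 LDAP commands with an explicit bind identity.
# Assumes the db2 CLP is available (DB2 command window); all names below are placeholders.

function Invoke-Db2LdapCommand {
    param(
        [Parameter(Mandatory)] [string] $CommandText,      # DB2 command without USER/PASSWORD
        [Parameter(Mandatory)] [pscredential] $BindCredential
    )
    # Append the USER/PASSWORD clauses so DB2 binds as this identity rather than
    # with the default credentials (which may lack authority and make the command fail).
    $bindUser = $BindCredential.UserName
    $bindPass = $BindCredential.GetNetworkCredential().Password
    & db2 "$CommandText USER $bindUser PASSWORD $bindPass"

    # DB2 CLP returns a non-zero exit code when the command fails, e.g. when the bind
    # identity has insufficient LDAP authority; surface it instead of continuing silently.
    if ($LASTEXITCODE -ne 0) {
        throw "DB2 command failed with return code $LASTEXITCODE : $CommandText"
    }
}

# Prompt for the bindDN and password instead of embedding them in the script.
# For Windows 2000 Active Directory the user name is the Windows account; for other LDAP
# servers it is the bindDN, for example "cn=db2admin,o=example" (placeholder).
$cred = Get-Credential -Message 'LDAP bind identity used by DB2'

# Placeholders: replace with the real node, host, service name and database.
$node = 'DB2NODE1'
$host = 'db2srv01.example.com'
$svc  = '50000'
$db   = 'SAMPLE'

Invoke-Db2LdapCommand -BindCredential $cred `
    -CommandText "REGISTER DB2 SERVER IN LDAP AS $node PROTOCOL TCPIP HOSTNAME $host SVCENAME $svc"

Invoke-Db2LdapCommand -BindCredential $cred `
    -CommandText "CATALOG LDAP DATABASE $db AS ${db}_LDAP AT NODE $node"
```

The password is still passed to db2 as a command-line argument, so it is visible in the process list for the duration of the command; this keeps it out of the script file and shell history but is not a substitute for granting the bind identity only the directory rights it needs.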

Security Considerations for Windows 2000 Active Directory

The DB2 database and node objects are created under the computer object of the machine where the DB2 server is installed in the Active Directory. To register a database server or catalog a database in the Active Directory, you need to have sufficient access to create and/or update the objects under the computer object.

By default, objects under the computer object are readable by any authenticated user and updateable by administrators (users that belong to the Administrators, Domain Administrators, and Enterprise Administrators groups). To grant access for a specific user or a group, use the Active Directory Users and Computers Management Console (MMC) as follows:

  1. Start the Active Directory Users and Computers administration tool
     (Start --> Programs --> Administrative Tools --> Active Directory Users and Computers)

  2. Under View, select Advanced Features
  3. Select the Computers container
  4. Right click on the computer object that represents the server machine where DB2 is installed and select Properties
  5. Select the Security tab, then add the required access to the specified user or group

The DB2 registry variables and CLI settings at the user level are maintained in the DB2 property object under the user object. To set the DB2 registry variables or CLI settings at the user level, a user needs to have sufficient access to create objects under the User object.

By default, only administrators have access to create objects under the User object. To grant a user access to set the DB2 registry variables or CLI settings at the user level, use the Active Directory Users and Computers Management Console (MMC) as follows:

  1. Start the Active Directory Users and Computers administration tool
     (Start --> Programs --> Administrative Tools --> Active Directory Users and Computers)

  2. Select the user object under the Users container
  3. Right click on the user object and select Properties
  4. Select the Security tab
  5. Add "Write" and "Create All Child Objects" access to Self
  6. Select the check box "Allow inheritable permissions from parent to propagate to this object"
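The following is an added PowerShell example, not from the original guide, covering both procedures above: it first audits which identities can already create or write objects under the DB2 server's computer object (the rights the first procedure hands out), and then grants Self the "Write" and "Create All Child Objects" rights on a user object with inheritance enabled, as the second procedure does through the MMC. The domain, computer and user names are constructed placeholders; the script assumes the ActiveDirectory PowerShell module (which provides the AD: drive) is installed, and that the account running it may read and modify those ACLs.

```powershell
# Added example: audit and grant the Active Directory rights DB2 needs.
# Assumes the ActiveDirectory module; DOMAIN/COMPUTER/USER values are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'DB2SRV01'   # placeholder: server machine where DB2 is installed
$UserName     = 'dbuser1'    # placeholder: user who sets registry/CLI settings

# Rights that allow creating or changing objects under a container.
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$GenericWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

# Procedure 1 (review): list every Allow ACE on the computer object that permits
# creating child objects or writing properties. Anyone listed here can register
# DB2 servers or catalog databases under this machine, so the list should be short.
function Get-ComputerObjectWriters {
    param([Parameter(Mandatory)][string] $Computer)
    $dn  = (Get-ADComputer -Identity $Computer).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band ($CreateChild -bor $WriteProperty)) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Procedure 2 (grant): give the user's own identity (NT AUTHORITY\SELF, SID S-1-5-10)
# "Write" (GenericWrite) and "Create All Child Objects" (CreateChild) on the user
# object, and keep inheritable permissions from the parent flowing to it (step 6).
function Grant-SelfDb2PropertyAccess {
    param([Parameter(Mandatory)][string] $User)
    $dn   = (Get-ADUser -Identity $User).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        ($GenericWrite -bor $CreateChild),
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # isProtected = $false: inherit from parent; preserveInheritance = $true: keep existing ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Review before granting: the audit shows who can already write under the computer object.
Get-ComputerObjectWriters -Computer $ComputerName | Format-Table -AutoSize

Grant-SelfDb2PropertyAccess -User $UserName
```

GenericWrite is a composite right, so the audit deliberately tests the narrower CreateChild and WriteProperty bits; an ACE granting GenericAll also matches, because it includes both. Re-run the audit after the grant to confirm that only the expected identities appear.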
