Db2 Quick Guide
DB2 - LDAP
Introduction
LDAP is the Lightweight Directory Access Protocol: an industry-standard protocol for a global directory service, based on the client-server model and running on a layer above the TCP/IP stack. LDAP provides a facility to connect to, access, modify, and search an Internet directory.
LDAP servers contain information organized in the form of a directory tree. Clients ask a server to provide information or to perform an operation on a particular piece of information. The server answers the client with the requested information if it holds it, or refers the client to another server that can act on the request. The client then acquires the desired information from that other server.
The tree structure of the directory is maintained identically across all participating servers; this is a prominent feature of the LDAP directory service. Hence, irrespective of which server the client is referred to, the client always obtains the required information without error. Here, we use LDAP to authenticate IBM DB2 users as a replacement for operating-system authentication.
There are two types of LDAP:
Let us see how to configure transparent LDAP.
Configuring transparent LDAP
To start the configuration of transparent LDAP, you need to configure the LDAP server.
LDAP server configuration
Create a SLAPD.conf file containing, in LDIF format, all the user and group objects for the LDAP directory. When you install the LDAP server, it is configured by default with a basic LDAP directory tree on your machine.
The listing shown below gives the file contents after modification.
The values used in the listing below are as follows: DBA user-id = "db2my1", group = "dbmy1adm", password = "db2my1"; admin user-id = "my1adm", group = "dbmy1ctl".
# base dn: example.com
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject
# pc box db
dn: dc=db697,dc=example,dc=com
dc: db697
o: db697
objectClass: organization
objectClass: dcObject
#
# Group: dbadm
#
dn: cn=dbmy1adm,dc=db697,dc=example,dc=com
cn: dbmy1adm
objectClass: top
objectClass: posixGroup
gidNumber: 400
objectClass: groupOfNames
member: uid=db2my1,cn=dbmy1adm,dc=db697,dc=example,dc=com
memberUid: db2my1
#
# User: db2
#
dn: uid=db2my1,cn=dbmy1adm,dc=db697,dc=example,dc=com
cn: db2my1
sn: db2my1
uid: db2my1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 400
gidNumber: 400
loginShell: /bin/csh
homeDirectory: /db2/db2my1
#
# Group: dbctl
#
dn: cn=dbmy1ctl,dc=db697,dc=example,dc=com
cn: dbmy1ctl
objectClass: top
objectClass: posixGroup
gidNumber: 404
objectClass: groupOfNames
member: uid=my1adm,cn=dbmy1ctl,dc=db697,dc=example,dc=com
memberUid: my1adm
#
# User: adm
#
dn: uid=my1adm,cn=dbmy1ctl,dc=db697,dc=example,dc=com
cn: my1adm
sn: my1adm
uid: my1adm
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 404
gidNumber: 404
loginShell: /bin/csh
homeDirectory: /home/my1adm
Save the above file as '/var/lib/slapd.conf', then load it into the LDAP server with the following command. This is a Linux command, not a db2 command.
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /var/lib/slapd.conf
After registering the DB2 users and the DB2 group at the LDAP server, log on as the user under which the instance and database are installed. You need to configure the LDAP client so that it knows where your server is located, whether remote or local.
LDAP client configuration
The LDAP client configuration is saved in the file 'ldap.conf'. There are two files for configuration parameters, one common and one specific. You should find the first at '/etc/ldap.conf' and the latter at '/etc/openldap/ldap.conf'.
The following data is available in the common LDAP client configuration file:
# File: /etc/ldap.conf
# The file contains many more entries, most of them comments.
# Only the interesting values are shown here.
host localhost
base dc=example,dc=com
ldap_version 3
pam_password crypt
pam_filter objectclass=posixAccount
nss_map_attribute uniqueMember member
nss_base_passwd dc=example,dc=com
nss_base_shadow dc=example,dc=com
nss_base_group dc=example,dc=com
You need to change the server location and domain information according to the DB2 configuration. If the server is on the same system, specify 'localhost' for 'host'; for 'base', configure the base DN that is given in the 'SLAPD.conf' file for the LDAP server.
Pluggable Authentication Modules (PAM) is an API for authentication services. This is the common interface for LDAP authentication with an encrypted password and a special LDAP object of type posixAccount. All LDAP objects of this type represent an abstraction of an account with Portable Operating System Interface (POSIX) attributes.
Network Security Services (NSS) is a set of libraries that supports cross-platform development of security-enabled client and server applications. This includes libraries for SSL, TLS, PKCS, S/MIME and other security standards.
You need to specify the base DN for this interface and two additional mapping attributes. The OpenLDAP client configuration file contains the entries given below:
host localhost
base dc=example,dc=com
Up to this point you have only defined the host of the LDAP server and the base DN.
Validating OpenLDAP environment
After you have configured your LDAP server and LDAP client, verify that the two can communicate.
Step 1: Check that your local LDAP server is running, using the command below:
ps -ef | grep -i ldap
This command should list the LDAP daemon that represents your LDAP server:
/usr/lib/openldap/slapd -h ldap:/// -u ldap -g ldap -o slp=on
This indicates that your LDAP server is running and waiting for requests from clients. If the previous command shows no such process, you can start the LDAP server with the 'rcldap' command.
rcldap start
Once the server starts, you can monitor it in the file '/var/log/messages' by issuing the following command.
tail -f /var/log/messages
Testing connection to LDAP server with ldapsearch
The ldapsearch command opens a connection to an LDAP server, binds to it, and performs a search query. The '-x' parameter connects to your LDAP server with simple authentication instead of a more complex mechanism such as Simple Authentication and Security Layer (SASL).
ldapsearch -x
The LDAP server should reply with a response like the one below, containing all of your LDAP entries in LDAP Data Interchange Format (LDIF).
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# example.com
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Configuring DB2
After setting up the LDAP server and client, you need to configure your DB2 database for use with LDAP. Let us discuss how to install and configure your database to use the LDAP environment for the DB2 user authentication process.
Configuring DB2 and LDAP interaction plug-ins
IBM provides a free package with LDAP plug-ins for DB2. The package includes three DB2 security plug-ins, one for each of the following:
- server side authentication
- client side authentication
- group lookup
Depending on your requirements, you can use any of the three plug-ins or all of them. The plug-ins do not support environments where some users are defined in LDAP and others in the operating system. If you decide to use the LDAP plug-ins, you need to define all users associated with the database in the LDAP server. The same principle applies to the group plug-in.
You have to decide which plug-ins are mandatory for your system. The client authentication plug-in is used in scenarios where validation of the user ID and password supplied on a CONNECT or ATTACH statement occurs on the client system; for this, the database manager configuration parameter SRVCON_AUTH or AUTHENTICATION needs to be set to the value CLIENT. Client authentication is difficult to secure and is not generally recommended. The server plug-in is generally recommended because it performs server-side validation of user IDs and passwords when the client executes a CONNECT or ATTACH statement, which is the secure way. The server plug-in also provides a way to map LDAP user IDs to DB2 authorization IDs.
Before you start installing and configuring the DB2 security plug-ins, you need to think about the directory information tree that DB2 requires. DB2 uses indirect authorization, which means that a user belongs to a group and the group, rather than each user, is granted a limited set of authorities. You need to define all DB2 users and DB2 groups in the LDAP directory.
The LDIF file openldap.ldif should contain the code below:
#
# LDAP root object
# example.com
#
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject
#
# db2 groups
#
dn: cn=dasadm1,dc=example,dc=com
cn: dasadm1
objectClass: top
objectClass: posixGroup
gidNumber: 300
objectClass: groupOfNames
member: uid=dasusr1,cn=dasadm1,dc=example,dc=com
memberUid: dasusr1
dn: cn=db2grp1,dc=example,dc=com
cn: db2grp1
objectClass: top
objectClass: posixGroup
gidNumber: 301
objectClass: groupOfNames
member: uid=db2inst2,cn=db2grp1,dc=example,dc=com
memberUid: db2inst2
dn: cn=db2fgrp1,dc=example,dc=com
cn: db2fgrp1
objectClass: top
objectClass: posixGroup
gidNumber: 302
objectClass: groupOfNames
member: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
memberUid: db2fenc1
#
# db2 users
#
dn: uid=dasusr1,cn=dasadm1,dc=example,dc=com
cn: dasusr1
sn: dasusr1
uid: dasusr1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 300
gidNumber: 300
loginShell: /bin/bash
homeDirectory: /home/dasusr1
dn: uid=db2inst2,cn=db2grp1,dc=example,dc=com
cn: db2inst2
sn: db2inst2
uid: db2inst2
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 301
gidNumber: 301
loginShell: /bin/bash
homeDirectory: /home/db2inst2
dn: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
cn: db2fenc1
sn: db2fenc1
uid: db2fenc1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 303
# primary group is db2fgrp1, whose gidNumber is 302
gidNumber: 302
loginShell: /bin/bash
homeDirectory: /home/db2fenc1
Create a file named 'db2.ldif' and paste the above example into it. Using this file, add the defined structures to your LDAP directory.
To add the DB2 users and DB2 groups to the LDAP directory, you need to bind to the LDAP server as the 'rootdn' user in order to have the required privileges.
Execute the following command to populate the LDAP directory with all the objects defined in the LDIF file 'db2.ldif':
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f <path>/db2.ldif
Then run the search again, paging through the result:
ldapsearch -x | more
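Before loading db2.ldif (or the SLAPD.conf listing earlier on this page) with ldapadd, it is worth checking the file for the mistakes that the DB2 group plug-in later trips over. The script below is an added check, not part of the tutorial or of IBM's DB2 package; it parses the LDIF and verifies that every group 'member' DN names an entry in the file and that each member's primary gidNumber matches its group. The embedded sample LDIF is constructed and deliberately contains both faults.

```python
# Added check (not from the tutorial or from IBM's DB2 package): parse an LDIF of
# DB2 users and groups and flag what the DB2 group plug-in would trip over. With
# GROUP_LOOKUP_METHOD = SEARCH_BY_DN and GROUP_LOOKUP_ATTRIBUTE = member, a user's
# groups are found by matching its DN against 'member', so a mistyped DN drops it.
from collections import defaultdict

# Constructed sample modelled on the tutorial's db2.ldif. Two deliberate faults:
# db2fenc2 has no entry, and db2fenc1's gidNumber (303) is not db2fgrp1's (302).
SAMPLE_LDIF = """\
dn: cn=db2grp1,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 301
member: uid=db2inst2,cn=db2grp1,dc=example,dc=com

dn: cn=db2fgrp1,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 302
member: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
member: uid=db2fenc2,cn=db2fgrp1,dc=example,dc=com

dn: uid=db2inst2,cn=db2grp1,dc=example,dc=com
objectClass: posixAccount
uidNumber: 301
gidNumber: 301

dn: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
objectClass: posixAccount
uidNumber: 303
gidNumber: 303
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} with DNs and attribute names lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and comments
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                               # every entry starts with dn
            current = entries.setdefault(value.lower(), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def check_ldif(text):
    """Return the problems found; an empty list means the file is consistent."""
    entries, problems = parse_ldif(text), []
    for dn, attrs in entries.items():
        gid = attrs.get("gidnumber", [None])[0]
        for member in attrs.get("member", []):         # groupOfNames membership
            target = entries.get(member.lower())
            if target is None:
                problems.append(f"{dn}: member {member} has no entry in the file")
            elif target.get("gidnumber", [None])[0] != gid:
                problems.append(f"{member}: gidNumber differs from group {dn} ({gid})")
    return problems
```

Run check_ldif on the real file's text and fix every reported line before running ldapadd; an empty result means the member DNs and primary groups line up.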
Preparing file system for DB2 usage
Create an instance for our LDAP user db2inst2. This user requires a home directory with two empty files inside it. Before you create a new instance, you need to create the user who will be the owner of the instance.
After creating the instance user, you have to create the files '.profile' and '.login' in the user's home directory; DB2 will modify them later. To create these files, execute the following commands:
mkdir /home/db2inst2
touch /home/db2inst2/.login
touch /home/db2inst2/.profile
You have registered all users and groups related to DB2 in the LDAP directory; now you can create an instance named 'db2inst2' with the instance owner id 'db2inst2' and the fenced user id 'db2fenc1', which is needed for running user-defined functions (UDFs) or stored procedures.
/opt/ibm/db2/V10.1/instance/db2icrt -u db2fenc1 db2inst2
DBI1070I Program db2icrt completed successfully.
Now check the instance home directory. You can see a new sub-directory called 'sqllib', and the .profile and .login files customized for DB2 usage.
Configuring authentication plug-ins for LDAP support in DB2
Copy the required LDAP plug-ins to the appropriate DB2 directories:
cp ///v10/IBMLDAPauthserver.so /home/db2inst2/sqllib/security/plugin/server/.
cp ///v10/IBMLDAPgroups.so /home/db2inst2/sqllib/security/plugin/group/.
Once the plug-ins are copied to the specified directories, you need to log in as the DB2 instance owner and change the database manager configuration to use them.
su - db2inst2
db2inst2> db2 update dbm cfg using srvcon_pw_plugin IBMLDAPauthserver
db2inst2> db2 update dbm cfg using group_plugin IBMLDAPgroups
db2inst2> db2 update dbm cfg using authentication SERVER_ENCRYPT
db2inst2> db2stop
db2inst2> db2start
This modification comes into effect after you restart the DB2 instance. After restarting the instance, you need to install and configure the main DB2 LDAP configuration file, 'IBMLDAPSecurity.ini', to make the DB2 plug-ins work with the current LDAP configuration.
The IBMLDAPSecurity.ini file contains:
;-----------------------------------------------------------
; SERVER RELATED VALUES
;-----------------------------------------------------------
; Name of your LDAP server(s).
; This is a space separated list of LDAP server addresses,
; with an optional port number for each one:
; host1[:port] [host2:[port2] ... ]
; The default port number is 389, or 636 if SSL is enabled.
LDAP_HOST = my.ldap.server
;-----------------------------------------------------------
; USER RELATED VALUES
;-----------------------------------------------------------
; LDAP object class used for users
USER_OBJECTCLASS = posixAccount
; LDAP user attribute that represents the "userid"
; This attribute is combined with the USER_OBJECTCLASS and
; USER_BASEDN (if specified) to construct an LDAP search
; filter when a user issues a DB2 CONNECT statement with an
; unqualified userid. For example, using the default values
; in this configuration file, (db2 connect to MYDB user bob
; using bobpass) results in the following search filter:
; &(objectClass=inetOrgPerson)(uid=bob)
USERID_ATTRIBUTE = uid
; LDAP user attribute representing the DB2 authorization ID
AUTHID_ATTRIBUTE = uid
;-----------------------------------------------------------
; GROUP RELATED VALUES
;-----------------------------------------------------------
; LDAP object class used for groups
GROUP_OBJECTCLASS = groupOfNames
; LDAP group attribute that represents the name of the group
GROUPNAME_ATTRIBUTE = cn
; Determines the method used to find the group memberships
; for a user. Possible values are:
; SEARCH_BY_DN - Search for groups that list the user as
; a member. Membership is indicated by the
; group attribute defined as
; GROUP_LOOKUP_ATTRIBUTE.
; USER_ATTRIBUTE - A user's groups are listed as attributes
; of the user object itself. Search for the
; user attribute defined as
; GROUP_LOOKUP_ATTRIBUTE to get the groups.
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
; GROUP_LOOKUP_ATTRIBUTE
; Name of the attribute used to determine group membership,
; as described above.
; GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups
GROUP_LOOKUP_ATTRIBUTE = member
Now locate the IBMLDAPSecurity.ini file in the current instance directory and copy the above sample contents into it.
cp //db2_ldap_pkg/IBMLDAPSecurity.ini /home/db2inst2/sqllib/cfg/
Now you need to restart your DB2 instance, using the two commands given below:
db2inst2> db2stop
db2inst2> db2start
At this point, if you try the 'db2start' command, you will get a security error message, because the DB2 security configuration is not yet correctly set up for your LDAP environment.
Customizing both configurations
Keep the LDAP_HOST name handy; it is the host configured in the slapd.conf file.
Now edit the IBMLDAPSecurity.ini file and enter the LDAP_HOST name. The LDAP_HOST name in both files must be identical.
The contents of the file are as shown below:
;-----------------------------------------------------------
; SERVER RELATED VALUES
;-----------------------------------------------------------
LDAP_HOST = localhost
;-----------------------------------------------------------
; USER RELATED VALUES
;-----------------------------------------------------------
USER_OBJECTCLASS = posixAccount
USER_BASEDN = dc=example,dc=com
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
;-----------------------------------------------------------
; GROUP RELATED VALUES
;-----------------------------------------------------------
GROUP_OBJECTCLASS = groupOfNames
GROUP_BASEDN = dc=example,dc=com
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
After changing these values, LDAP takes effect immediately and your DB2 environment works with LDAP.
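The settings above describe two searches the plug-ins perform: the user lookup built from USER_OBJECTCLASS, USERID_ATTRIBUTE and USER_BASEDN when an unqualified userid is given on CONNECT, and the SEARCH_BY_DN group lookup that matches the user's DN against GROUP_LOOKUP_ATTRIBUTE. The script below is an added example, not code from the tutorial or from IBM's plug-in; it reads ini text in this format and reproduces both searches, escaping attribute values per RFC 4515 (the page does not say how IBM's plug-in escapes, so that detail is an assumption), and the embedded ini text is a constructed copy of the final settings.

```python
# Added example (not from the tutorial or from IBM's plug-in code): build the
# LDAP searches that the IBMLDAPSecurity.ini settings describe for a userid
# given on CONNECT. Values are escaped per RFC 4515 so that filter
# metacharacters in a userid cannot change the filter the server evaluates;
# the page does not say how IBM's plug-in escapes, so that part is an assumption.
import configparser

# Constructed copy of the tutorial's final settings (the real file has no [section]).
SECURITY_INI = """\
LDAP_HOST = localhost
USER_OBJECTCLASS = posixAccount
USER_BASEDN = dc=example,dc=com
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
GROUP_OBJECTCLASS = groupOfNames
GROUP_BASEDN = dc=example,dc=com
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
"""

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_settings(text):
    """Parse the ini text; configparser needs a section header, so one is added."""
    cfg = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None)
    cfg.optionxform = str                        # keep keys exactly as written
    cfg.read_string("[ldap]\n" + text)
    return dict(cfg["ldap"])


def user_search(settings, userid):
    """(base DN, filter) used to resolve an unqualified userid on CONNECT."""
    flt = "(&(objectClass=%s)(%s=%s))" % (
        settings["USER_OBJECTCLASS"],
        settings["USERID_ATTRIBUTE"],
        escape_filter_value(userid),
    )
    return settings.get("USER_BASEDN", ""), flt


def group_search(settings, user_dn):
    """(base DN, filter) for SEARCH_BY_DN: groups whose lookup attribute holds user_dn."""
    if settings.get("GROUP_LOOKUP_METHOD") != "SEARCH_BY_DN":
        raise ValueError("only GROUP_LOOKUP_METHOD = SEARCH_BY_DN is modelled here")
    flt = "(&(objectClass=%s)(%s=%s))" % (
        settings["GROUP_OBJECTCLASS"],
        settings["GROUP_LOOKUP_ATTRIBUTE"],
        escape_filter_value(user_dn),
    )
    return settings.get("GROUP_BASEDN", ""), flt
```

Feeding the returned base DN and filter to ldapsearch -x -b is a quick way to confirm, outside DB2, that a given userid resolves to exactly one posixAccount and that its groups are found.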
Log out and log in again as the 'db2inst2' user.
Now your instance is working with the LDAP directory.