Introduction
LDAP stands for Lightweight Directory Access Protocol. It is an industry-standard, vendor-neutral protocol for directory services; it follows a client/server model and runs over the TCP/IP stack. LDAP lets a client connect to a directory and then read, modify and search its contents.
An LDAP server holds data organized as a directory tree. Clients ask the server for information or for an operation on a particular entry. The server answers with the requested data if it holds it, or refers the client to another server that does; the client then obtains the data from that server.
The tree structure of the directory is kept the same across all participating servers. This is a notable feature of LDAP directory services: whichever server the client contacts, it gets the same answer. In this tutorial LDAP is used to authenticate IBM DB2 users as a replacement for operating-system authentication.
There are two ways to use LDAP with DB2:
- Transparent LDAP (the operating system authenticates against LDAP through PAM and NSS)
- LDAP plug-ins (DB2's own security plug-ins talk to LDAP directly)
Let us first see how to configure transparent LDAP.
Configuring transparent LDAP
To begin with transparent LDAP, you have to configure the LDAP server.
LDAP server configuration
Create an LDIF file that contains the user and group objects to load into the directory. The tutorial saves it as slapd.conf, which is an unfortunate name: it is directory data, not the slapd daemon's own configuration file (normally /etc/openldap/slapd.conf). When you install an LDAP server, it is configured with a basic LDAP directory tree on your machine by default.
The listing below shows the file contents.
The listing defines the following:
DBA user-id "db2my1", group "dbmy1adm", password "db2my1"; admin user-id "my1adm", group "dbmy1ctl". Note that the listing sets no userPassword attribute, so nobody can bind as these users until you set their passwords after loading (for example with ldappasswd).
# base dn: example.com
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

# pc box db
dn: dc=db697,dc=example,dc=com
dc: db697
o: db697
objectClass: organization
objectClass: dcObject

#
# Group: dbadm
#
dn: cn=dbmy1adm,dc=db697,dc=example,dc=com
cn: dbmy1adm
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 400
member: uid=db2my1,cn=dbmy1adm,dc=db697,dc=example,dc=com
memberUid: db2my1

#
# User: db2
#
dn: uid=db2my1,cn=dbmy1adm,dc=db697,dc=example,dc=com
cn: db2my1
sn: db2my1
uid: db2my1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 400
gidNumber: 400
loginShell: /bin/csh
homeDirectory: /db2/db2my1

#
# Group: dbctl
#
dn: cn=dbmy1ctl,dc=db697,dc=example,dc=com
cn: dbmy1ctl
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 404
member: uid=my1adm,cn=dbmy1ctl,dc=db697,dc=example,dc=com
memberUid: my1adm

#
# User: adm
#
dn: uid=my1adm,cn=dbmy1ctl,dc=db697,dc=example,dc=com
cn: my1adm
sn: my1adm
uid: my1adm
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 404
gidNumber: 404
loginShell: /bin/csh
homeDirectory: /home/my1adm
Save the file as '/var/lib/slapd.conf', then load it into the LDAP server with the following command. This is a Linux command, not a DB2 command. -x selects simple authentication, -D binds as the rootdn defined in the server configuration, and -W prompts for its password instead of taking it on the command line, where it would be visible in the process list and the shell history. One thing to check before loading: OpenLDAP's stock nis.schema declares posixGroup as a STRUCTURAL class, and groupOfNames is STRUCTURAL too; slapd rejects an entry with two structural classes, so this combination needs the rfc2307bis schema (where posixGroup is AUXILIARY) or a single group class.
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /var/lib/slapd.conf
After registering the DB2 users and DB2 groups on the LDAP server, log on to the machine where you installed the instance and database. You need to configure the LDAP client there so that it knows where your server is, whether remote or local.
LDAP client configuration
The LDAP client configuration is saved in the file 'ldap.conf'. There are two files for configuration parameters, one common and one specific. The first is at '/etc/ldap.conf' (read by the pam_ldap and nss_ldap modules) and the second at '/etc/openldap/ldap.conf' (read by the OpenLDAP libraries and command-line tools).
The following entries are the relevant ones in the common LDAP client configuration file:
# File: /etc/ldap.conf
# The file contains many more entries, most of them comments;
# only the interesting values are shown here.
host localhost
base dc=example,dc=com
ldap_version 3
pam_password crypt
pam_filter objectclass=posixAccount
nss_map_attribute uniqueMember member
nss_base_passwd dc=example,dc=com
nss_base_shadow dc=example,dc=com
nss_base_group dc=example,dc=com
Change the server location and domain information to match your DB2 setup. If the server runs on the same machine, put 'localhost' in 'host'; in 'base', put the base DN you defined in the LDIF file loaded into the LDAP server. A bare host name means the client speaks ldap:// on port 389 without TLS, which is acceptable only on the loopback interface; for a remote server, add 'ssl start_tls' (or point 'uri' at an ldaps:// address) so that bind passwords are not sent in cleartext.
Pluggable Authentication Modules (PAM) is an API for authentication services. pam_ldap is the common interface for LDAP authentication with a hashed password and the special LDAP object class posixAccount; all LDAP objects of this class represent an abstraction of an account with Portable Operating System Interface (POSIX) attributes. 'pam_password crypt' selects the hash format pam_ldap stores when a password is changed; traditional crypt is weak, so prefer 'pam_password exop', which lets the server hash the password through the password-modify extended operation, where the server supports it.
Name Service Switch (NSS) is the glibc mechanism that resolves users, groups and shadow entries from pluggable sources; the nss_* entries above configure nss_ldap so that the operating system reads passwd, shadow and group data from LDAP. (This is not the Mozilla Network Security Services library, which shares the acronym but is a TLS/PKCS crypto library and plays no part here.)
You need to specify the base DN for this interface and two extra mapping attributes. The OpenLDAP client configuration file contains the entries given below:
host localhost
base dc=example,dc=com
Up to this point you have only defined the host of the LDAP server and the base DN.
Validating the OpenLDAP environment
After you have configured the LDAP server and the LDAP client, verify that the two can communicate.
Step 1: Check that your local LDAP server is running, using the command below:
ps -ef | grep -i ldap
The command should list the LDAP daemon, which represents your LDAP server:
/usr/lib/openldap/slapd -h ldap:// -u ldap -g ldap -o slp=on
This shows that the LDAP server is running and waiting for requests from clients. If no such process appears, start the LDAP server with the 'rcldap' command (the SUSE init script; other distributions start the slapd service through their own service manager):
rcldap start
When the server starts, you can watch it in the file '/var/log/messages' with the following command:
tail -f /var/log/messages
Testing the connection to the LDAP server with ldapsearch
The ldapsearch command opens a connection to an LDAP server, binds to it and performs a search whose parameters are given as options. The -x option connects with simple authentication (an anonymous bind here, since no -D is given) instead of a more complex mechanism such as Simple Authentication and Security Layer (SASL):
ldapsearch -x
The LDAP server should answer with a response like the one below, containing your LDAP entries in LDAP Data Interchange Format (LDIF):
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Configuring DB2
With the LDAP server and client working, you now configure the DB2 database to use LDAP. Let us see how to install and configure the database so that DB2 user authentication goes through the LDAP environment.
Configuring DB2 and LDAP interaction plug-ins
IBM provides a free package of LDAP plug-ins for DB2. The package includes three DB2 security plug-ins, one for each of the following:
- server-side authentication
- client-side authentication
- group lookup
Depending on your requirements, you can use any of the three plug-ins or all of them. The plug-ins do not support environments where some users are defined in LDAP and others in the operating system: if you decide to use the LDAP plug-ins, you have to define all users associated with the database in the LDAP server. The same rule applies to the group plug-in.
You have to decide which plug-ins are required for your system. The client authentication plug-in is used in configurations where the user ID and password supplied on a CONNECT or ATTACH statement are validated on the client system, so the database manager configuration parameter SRVCON_AUTH or AUTHENTICATION must be set to CLIENT. Client authentication is hard to secure, because the server trusts whatever user ID the client asserts, and it is generally not recommended. The server plug-in is generally recommended because it performs server-side validation of user IDs and passwords when the client executes a CONNECT or ATTACH statement, which is the secure way. The server plug-in also provides a way to map user IDs to DB2 authorization IDs.
Before you start installing and configuring the DB2 security plug-ins, consider the directory information tree DB2 needs. DB2 uses indirect authorization: a user belongs to a group, and the group is granted the privileges. You have to define all DB2 users and DB2 groups in the LDAP directory.
The LDIF file should contain the following:
#
# LDAP root object
# example.com
#
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

#
# db2 groups
#
dn: cn=dasadm1,dc=example,dc=com
cn: dasadm1
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 300
member: uid=dasusr1,cn=dasadm1,dc=example,dc=com
memberUid: dasusr1

dn: cn=db2grp1,dc=example,dc=com
cn: db2grp1
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 301
member: uid=db2inst2,cn=db2grp1,dc=example,dc=com
memberUid: db2inst2

dn: cn=db2fgrp1,dc=example,dc=com
cn: db2fgrp1
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 302
member: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
memberUid: db2fenc1

#
# db2 users
#
dn: uid=dasusr1,cn=dasadm1,dc=example,dc=com
cn: dasusr1
sn: dasusr1
uid: dasusr1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 300
gidNumber: 300
loginShell: /bin/bash
homeDirectory: /home/dasusr1

dn: uid=db2inst2,cn=db2grp1,dc=example,dc=com
cn: db2inst2
sn: db2inst2
uid: db2inst2
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 301
gidNumber: 301
loginShell: /bin/bash
homeDirectory: /home/db2inst2

dn: uid=db2fenc1,cn=db2fgrp1,dc=example,dc=com
cn: db2fenc1
sn: db2fenc1
uid: db2fenc1
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 303
gidNumber: 302
loginShell: /bin/bash
homeDirectory: /home/db2fenc1
Create a file named 'db2.ldif' and paste the example above into it. Using this file, add the defined structures to your LDAP directory.
To add the DB2 users and DB2 groups to the LDAP directory, you have to bind as the 'rootdn' (cn=Manager here) so that you have the necessary privileges.
Execute the following command to populate the LDAP directory with all the objects defined in the LDIF file 'db2.ldif' (-W prompts for the rootdn password):
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f <path>/db2.ldif
Check the result with a search, paging through the output:
ldapsearch -x | more
Preparing the file system for DB2 use
Next, create an instance for the LDAP user db2inst2. This user needs a home directory containing two empty files. Before you create a new instance, you need a user who will own the instance; here that is db2inst2, which now exists in LDAP and is resolved by the operating system through nss_ldap.
After the instance user is in place, create the files '.profile' and '.login' in the user's home directory; DB2 will modify them. To create them, execute the following commands (the last one gives the LDAP user ownership of its home directory):
mkdir /home/db2inst2
touch /home/db2inst2/.login /home/db2inst2/.profile
chown -R db2inst2:db2grp1 /home/db2inst2
Now that all users and groups associated with DB2 are registered in the LDAP directory, create an instance named 'db2inst2' with the instance owner id 'db2inst2' and the fenced user id 'db2fenc1', which is required for running user-defined functions (UDFs) or stored procedures:
/opt/ibm/db2/V10.1/instance/db2icrt -u db2fenc1 db2inst2
DBI1070I Program db2icrt completed successfully.
Now check the instance home directory. You will see a new subdirectory called 'sqllib', and the .profile and .login files modified for DB2 use.
Configuring authentication plug-ins for LDAP support in DB2
Copy the required LDAP plug-ins to the appropriate DB2 directories (the leading part of the source path is the directory where you unpacked the plug-in package):
cp ///v10/IBMLDAPauthserver.so /home/db2inst2/sqllib/security/plugin/server/.
cp ///v10/IBMLDAPgroups.so /home/db2inst2/sqllib/security/plugin/group/.
Once the plug-ins are in place, log in as the DB2 instance owner and change the database manager configuration to use them. SRVCON_PW_PLUGIN names the server-side password plug-in, GROUP_PLUGIN the group lookup plug-in, and AUTHENTICATION is set to SERVER_ENCRYPT so that the user ID and password are encrypted between client and server rather than sent in cleartext:
su - db2inst2
db2inst2> db2 update dbm cfg using srvcon_pw_plugin IBMLDAPauthserver
db2inst2> db2 update dbm cfg using group_plugin IBMLDAPgroups
db2inst2> db2 update dbm cfg using authentication SERVER_ENCRYPT
db2inst2> db2stop
db2inst2> db2start
These changes take effect when the DB2 instance is restarted. After restarting the instance, you have to install and configure the main DB2 LDAP configuration file, "IBMLDAPSecurity.ini", so that the DB2 plug-ins work with your LDAP setup.
IBMLDAPSecurity.ini contains:
;-----------------------------------------------------------
; SERVER RELATED VALUES
;-----------------------------------------------------------
; Name of your LDAP server(s).
; This is a space separated list of LDAP server addresses,
; with an optional port number for each one:
; host1[:port] [host2:[port2] ... ]
; The default port number is 389, or 636 if SSL is enabled.
LDAP_HOST = my.ldap.server

;-----------------------------------------------------------
; USER RELATED VALUES
;-----------------------------------------------------------
; LDAP object class used for users
USER_OBJECTCLASS = posixAccount

; LDAP user attribute that represents the "userid"
; This attribute is combined with the USER_OBJECTCLASS and
; USER_BASEDN (if specified) to construct an LDAP search
; filter when a user issues a DB2 CONNECT statement with an
; unqualified userid. For example, using the values in this
; configuration file, (db2 connect to MYDB user bob using
; bobpass) results in the following search filter:
; (&(objectClass=posixAccount)(uid=bob))
USERID_ATTRIBUTE = uid

; LDAP user attribute representing the DB2 authorization ID
AUTHID_ATTRIBUTE = uid

;-----------------------------------------------------------
; GROUP RELATED VALUES
;-----------------------------------------------------------
; LDAP object class used for groups
GROUP_OBJECTCLASS = groupOfNames

; LDAP group attribute that represents the name of the group
GROUPNAME_ATTRIBUTE = cn

; Determines the method used to find the group memberships
; for a user. Possible values are:
; SEARCH_BY_DN   - Search for groups that list the user as
;                  a member. Membership is indicated by the
;                  group attribute defined as
;                  GROUP_LOOKUP_ATTRIBUTE.
; USER_ATTRIBUTE - A user's groups are listed as attributes
;                  of the user object itself. Search for the
;                  user attribute defined as
;                  GROUP_LOOKUP_ATTRIBUTE to get the groups.
GROUP_LOOKUP_METHOD = SEARCH_BY_DN

; GROUP_LOOKUP_ATTRIBUTE
; Name of the attribute used to determine group membership,
; as described above.
; GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups
GROUP_LOOKUP_ATTRIBUTE = member
Now place the IBMLDAPSecurity.ini file in the configuration directory of the current instance, copying the sample above into it:
cp //db2_ldap_pkg/IBMLDAPSecurity.ini /home/db2inst2/sqllib/cfg/
Then restart your DB2 instance with the two commands below:
db2inst2> db2stop
db2inst2> db2start
At this point 'db2start' reports a security error, because the DB2 security configuration has not yet been adapted to your LDAP environment.
Customizing both configurations
Have the LDAP server's host name handy: it is the value you put in the 'host' line of the LDAP client's ldap.conf ('localhost' here).
Now edit IBMLDAPSecurity.ini and set LDAP_HOST to that name; the host name must be identical in both files. The plug-in binds to LDAP_HOST with the connecting user's ID and password, so if the server is remote, enable SSL in the same file (ENABLE_SSL together with the SSL_KEYFILE settings) and use port 636 rather than sending credentials in cleartext on port 389.
The contents of the file are as shown below:
;-----------------------------------------------------------
; SERVER RELATED VALUES
;-----------------------------------------------------------
LDAP_HOST = localhost

;-----------------------------------------------------------
; USER RELATED VALUES
;-----------------------------------------------------------
USER_OBJECTCLASS = posixAccount
USER_BASEDN = dc=example,dc=com
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid

;-----------------------------------------------------------
; GROUP RELATED VALUES
;-----------------------------------------------------------
GROUP_OBJECTCLASS = groupOfNames
GROUP_BASEDN = dc=example,dc=com
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
After changing these values, run 'db2start' again: the plug-ins read IBMLDAPSecurity.ini at instance start, and from then on your DB2 environment authenticates users and resolves their groups through LDAP.
You can log out and log in again as the 'db2inst2' user.
Your instance is now working with the LDAP directory.
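To make the USER_* and GROUP_* settings concrete, here is an added example written for this page (not IBM's plug-in code) that models how those settings turn the user ID on a CONNECT into an LDAP search filter, an authorization ID and a group list. The directory contents are constructed from the db2inst2/db2grp1 objects defined earlier and the INI text repeats the settings above. The escaping applied to the user ID follows RFC 4515 and is what any code that builds a filter from user input must do; it is an assumption of this example, not a description of how IBM's plug-in does it internally.

```python
"""How the IBMLDAPSecurity.ini settings become LDAP searches.

Added example for this tutorial, not IBM's plug-in code. Against a small
in-memory directory (constructed from the db2inst2 / db2grp1 objects above)
it shows what the USER_* and GROUP_* settings do: the search filter built
from an unqualified userid on CONNECT, the authorization ID taken from
AUTHID_ATTRIBUTE, and the two GROUP_LOOKUP_METHOD strategies. The filter
escaping is RFC 4515, an assumption about any filter builder, not a claim
about the plug-in's internals.
"""

INI = """\
LDAP_HOST = localhost
USER_OBJECTCLASS = posixAccount
USER_BASEDN = dc=example,dc=com
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
GROUP_OBJECTCLASS = groupOfNames
GROUP_BASEDN = dc=example,dc=com
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
"""

# Constructed directory, keyed by DN, with the attributes the LDIF above gives them.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["organization", "dcObject"]},
    "cn=db2grp1,dc=example,dc=com": {
        "objectClass": ["top", "posixGroup", "groupOfNames"], "cn": ["db2grp1"],
        "gidNumber": ["301"], "memberUid": ["db2inst2"],
        "member": ["uid=db2inst2,cn=db2grp1,dc=example,dc=com"]},
    "uid=db2inst2,cn=db2grp1,dc=example,dc=com": {
        "objectClass": ["top", "inetOrgPerson", "posixAccount"], "uid": ["db2inst2"],
        "cn": ["db2inst2"], "uidNumber": ["301"], "gidNumber": ["301"]},
}


def parse_ini(text):
    """IBMLDAPSecurity.ini has no [sections]; ';' begins a comment line."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip().upper()] = value.strip()
    return cfg


def escape_filter_value(value):
    """RFC 4515 escaping; without it a userid like '*)(uid=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_filter(cfg, userid):
    """Filter sent for 'db2 connect to MYDB user <userid>' with an unqualified id."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["USER_OBJECTCLASS"], cfg["USERID_ATTRIBUTE"], escape_filter_value(userid))


def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _under(dn, base):
    return _norm(dn) == _norm(base) or _norm(dn).endswith("," + _norm(base))


def _values(entry, attr):
    # attribute names are case-insensitive in LDAP
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _has_class(entry, name):
    return name.lower() in {c.lower() for c in _values(entry, "objectClass")}


def find_user(directory, cfg, userid):
    """Evaluate user_filter() under USER_BASEDN. Exactly one hit is required: zero
    is an unknown user, more than one leaves no single DN to bind as."""
    hits = [dn for dn, e in directory.items()
            if _under(dn, cfg.get("USER_BASEDN", "")) and _has_class(e, cfg["USER_OBJECTCLASS"])
            and userid.lower() in {v.lower() for v in _values(e, cfg["USERID_ATTRIBUTE"])}]
    if len(hits) != 1:
        raise LookupError("userid %r matched %d entries" % (userid, len(hits)))
    return hits[0]


def authid_for(directory, cfg, user_dn):
    """The DB2 authorization ID is read from AUTHID_ATTRIBUTE of the user entry."""
    return _values(directory[user_dn], cfg["AUTHID_ATTRIBUTE"])[0]


def groups_for(directory, cfg, user_dn):
    """Group names (GROUPNAME_ATTRIBUTE) the user belongs to, per GROUP_LOOKUP_METHOD."""
    attr, base = cfg["GROUP_LOOKUP_ATTRIBUTE"], cfg.get("GROUP_BASEDN", "")
    entries = {_norm(dn): e for dn, e in directory.items()}
    if cfg["GROUP_LOOKUP_METHOD"] == "SEARCH_BY_DN":
        # filter: (&(objectClass=GROUP_OBJECTCLASS)(<attr>=<user DN>)). The attribute
        # must hold full DNs: 'member' matches, 'memberUid' (bare uids) never will.
        group_dns = [dn for dn, e in directory.items()
                     if _under(dn, base) and _has_class(e, cfg["GROUP_OBJECTCLASS"])
                     and _norm(user_dn) in {_norm(v) for v in _values(e, attr)}]
    elif cfg["GROUP_LOOKUP_METHOD"] == "USER_ATTRIBUTE":
        # the user entry itself lists its group DNs (e.g. a memberOf attribute)
        group_dns = [v for v in _values(directory[user_dn], attr) if _norm(v) in entries]
    else:
        raise ValueError("unknown GROUP_LOOKUP_METHOD %r" % cfg["GROUP_LOOKUP_METHOD"])
    return sorted(_values(entries[_norm(dn)], cfg["GROUPNAME_ATTRIBUTE"])[0] for dn in group_dns)


if __name__ == "__main__":
    cfg = parse_ini(INI)
    print(user_filter(cfg, "bob"), user_filter(cfg, "*)(uid=*"))
    dn = find_user(DIRECTORY, cfg, "db2inst2")
    print(dn, authid_for(DIRECTORY, cfg, dn), groups_for(DIRECTORY, cfg, dn))
```

Switching GROUP_LOOKUP_ATTRIBUTE to memberUid makes groups_for() return nothing, which is the usual reason a DB2 user authenticates fine but has none of the privileges granted to its group: with SEARCH_BY_DN the attribute compared against the user's full DN must itself hold DNs, and the directory has to be populated accordingly (the member lines in the LDIF above).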
