1

I have a DB2 Express-C v10.5 instance configured to authenticate against LDAP. The LDAP server is going to be shut down and I should configure the same DB2 instance to use Linux authentication.

I copied users from the LDAP server to a local Linux host running DB2. Then I shut down the LDAP server. After that I changed the DB2 authentication settings with `db2 update dbm cfg using SRVCON_PW_PLUGIN IBMOSauthserver` (it used to be `IBMLDAPauthserver` before) and restarted DB2.

Applications access the database with the username db2smth (name changed due to privacy reasons). I can connect to a database with `db2 connect to dbname user db2inst1 using '********'` but connecting to the same database as db2smth fails:

```
db2 => connect to dbname user db2smth using '********'

SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR PASSWORD INVALID"). SQLSTATE=08001
```

`su - db2smth` and `su - db2inst1` work fine, which means that Linux authentication works fine.

How can I diagnose what's wrong with the authentication?

haba713
  • Did you restart your Db2 instance after making the change? Are you using a root install (Db2 binaries installed in /opt) or a non-root install (installed in ~db2inst1/sqllib)? – Ian Bjorhovde Jun 20 '21 at 23:20
  • Yes, I did restart. Binaries are installed in /opt/ibm/db2/V10.5/. Weird thing is that when I connect to the database nothing is printed out into /var/log/auth.log. I'm wondering if it is trying to authenticate (Linux authentication) at all and connecting as db2inst1 succeeds without authentication because it is the instance owner. – haba713 Jun 21 '21 at 09:23
  • "How can I diagnose what's wrong" -- increase `DIAGLEVEL` and check what appears in the diagnostic log after a failed connect. Did you try to log in to the server (shell) using the db2smth credentials? – mustaccio Jun 21 '21 at 11:48
  • I can log in to the server with db2smth credentials. I increased the log level 3→4 and [this is](https://pastebin.com/raw/CDStSWaR) what is printed out to db2diag.log on connection failure. – haba713 Jun 22 '21 at 20:00
  • You should add details to your question, please don't leave them in comments. Anyway, there is no indication of authentication failure in the log fragment you provided. – mustaccio Jun 23 '21 at 12:46

2 Answers

0

(Since the question was resurrected, I guess I'll add my 2 cents.)

I would verify whether the username conforms to the DB2 naming rules. Since you used an authentication plugin previously, I suspect you could ignore those naming rules. Now that you created the user on the server directly, you need to follow them. Here's the link to the rules:

https://www.ibm.com/docs/en/db2/10.5?topic=rules-general-naming

I would specifically check this one:

For Linux and UNIX system, characters for user names and group names must be lowercase.

I was bitten by it in the past. From what I remember the error messages don't point out this problem directly. The message could have been the one you are getting.

rois
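
One way to run the lowercase check from this answer against accounts copied from LDAP, as an added example (not code from the answer or from Db2). It covers the user name, its primary group and any supplementary groups; the function name, the `AppUser` account and the group names in the sample data are constructed.

```shell
#!/bin/sh
# check_db2_names USER PASSWD_FILE GROUP_FILE
#   Files use passwd(5)/group(5) layout, e.g. saved `getent passwd` output.
#   Prints "user:<name>" / "group:<name>" for each name containing uppercase.
#   Returns 0 = all lowercase, 1 = violation found, 2 = account not found.
check_db2_names() {
    # Case-insensitive lookup, so an account copied as "AppUser" is still
    # found when the application connects as "appuser".
    cdn_entry=$(awk -F: -v u="$1" \
        'tolower($1) == tolower(u) { print $1 ":" $4; exit }' "$2")
    [ -n "$cdn_entry" ] || return 2
    cdn_name=${cdn_entry%%:*}
    cdn_gid=${cdn_entry##*:}
    {
        printf 'user:%s\n' "$cdn_name"
        # Primary group (GID match) plus groups listing the user as a member.
        awk -F: -v n="$cdn_name" -v g="$cdn_gid" '
            { member = 0; k = split($4, m, ",")
              for (i = 1; i <= k; i++) if (m[i] == n) member = 1 }
            $3 == g || member { print "group:" $1 }' "$3"
    } | awk -F: '$2 != tolower($2) { print; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample data, not taken from the page.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
db2inst1:x:1001:1001::/home/db2inst1:/bin/bash
db2smth:x:1002:1002::/home/db2smth:/bin/bash
AppUser:x:1003:1003::/home/AppUser:/bin/bash
EOF
cat > "$sample_dir/group" <<'EOF'
db2iadm1:x:1001:db2inst1
DB2Users:x:1002:
appuser:x:1003:
appl:x:1004:db2smth
EOF

for u in db2inst1 db2smth appuser; do
    echo "== $u"
    check_db2_names "$u" "$sample_dir/passwd" "$sample_dir/group" || true
done
```

On a live host the two files can be produced with `getent passwd > passwd` and `getent group > group`.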
-1

A simple answer: user db2smth needs the 'connect' privilege. You can try:

  1. db2 connect to dbname user db2inst1
  2. GRANT CONNECT ON DATABASE TO USER db2smth

See also: How do I grant all privileges to local db2admin with DB2 9.7 on Windows?

  • "user db2smth need the 'connect' privilege" -- what led you to this conclusion? Apparently, when authenticated against an LDAP server, the user _did_ have that privilege. – mustaccio Jul 14 '21 at 20:33
  • with db2inst1 (Instance Owner / has all DB privileges) it works fine - this led me to my conclusion – Juergen Oliver Jul 14 '21 at 21:08