IBM Db2
Note: Vault supports IBM Db2 credential management using the LDAP secrets engine.
Access to Db2 is managed by facilities that reside outside the Db2 database system. By default, user authentication is completed by a security facility that relies on operating system based authentication of users and passwords. This means that the lifecycle of user identities in Db2 cannot be managed through SQL statements, and so cannot be managed by Vault's database secrets engine.
To provide flexibility in accommodating authentication needs, Db2 ships with authentication plugin modules for Lightweight Directory Access Protocol (LDAP). This enables the Db2 database manager to authenticate users and obtain group membership defined in an LDAP directory, removing the requirement that users and groups be defined to the operating system.
Vault's LDAP secrets engine can be used to manage the lifecycle of credentials for Db2 environments that have been configured to delegate user authentication and group membership to an LDAP server. You can use either dynamic credentials or static credentials with the LDAP secrets engine.
Before you start
The architecture for implementing this solution is highly context dependent. The assumptions made in this guide help to provide a practical example of how this could be configured.
Be sure to read the IBM LDAP plugin documentation to understand the tradeoffs and security implications.
The setup presented in this guide makes the following assumptions:
Db2 is configured to authenticate users from an LDAP server using the server authentication plugin module.
Db2 is configured to retrieve group membership from an LDAP server using the group lookup plugin module.
The LDAP directory information tree (DIT) has the following structure:
# Organizational units
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

# Db2 groups
# - https://www.ibm.com/docs/en/db2/11.5?topic=unix-db2-users-groups
# - https://www.ibm.com/docs/en/db2/11.5?topic=ins-ldap-based-authentication-group-lookup-support
dn: cn=db2iadm1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: db2iadm1
member: uid=db2inst1,ou=users,dc=example,dc=com
description: DB2 sysadm group

dn: cn=db2fadm1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: db2fadm1
member: uid=db2fenc1,ou=users,dc=example,dc=com
description: DB2 fenced user group

dn: cn=dev,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dev
member: uid=staticuser,ou=users,dc=example,dc=com
description: Development group

# Db2 users
# - https://www.ibm.com/docs/en/db2/11.5?topic=unix-db2-users-groups
# - https://www.ibm.com/docs/en/db2/11.5?topic=ins-ldap-based-authentication-group-lookup-support
dn: uid=db2inst1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: db2inst1
sn: db2inst1
uid: db2inst1
userPassword: Db2AdminPassword

dn: uid=db2fenc1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: db2fenc1
sn: db2fenc1
uid: db2fenc1
userPassword: Db2FencedPassword

# Add user for static role rotation
dn: uid=staticuser,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: staticuser
sn: staticuser
uid: staticuser
userPassword: StaticUserPassword
IBMLDAPSecurity.ini is updated to match the LDAP server configuration.
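The assumptions above hinge on the directory tree and IBMLDAPSecurity.ini agreeing with each other. The following is an added example, not code from the Vault or IBM documentation: it parses the LDIF from this guide (abridged to one group of each kind, embedded as constructed sample input) and checks the properties the Db2 LDAP plug-ins rely on, namely that every group member DN resolves to an existing entry under ou=users, that user entries carry objectClass inetOrgPerson, and that each uid attribute matches the uid in its own DN, since that is the value Db2 maps to an authorization ID. The base DNs are the ones assumed in this guide.

```python
"""Consistency check for the Db2 LDAP tree assumed in this guide.

Added example, not part of the Vault or IBM documentation. parse_ldif()
handles plain LDIF (no base64 values, no line folding); check_tree()
returns a list of problems, empty when the tree is consistent.
"""
from collections import defaultdict

# Constructed sample: the guide's tree with one group of each kind.
SAMPLE_LDIF = """
# Organizational units
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

# Db2 groups
dn: cn=db2iadm1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: db2iadm1
member: uid=db2inst1,ou=users,dc=example,dc=com
description: DB2 sysadm group

dn: cn=dev,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dev
member: uid=staticuser,ou=users,dc=example,dc=com
description: Development group

# Db2 users
dn: uid=db2inst1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: db2inst1
sn: db2inst1
uid: db2inst1
userPassword: Db2AdminPassword

# User for static role rotation
dn: uid=staticuser,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: staticuser
sn: staticuser
uid: staticuser
userPassword: StaticUserPassword
"""

USERS_BASE = "ou=users,dc=example,dc=com"    # assumed base DNs from this guide
GROUPS_BASE = "ou=groups,dc=example,dc=com"


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for plain LDIF."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                  # a blank line terminates the current entry
            current = None
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is None:
            raise ValueError(f"attribute outside of an entry: {line}")
        else:
            current[attr].append(value)
    return entries


def rdn_value(dn):
    """'uid=db2inst1,ou=users,dc=example,dc=com' -> 'db2inst1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def check_tree(entries):
    """List every inconsistency the Db2 LDAP plug-ins would trip over."""
    problems = []
    for dn, attrs in entries.items():
        if dn.endswith("," + USERS_BASE):
            if "inetOrgPerson" not in attrs["objectClass"]:
                problems.append(f"{dn}: missing objectClass inetOrgPerson")
            if attrs["uid"] != [rdn_value(dn)]:
                problems.append(f"{dn}: uid attribute does not match the DN")
        elif dn.endswith("," + GROUPS_BASE):
            if "groupOfNames" not in attrs["objectClass"]:
                problems.append(f"{dn}: missing objectClass groupOfNames")
            for member in attrs["member"]:
                if member not in entries:
                    problems.append(f"{dn}: member {member} does not exist")
                elif not member.endswith("," + USERS_BASE):
                    problems.append(f"{dn}: member {member} is outside {USERS_BASE}")
    return problems


def members_of(entries, group_dn):
    """Authorization IDs (uid values) of a group's members, sorted."""
    return sorted(rdn_value(m) for m in entries[group_dn]["member"])
```

Run it against the LDIF you intend to load before pointing IBMLDAPSecurity.ini at the same user and group bases; a member DN that points nowhere, or a uid that disagrees with its RDN, is the kind of mismatch that otherwise only shows up later as failed logins or missing group authorities.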
Setup
Enable the LDAP secrets engine.
$ vault secrets enable ldap
Configure the LDAP secrets engine.
$ vault write ldap/config \
    binddn="cn=admin,dc=example,dc=com" \
    bindpass="LDAPAdminPassword" \
    url="ldap://127.0.0.1:389"
Write a template file that defines how to create LDAP users.
$ cat > /tmp/creation.ldif <<EOF
dn: uid={{.Username}},ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: {{.Username}}
cn: {{.Username}}
sn: {{.Username}}
userPassword: {{.Password}}
EOF
This file will be used by Vault to create LDAP users when credentials are requested.
Write a template file that defines how to delete LDAP users.
$ cat > /tmp/deletion_rollback.ldif <<EOF
dn: uid={{.Username}},ou=users,dc=example,dc=com
changetype: delete
EOF
This file will be used by Vault to delete LDAP users when the credentials are revoked.
Create a Vault role that includes creation.ldif and deletion_rollback.ldif.
$ vault write ldap/role/dynamic \
    creation_ldif=@/tmp/creation.ldif \
    deletion_ldif=@/tmp/deletion_rollback.ldif \
    rollback_ldif=@/tmp/deletion_rollback.ldif \
    default_ttl=1h
Usage
Generate dynamic credentials using the Vault dynamic role.
$ vault read ldap/creds/dynamic
Successful output:
Key                    Value
---                    -----
lease_id               ldap/creds/dynamic/doa187ysuFExnvsJwmt8WrNo
lease_duration         1h
lease_renewable        true
distinguished_names    [uid=v_token_dynamic_joctelE9RB_1647220296,ou=users,dc=example,dc=com]
password               3WAOcuHUUt3qMKaUqo14pfTWapiOt8fmcBNoDo7Rx1R9dKxMOMVoMR3MYjCxQvmL
username               v_token_dynamic_joctelE9RB_1647220296
Use the dynamic credentials to connect to Db2.
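Putting the credential to use for one Db2 session, as an added example rather than code from the Vault documentation: it reads ldap/creds/dynamic over Vault's HTTP API (VAULT_ADDR and VAULT_TOKEN taken from the environment), connects with IBM's ibm_db Python driver, and revokes the lease as soon as the session is over, which triggers deletion_rollback.ldif and removes the LDAP entry instead of leaving it alive for the remaining TTL. The database name SAMPLE and host db2.example.com are placeholders; parse_creds() and db2_conn_string() are pure helpers so they can be exercised without a Vault or Db2 server.

```python
"""Fetch a dynamic LDAP credential from Vault, use it for one Db2
connection, then revoke the lease.

Added example, not part of the Vault documentation. Assumes VAULT_ADDR
and VAULT_TOKEN in the environment, the ldap/role/dynamic role from this
guide, and the ibm_db driver (pip install ibm_db) for the connection.
"""
import json
import os
import urllib.request


def vault_request(method, path, body=None):
    """Minimal Vault HTTP API call; returns the decoded JSON body (or {})."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def parse_creds(payload):
    """Extract username, password and lease details from a
    GET ldap/creds/<role> response. A malformed reply raises KeyError
    rather than turning into an empty username or password."""
    data = payload["data"]
    return {
        "username": data["username"],
        "password": data["password"],
        "dn": data["distinguished_names"][0],
        "lease_id": payload["lease_id"],
        "lease_duration": payload["lease_duration"],   # seconds in the JSON API
    }


def db2_conn_string(creds, database, host, port=50000):
    """Build an ibm_db connection string (key=value pairs separated by ';')."""
    return (f"DATABASE={database};HOSTNAME={host};PORT={port};PROTOCOL=TCPIP;"
            f"UID={creds['username']};PWD={creds['password']};")


def run_query(creds, database, host,
              sql="SELECT CURRENT USER FROM SYSIBM.SYSDUMMY1"):
    """Open one Db2 connection with the Vault-issued identity and run a query."""
    import ibm_db  # imported here so the pure helpers above stay importable offline
    conn = ibm_db.connect(db2_conn_string(creds, database, host), "", "")
    try:
        stmt = ibm_db.exec_immediate(conn, sql)
        return ibm_db.fetch_tuple(stmt)
    finally:
        ibm_db.close(conn)


def main():
    creds = parse_creds(vault_request("GET", "ldap/creds/dynamic"))
    try:
        # Placeholders: substitute the real database name and host.
        print("connected as", run_query(creds, "SAMPLE", "db2.example.com"))
    finally:
        # Revoking the lease runs deletion_rollback.ldif, so the LDAP user
        # disappears with the session rather than at the 1h default_ttl.
        vault_request("PUT", "sys/leases/revoke", {"lease_id": creds["lease_id"]})


if __name__ == "__main__":
    main()
```

The revoke in the finally block is the part worth copying: the credential's lifetime is then bounded by the job that needed it, and the ldap/creds audit entry and the lease revocation give the operations team a matched pair of events for every Db2 session opened this way.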
Tutorial
Refer to the LDAP Secrets Engine tutorial to learn how to configure and use the LDAP secrets engine.
API
The LDAP secrets engine has a full HTTP API. Please see the LDAP secrets engine API docs for more details.