db2 client authentication does not perfrom group retrieval at the client side?

Harishkumar .Pathangay

db2 client authentication does not perfrom group retrieval at the client side?

hi,
First it is a learning question.

I have set DBM CFG authentication CLIENT.
So the user name and password verification happens on the client os.
But the Group Retrieval happens on the Server side.
For Example, if I grant ACCESSCTRL to group DUMMY on the database server.
Now I connect to DB from client, different machine, with user name jimmy who is in group dummy in the client os. the database server OS will not have group dummy at all.
I am able to connect, but with no ACCESSCTRL authority. you can verify it with application snapshot.
So I go and create group dummy in the DB server OS and also add a user kimmy.
Now I connect to DB from server only, with user name kimmy who is in group dummy in the server OS. it works.I am able to connect, with ACCESSCTRL authority. you can verify it with application snapshot.

So this confirms that GROUP retrieval happens in Server Side Only.
How to Fix it? Is it how it is? I am not looking for a plugin to be configured at the client side. If client can do authentication then why not group retrieval too?

Thanks,
HP

Nadir Doctor

db2 client authentication does not perfrom group retrieval at the client side?
(in response to Harishkumar .Pathangay)
Hi Harish,

You may want to consider db2_alternate_group_lookup registry variable in
case it can assist -

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.regvars.doc/doc/r0005658.html#r0005658__S_DB2_ALTERNATE_GROUP_LOOKUP


Best Regards,
Nadir



On Sat, May 6, 2017 at 12:59 PM, Harishkumar .Pathangay <
[login to unmask email]> wrote:

> hi,
> First it is a learning question.
>
> I have set DBM CFG authentication CLIENT.
> So the user name and password verification happens on the client os.
> But the Group Retrieval happens on the Server side.
> For Example, if I grant ACCESSCTRL to group DUMMY on the database server.
> Now I connect to DB from client, different machine, with user name jimmy
> who is in group dummy in the client os. the database server OS will not
> have group dummy at all.
> I am able to connect, but with no ACCESSCTRL authority. you can verify it
> with application snapshot.
> So I go and create group dummy in the DB server OS and also add a user
> kimmy.
> Now I connect to DB from server only, with user name kimmy who is in group
> dummy in the server OS. it works.I am able to connect, with ACCESSCTRL
> authority. you can verify it with application snapshot.
>
> So this confirms that GROUP retrieval happens in Server Side Only.
> How to Fix it? Is it how it is? I am not looking for a plugin to be
> configured at the client side. If client can do authentication then why not
> group retrieval too?
>
> Thanks,
> HP
>
> -----End Original Message-----
>

Harishkumar .Pathangay

db2 client authentication does not perfrom groupretrieval at the client side?
(in response to Nadir Doctor)
That registry variable will still look up the groups in server machine only right.
How will it change for my situation? I am okay with authenticating with OS, I do not want any alternate group lookup. But rather I want to change where the look up is supposed to happen.

I hope my question is clear.
Any other inputs?

Thanks,
HP

Sent from Mail for Windows 10

From: Nadir Doctor
Sent: 07 May 2017 00:02
To: [login to unmask email]
Subject: [DB2-L] - RE: db2 client authentication does not perfrom groupretrieval at the client side?

Hi Harish,

You may want to consider db2_alternate_group_lookup registry variable in case it can assist -

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.regvars.doc/doc/r0005658.html#r0005658__S_DB2_ALTERNATE_GROUP_LOOKUP



Best Regards,
Nadir
 


On Sat, May 6, 2017 at 12:59 PM, Harishkumar .Pathangay <[login to unmask email]> wrote:
hi,
First it is a learning question.
I have set DBM CFG authentication CLIENT.
So the user name and password verification happens on the client os.
But the Group Retrieval happens on the Server side.
For Example, if I grant ACCESSCTRL to group DUMMY on the database server.
Now I connect to DB from client, different machine, with user name jimmy who is in group dummy in the client os. the database server OS will not have group dummy at all.
I am able to connect, but with no ACCESSCTRL authority. you can verify it with application snapshot.
So I go and create group dummy in the DB server OS and also add a user kimmy.
Now I connect to DB from server only, with user name kimmy who is in group dummy in the server OS. it works.I am able to connect, with ACCESSCTRL authority. you can verify it with application snapshot.
So this confirms that GROUP retrieval happens in Server Side Only.
How to Fix it? Is it how it is? I am not looking for a plugin to be configured at the client side. If client can do authentication then why not group retrieval too?
Thanks,
HP


Site Links: View post online   View mailing list online   Start new thread via email   Unsubscribe from this mailing list   Manage your subscription  

This email has been sent to: [login to unmask email]
Learn how ESAi's fast data refresh & Test Data Management products can save up to 90% in CPU, I/O
and manual efforts compared to typical solutions. Be a hero to your users with BCV5 & XDM. See
ttp://www.ESAIGroup.com/idug

Use of this email content is governed by the terms of service at:
http://www.idug.org/p/cm/ld/fid=2




Site Links: View post online   View mailing list online   Start new thread via email   Unsubscribe from this mailing list   Manage your subscription  

This email has been sent to: [login to unmask email]
Learn how ESAi's fast data refresh & Test Data Management products can save up to 90% in CPU, I/O
and manual efforts compared to typical solutions. Be a hero to your users with BCV5 & XDM. See
ttp://www.ESAIGroup.com/idug

Use of this email content is governed by the terms of service at:
http://www.idug.org/p/cm/ld/fid=2


Attachments

  • F592E6BCCCD94C8BB2AAC9B58FD4D9AA.png (<1k)
  • A29E481A36F04BFCACC60B156DFF304E.png (<1k)