DB2 - Problem description
Problem IT28712 | Status: Closed
EXCESSIVE NUMBER OF LDAP AUTHENTICATION REQUESTS FOR SINGLE USER CAUSED BY GROUP-WIDE AUTHENTICATION LOOKUP
product: DB2 FOR LUW / DB2FORLUW / B10 - DB2
Problem description:
1. Problem description

The customer set up Db2 with transparent LDAP authentication. He noticed that he was seeing an unexpectedly high number of authentication requests on the LDAP server. He did some testing and found that an authentication request for a single user would return the group for that user, then make authentication requests for all users within that group.

The AIX team performed an analysis and came to the following root cause and suggested resolution. (They came to these conclusions after analysing the source for the sample authentication program, aixAuthTest.C.)

###################################
AIX team root cause analysis
###################################

The auth test code is doing this:

1) getgrset (gives GIDs user belongs to)

This is the function that is giving us the GIDs of db1 through db7 that we see above. We send a request to the server asking for the GIDs the user belongs to, and it responds to that request - one request made, and one reply returned.

2) getgrgid_r (get group data for each of these GIDs)

This call is being made in order to translate the GID from step 1 into a group name. The auth test code makes this call for each of the GIDs we got from getgrset. It is getting all group information - in addition to getting the group name, it is also grabbing attributes like 'memberuid' - and as we see above in the IP trace, if we see a memberuid that is defined as a full DN, we'll do a search on it to translate it and get a short user name.

That is the explanation for why we are seeing those extra searches - as each call to getgrgid_r is made, and we are grabbing all of that group's attributes, we are also going to need to translate the full DN into its short name.

Note that when getgrset is called, we are able to get a full list of GIDs that the user belongs to without needing to do any extra searches for these full DNs. We send a request to the server saying 'give us the GIDs of all groups that this user belongs to', and it does so. This is similar to what is happening when lsuser does a getuserattr to get group names - except instead of asking the server 'give us the GIDs', it is asking 'give us the group names'. Since it gets the group names rather than GIDs, there is no need to use getgrgid_r to find the group name - and that also takes away the need to translate the 'member' information that getgrgid_r is returning.

If DB2 just needs a list of group names that the user belongs to, it would be better to use getuserattr(), i.e.:

    rc = getuserattr(argv[2], S_GROUPS, &val2, SEC_LIST);
    if (rc == 0) {
        char *str = val2;          /* SEC_LIST: NUL-separated strings, ended by a double NUL */
        printf("User %s in authdb %s has group list ", argv[2], new);
        while (*str != '\0') {     /* stops on the terminating empty string, even for an empty list */
            printf("%s ", str);
            str = str + strlen(str) + 1;
        }
        printf("\n");
    } else
        printf("getuserattr failed\n");

Attached is a test program called groupsids.c, as well as its compiled form. It would be run as:

    ./groupsids LDAP

This shows how to make a call to:

    rc = getuserattr(argv[2], S_GROUPSIDS, &val, SEC_LIST);    (get group IDs)

and:

    rc = getuserattr(argv[2], S_GROUPS, &val2, SEC_LIST);      (get group names)

The S_GROUPSIDS call is functionally equivalent to making a call to getgrset, so I wouldn't say it's any better or worse than using getgrset. The S_GROUPS call, however, gives you the user's group names without going through the extra business that getgrgid_r will do as far as translating the full DNs.

###################################
groupsids.c
###################################

    #include <stdio.h>
    #include <string.h>
    #include <usersec.h>    /* getuserattr, setauthdb, S_GROUPS, S_GROUPSIDS, SEC_LIST */

    /* Print every entry of a SEC_LIST value: NUL-separated strings, the last
     * one followed by a second NUL. Safe for an empty list as well. */
    static void print_list(const char *str)
    {
        while (*str != '\0') {
            printf("%s ", str);
            str += strlen(str) + 1;
        }
        printf("\n");
    }

    int main(int argc, char *argv[])
    {
        char *new;
        char *val;
        char *val2;
        int rc;

        if (argc < 3) {
            fprintf(stderr, "usage: %s <authdb> <user>\n", argv[0]);
            return 1;
        }
        new = strdup(argv[1]);
        setauthdb(new, NULL);       /* e.g. LDAP: query that registry directly */

        /* Group IDs: functionally the same as getgrset() */
        rc = getuserattr(argv[2], S_GROUPSIDS, &val, SEC_LIST);
        if (rc == 0) {
            printf("User %s in authdb %s has group ID list ", argv[2], new);
            print_list(val);
        } else
            printf("getuserattr failed\n");

        /* Group names: no getgrgid_r, so no translation of member DNs */
        rc = getuserattr(argv[2], S_GROUPS, &val2, SEC_LIST);
        if (rc == 0) {
            printf("User %s in authdb %s has group list ", argv[2], new);
            print_list(val2);
        } else
            printf("getuserattr failed\n");
        return 0;
    }

2. Operating system and level:
AIX 64 bit 7.1

3. Client, server, and gateway information
a. Client information, if applicable
b. Gateway information, if applicable
c. Server information, if applicable
AIX 64 bit 7.1
Db2 v11.1m4fp5

4. How to reproduce the problem
Attempt to connect using an LDAP managed user that is part of a group that also includes multiple other users. Authentication requests will be sent for those users as well.
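As an added illustration (not IBM's code and not the AIX team's attachment): a portable C parser for the SEC_LIST format that getuserattr() returns, plus a membership check done on the group-name list alone, which is all that is needed here and which involves none of the per-GID getgrgid_r lookups and member-DN translations described above. The sample list is constructed, and the layout of an empty list is an assumption.

```c
/* Added example (not IBM's or the AIX team's code): parses the SEC_LIST
 * format getuserattr(..., S_GROUPS, ..., SEC_LIST) returns on AIX, i.e.
 * NUL-terminated strings back to back, the last followed by a second NUL.
 * Unlike the while(1) loop in groupsids.c it is bounded and handles an
 * empty list (assumed here to start directly with '\0'). Plain C99. */
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 64
/* Split a SEC_LIST buffer into at most max entries pointing into the buffer.
 * Returns the number of entries, or -1 if list is NULL. */
int sec_list_split(const char *list, const char **out, int max)
{
    int n = 0;
    if (list == NULL)
        return -1;
    while (*list != '\0' && n < max) {  /* the empty string ends the list */
        out[n++] = list;
        list += strlen(list) + 1;       /* step past this string's NUL */
    }
    return n;
}

/* The question Db2 needs answered: is the user in this group? Done against
 * the name list only, so no getgrgid_r and no member-DN translation. */
int sec_list_contains(const char *list, const char *name)
{
    const char *groups[MAX_GROUPS];
    int n = sec_list_split(list, groups, MAX_GROUPS);
    for (int i = 0; i < n; i++)
        if (strcmp(groups[i], name) == 0)
            return 1;
    return 0;
}

/* Constructed sample of what S_GROUPS might return for the user in the
 * report (groups db1..db7 plus staff); not captured from a real server. */
static const char SAMPLE_GROUPS[] = "staff\0db1\0db2\0db3\0db4\0db5\0db6\0db7\0";

int main(void)
{
    const char *groups[MAX_GROUPS];
    int n = sec_list_split(SAMPLE_GROUPS, groups, MAX_GROUPS);
    printf("%d groups:", n);
    for (int i = 0; i < n; i++)
        printf(" %s", groups[i]);
    printf("\nmember of db3: %s\n",
           sec_list_contains(SAMPLE_GROUPS, "db3") ? "yes" : "no");
    return 0;
}
```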
Problem Summary:
****************************************************************
* USERS AFFECTED:                                              *
* ALL                                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to Db2 11.1 Mod 4 Fixpack 5 or higher                *
****************************************************************
Local Fix:
N/A
Solution | |
Workaround | |
not known / see Local fix
BUG-Tracking | |
forerunner : IT28520
follow-up :
Timestamps | |
Date - problem reported : 08.04.2019
Date - problem closed : 16.01.2020
Date - last modified : 16.01.2020
Problem solved at the following versions (IBM BugInfos)
Problem solved according to the fixlist(s) of the following version(s)