Can we hope that internal authentication (OS independent) will be built into DB2 by IBM, at least
as an option ? I agree that OS authentication may be usefull in many situations, but OS dependency is often problematic and not always desirable.

I read Gene’s article, but it seems it’s hard to write plugin which is not platform specific.

DB2’s approach seems to be the same as that of PostgreSQL, where there are a number of authentication plugins covering everything from LDAP/Kerberos to OS users to having everything just stored in the DB.

From the limited amount that I have used commercial DB’s like Oracle and MSSQL, it seems that PostgreSQL is firmly in that league, and MySQL is just now appearing on the horizon.

An alternative on Windows is to create a trivial executable that calls the SQLDriverConnect on Windows. This will launch a GUI panel through which you can change the password on a remote AIX/Linux/Windows server.

For an example as well as a picture of the GUI, please see the middle of the article that I wrote referenced by Leon above.

I realize that most do not use command line tools however, most can follow a script.

I prefer OS authentication, but I do run into issues with it.
Our databases are running on AIX, while our business users mostly use PCs to run reports. When a new user joins the company, the AIX admin creates a user ID for this user and DBA creates the necessary views, grant table auth for this user etc. The problem is the password for the user. The AIX admins sets it up such that when the user logs in for first time it prompts for a new password, which is good. The bad is, this works only if the user logs into the AIX machine. If they try logging in thru the client they are using on the PC, this doesn’t work and they are not able to access the machine unless somebody else actually logs in to the AIX machine and changes the pwd for them. Which ends up mostly being the case since most of these users have never used any commandline tools (putty etc). And this way, these users never (almost never) change a password once its set since that requires logging into the AIX operating system. I find this to be the biggest issue since when a user ends up with no access these 3 groups will be finger pointing each other saying one of them messed up
(If you know any way around this, the solution would be welcome)

i wanted to use kerberos auth on a particular AIX box, but only for user accounts, not system accounts, such as the instance owner. i had authentication set to SERVER, so my understanding was that db2 would reach out to the OS for the authentication, via db2ckpwd. however, it seemed that when db2ckpwd asked the OS, some of the user’s attributes were not being honored. rlogin, for example, was being honored, but the authentication method set for a user (krb5 if i remember corrrectly) was not.

so it may be better stated that the OS handles auth when set to SERVER BUT with caveat 1, 2, 3… etc. in the end, we probably just needed to create one of these plugins you speak about. we reverted to not using kerberos for now.