24.3.2 Procedure for setting up environment for Directory Server linkage facility

This section explains the procedure for setting up an environment for the Directory Server linkage facility. The following assumes that the environment for HiRDB is already set up and HiRDB is ready to be started.

Procedure
  1. Install the Directory Server.
  2. Register users and roles in the Sun Java System Directory Server.
  3. Terminate HiRDB.
  4. Set up the environment for HiRDB LDAP Option.
  5. Specify the pd_directory_server operand.
  6. Grant privileges to users.#1
  7. Delete unneeded CONNECT privileges.#2
The procedure step numbers correspond to the paragraph numbers in the explanation that follows. For example, step 3 above is explained in paragraph (3) below.
#1 Perform this step when you install HiRDB at a server for the first time.
#2 Perform this step when HiRDB is already running.
Organization of this subsection
(1) Install the Directory Server
(2) Register users and roles in the Directory Server
(3) Terminate HiRDB
(4) Set up the environment for HiRDB LDAP Option
(5) Specify the pd_directory_server operand
(6) Grant privileges to the users
(7) Delete unneeded CONNECT privileges

(1) Install the Directory Server

Install the Directory Server. For details about installing the Sun Java System Directory Server, see the Sun Java System Directory Server documentation.

(2) Register users and roles in the Directory Server

Register in the Sun Java System Directory Server the users who will connect to HiRDB. The HiRDB administrator must also be registered. Defined roles can also be registered. For details about registering users or roles in the Sun Java System Directory Server, see the Sun Java System Directory Server documentation.

(a) Notes on registering users
  1. Be sure to specify the users' passwords when you register users in the Directory Server. You can register users without specifying passwords, but such users will not be able to connect to HiRDB.
  2. User IDs must conform to the naming conventions for HiRDB authorization identifiers (i.e., a user ID must consist of up to eight bytes of upper- and/or lower-case alphabetic characters and/or numeric digits).
  3. A user ID that is the same as a HiRDB reserved word cannot be used for connecting to HiRDB (for a list of the reserved words, see the manual HiRDB Version 8 SQL Reference).
  4. All user IDs must be unique.
  5. Note that user and role information is case sensitive. For details, see 24.3.3 Handling upper-case and lower-case letters specified in user IDs, passwords, and roles.
(b) Notes on registering roles
  1. Register roles that use a filter.
  2. Role names must conform to the naming conventions for HiRDB. A role name must consist of up to 30 bytes of upper- and/or lower-case alphabetic characters and/or numeric digits. Double-byte characters are not allowed.
  3. If a role name is the same as a HiRDB reserved word, table access privileges cannot be granted to that role. For a list of reserved words, see the manual HiRDB Version 8 SQL Reference.
  4. Check that no registered role name is the same as an existing role name or user ID in the Sun Java System Directory Server.
  5. All role names must be unique.
  6. Note that user and role information is case sensitive. For details, see 24.3.3 Handling upper-case and lower-case letters specified in user IDs, passwords, and roles.
(c) When HiRDB is already running

The users registered into HiRDB can be identified by referencing the SQL_USERS dictionary table; an example follows:

Example
Display the authorization identifiers of all users registered in HiRDB:

SELECT USER_ID FROM MASTER.SQL_USERS

(3) Terminate HiRDB

Use the pdstop command to terminate HiRDB normally.

(4) Set up the environment for HiRDB LDAP Option

Install HiRDB LDAP Option and execute the pdopsetup command. For details about installation and executing the pdopsetup command, see the manual HiRDB Version 8 Installation and Design Guide.

After installation is complete, create a HiRDB LDAP Option environment definition file. For details about HiRDB LDAP Option environment definition files, see 24.7 Creating the HiRDB LDAP Option environment definition file.

(5) Specify the pd_directory_server operand

Specify the pd_directory_server operand to use the Directory Server linkage facility. Then, use the pdstart command to start HiRDB normally.

(6) Grant privileges to the users

This task should be performed when HiRDB is installed for the first time. Grant privileges to the users who are registered in Hitachi Directory Server. For the procedure for granting privileges, see 24.4 User privileges setup.

(7) Delete unneeded CONNECT privileges

This task should be performed if HiRDB had been installed and operated previously. Because CONNECT privileges are now managed by Hitachi Directory Server, HiRDB's CONNECT privilege management information is no longer needed. Use the REVOKE statement to delete the CONNECT privilege of all users except for the following:
  - DBA privilege holders and audit privilege holders#1
  - Users whose schema exists#2

The following SQL example retrieves all users who have neither DBA, schema definition, nor audit privilege (that is, users who have CONNECT privilege only, or CONNECT privilege and table access privileges only); these are the users whose CONNECT privilege is to be revoked:

Example

SELECT USER_ID FROM MASTER.SQL_USERS
   WHERE DBA_PRIVILEGE = 'N' AND SCHEMA_PRIVILEGE = 'N'
     AND AUDIT_PRIVILEGE <> 'Y'

#1 CONNECT privileges of DBA privilege holders and audit privilege holders cannot be deleted.

#2 The CONNECT privilege of a user whose schema exists cannot be revoked. Revoking the CONNECT privilege when there is no schema also revokes the schema definition privilege. If a schema definition privilege is revoked inadvertently, grant the schema definition privilege again. Delete a schema only when it is no longer needed.

Remarks
Although HiRDB can be run without deleting the CONNECT privileges, the CONNECT privilege information will remain in the HiRDB dictionary as unnecessary information that is not used. If unneeded privilege information is left, a different user with the same ID who registers subsequently may manipulate definitions and tables using that privilege. If it is decided not to delete the CONNECT privileges, safeguard against such an occurrence by ensuring that the user information registered in Directory Server matches exactly the privilege information registered in HiRDB.