z/OS Version 2 Release 3

IBM Tivoli Directory Server Administration and Use for z/OS

IBM

SC23-6788-30
Note
Before using this information and the product it supports, read the information in “Notices” on page 719.

This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions.

Last updated: 2019-06-25

Acknowledgements
Some of the material contained in this document is a derivative of LDAP documentation provided with the University of Michigan LDAP reference implementation (Version 3.3). Copyright © 1992-1996, Regents of the University of Michigan.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by NEC Systems Laboratory.

© Copyright International Business Machines Corporation 1998, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Figures ...... xv
Tables ...... xix
About this document ...... xxv
    Intended audience ...... xxv
    Conventions used in this document ...... xxv
    z/OS information ...... xxv
How to send your comments to IBM ...... xxvii
    If you have a technical problem ...... xxvii
Summary of changes ...... xxix
    z/OS Version 2 Release 3 summary of changes ...... xxix
    z/OS Version 2 Release 2 summary of changes ...... xxxi
    z/OS Version 2 Release 1 summary of changes ...... xxxii

Part 1. Administration ...... 1

Chapter 1. Introducing the LDAP server ...... 3
    What is a directory service? ...... 3
    What is LDAP? ...... 4
        How is information stored in the directory? ...... 4
        How is the information arranged? ...... 4
        How is the information referenced? ...... 5
        How is the information accessed? ...... 6
        How is the information protected from unauthorized access? ...... 6
    How does LDAP work? ...... 6
    What about X.500? ...... 6
    What are the capabilities of the z/OS LDAP server? ...... 6
        Participation in multilevel security ...... 11
        RFCs supported by z/OS LDAP ...... 12
        Draft RFCs ...... 13
        Superseded RFCs ...... 13

Chapter 2. Planning and roadmap ...... 15
    Planning directory content ...... 15
    LDAP server roadmap ...... 15

Chapter 3. Installing and setting up related products ...... 17
    Required products ...... 17
        Installing and setting up WLM (Workload Management) ...... 17
        Installing a z/OS UNIX System Services file system for the schema backend ...... 18
    Optional products ...... 18
        Installing and setting up Db2 for TDBM and GDBM (Db2-based) ...... 19
            Getting Db2 installed and set up for CLI and ODBC ...... 19
        Installing RACF for SDBM and native authentication ...... 21
        Installing a z/OS UNIX System Services file system for LDBM, GDBM (file-based), and CDBM backends ...... 21
        Installing System SSL ...... 21
        Installing ICSF for encryption, hashing, or SSL/TLS ...... 22
        Installing Kerberos ...... 22

Chapter 4. Configuring an LDAP server using the dsconfig utility ...... 25
    Overview of the LDAP configuration utility ...... 25
        Capabilities ...... 26
        Restrictions ...... 27
    Running the dsconfig utility ...... 27
    dsconfig utility ...... 27
        Purpose ...... 27
        Format ...... 28
        Parameters ...... 28
        Examples ...... 28
        Input file description ...... 28
        Usage notes ...... 29
    Configuration roles and responsibilities ...... 31
    Steps for configuring an LDAP server ...... 33
        Configuration confirmation ...... 36
    Specifying advanced configuration options with the dsconfig utility ...... 36
    Setting the time zone ...... 38

Chapter 5. Configuring an LDAP server without the dsconfig utility ...... 39
    LDAP server configuration roadmap ...... 39
    Preparing for configuration variable interactions ...... 43
    Setting the time zone ...... 44

Chapter 6. Setting up the user ID and security for the LDAP server ...... 45
    Setting up a user ID for your LDAP server ...... 45
    Requirements for a user ID that runs the LDAP server ...... 46
        Additional setup for user ID that runs the LDAP server ...... 47
        Additional setup for LDAP console commands ...... 48
        Additional setup when using SDBM ...... 48
        Additional setup for RACF PROXY segment and SDBM ...... 49
        Additional setup for sysplex ...... 49
        Defining the Kerberos identity ...... 49
        Additional setup for generating audit records ...... 50
        Additional setup for using securityLabel option ...... 50
        Additional setup when defining administrative roles in RACF ...... 50
        Additional setup for using SHA-2 or Salted SHA-2 hashing ...... 50
    Protecting the environment for the LDAP server ...... 50

Chapter 7. Preparing WLM, backends, sysplex, SSL/TLS, and encryption or hashing ...... 53
    Setting up for WLM (workload management) ...... 53
    Copying the configuration files ...... 54
    Creating a sample server with an LDBM backend ...... 54
    Creating the Db2 database and table spaces for TDBM or GDBM ...... 55
        Partitioning Db2 table spaces ...... 57
        Range-partitioned Db2 table spaces for TDBM ...... 57
        Partition-by-growth Db2 table spaces for TDBM or GDBM ...... 59
    Setting up for TDBM ...... 60
        Copying a TDBM database ...... 60
    Setting up for SDBM ...... 61
    Setting up for LDBM ...... 61
        Copying an LDBM backend ...... 62
    Setting up for CDBM ...... 63
    Setting up for GDBM ...... 64
        Configuring file-based GDBM ...... 64
        Configuring Db2-based GDBM ...... 65
    Setting up for Policy Director extended operations ...... 65
    Setting up for sysplex ...... 65
    Setting up for SSL/TLS ...... 67
        Using SSL/TLS protected communications ...... 67
        Creating and using key databases, key rings, or PKCS #11 tokens ...... 68
        Obtaining a certificate ...... 69
        Enabling SSL/TLS support ...... 69
        Setting up the security options for the LDAP server ...... 69
        Setting up an LDAP client ...... 74
        Using LDAP client APIs to access LDAP using SSL/TLS ...... 75
        Support of certificate bind ...... 75
    Configuring for encryption or hashing ...... 75
        One-way hashing formats ...... 75
        Two-way encryption formats ...... 76
        Symmetric encryption keys ...... 77
    Configuring for user and administrator password encryption or hashing ...... 77
    Configuring for secret encryption ...... 79
    Configuring for securityLabel option ...... 80

Chapter 8. Customizing the LDAP server configuration ...... 81
    Creating the ds.conf file ...... 81
        Locating ds.conf ...... 81
        Configuration file format ...... 81
        Specifying a value for filename ...... 83
        Specifying a value for a distinguished name ...... 83
        Configuration file checklist ...... 84
    Configuration file options ...... 88
        Deprecated options ...... 134
    CDBM backend configuration and policy entries ...... 134
        cn=configuration ...... 135
        cn=Replication,cn=configuration ...... 137
        cn=Log Management,cn=Configuration ...... 139
        cn=Replication,cn=Log Management,cn=Configuration ...... 139
        cn=admingroup,cn=configuration ...... 140
        cn=safadmingroup,cn=configuration ...... 140
        cn=ibmpolicies ...... 140
        cn=pwdpolicy,cn=ibmpolicies ...... 140
    Configuration considerations ...... 140
    Configuring the operational mode ...... 142
        Single-server mode ...... 144
        Multiple single-server mode ...... 144
        Multi-server mode ...... 144
        PC callable support mode ...... 146
    Establishing the root administrator DN and basic replication replica server DN and passwords ...... 147
    Example configuration scenarios ...... 149
        Configuring a TDBM backend with SSL/TLS and password encryption or hashing ...... 149
        Configuring SDBM and GDBM (Db2-based) backends ...... 150
        Configuring SDBM and TDBM backends ...... 150
        Configuring LDBM with native authentication and GDBM (file-based) backends ...... 150
        Configuring LDBM and CDBM backends with advanced replication and password policy ...... 151
        Configuring an EXOP backend ...... 151

Chapter 9. Administrative group and roles ...... 153
    Administrative roles ...... 153
    Enabling the administrative group and roles ...... 157
    Defining administrative group and roles ...... 157
        Administrative roles defined in LDAP ...... 157
        Administrative roles defined in RACF ...... 159
    Administrative group member examples ...... 160
    Administrative roles and extended operations ...... 161
    Administrative group and roles-related extended operation ...... 162
    User type extended operation examples ...... 162

Chapter 10. Running the LDAP server ...... 165
    Setting up the PDSE for the LDAP server DLLs ...... 165
    Setting up and running the LDAP server ...... 165
        Defining the started task for the LDAP server ...... 165
        Running the LDAP server using the sample JCL ...... 165
        LDAP server messages and debug output ...... 169
        Running the LDAP server using data sets ...... 169
    Verifying the LDAP server ...... 170
    Finalizing setup of LDAP backends ...... 171
    Environment variables used by the LDAP server ...... 172
    Dynamic debugging ...... 175
    CTRACE in-memory trace records ...... 175
        Viewing LDAP server CTRACE output ...... 176
    Displaying performance information and server settings ...... 177
        Size limitations ...... 185
    Activity logging ...... 186
        Configuring the activity log support ...... 188
    LDAP SMF auditing ...... 192
        Auditing events ...... 192
        Working with audit records ...... 193
    Monitoring LDAP server resources ...... 194
        Server backends and plug-ins during startup ...... 194
        Db2 ...... 194
        Network communications ...... 194
        Client connections ...... 195
        File system ...... 195
        LDAP server abnormal termination ...... 195
    Health checks supported by the LDAP server ...... 196
        TDS-Db2 Health Check ...... 196
        TDS-CONFIG Health Check ...... 197
    LDAP server operator commands ...... 197

Chapter 11. Migrating to z/OS ...... 199
    Actions required for migrations from previous releases of z/OS ...... 199
    Fallback from a TDBM or Db2-based GDBM backend in z/OS IBM TDS to an earlier z/OS IBM TDS version ...... 199
    LDAP_COMPAT_FLAGS environment variable ...... 200
    Updating LDAP configuration settings in a sysplex without server outage ...... 201
    Checking file ownership for the LDAP server ...... 203
    Migration roadmap ...... 203
        z/OS Version 2 Release 3 update summary ...... 203
        z/OS Version 2 Release 2 update summary ...... 208

Chapter 12. Running and using the LDAP server utilities ...... 211
    Running the LDAP server utilities in the z/OS shell ...... 211
    Running the LDAP server utilities from JCL ...... 212
    Running the LDAP server utilities in TSO ...... 212
    SSL/TLS information for LDAP utilities ...... 213
        Using RACF key rings ...... 214
        Using PKCS #11 tokens ...... 215
        Using a Java keystore or RACF key ring for ldapdiff ...... 215
    Server utilities ...... 215
db2pwden utility...........................................................................................................................215ds2ldif utility................................................................................................................................. 218ldif2ds utility................................................................................................................................. 228ldapdiff utility................................................................................................................................238ldapexop utility............................................................................................................................. 246
Chapter 13. Globalization support.......................................................................................................... 257Translated messages......................................................................................................................... 257UTF-8 support.................................................................................................................................... 257
Part 2. Use.........................................................................................................259
Chapter 14. Data model ..........................................................................................................................261Relative distinguished names ........................................................................................................... 261Distinguished name syntax................................................................................................................262
Domain component naming......................................................................................................... 262RACF-style distinguished names................................................................................................. 262

Chapter 15. LDAP directory schema ... 265
   Setting up the schema for LDBM, TDBM, and CDBM ... 265
   Schema introduction ... 266
      Schema attribute syntax ... 274
      LDAP schema attributes ... 276
   Defining new schema elements ... 285
   Updating the schema ... 286
      Changing the initial schema ... 287
      Replacing individual schema values ... 287
      Updating a numeric object identifier (NOID) ... 288
      Analyzing schema errors ... 289
   Retrieving the schema ... 289
      Displaying the schema entry ... 290
      Finding the subschemaSubentry DN ... 290

Chapter 16. Modify DN operations ... 291
   Modify DN operation syntax ... 291
   Considerations in the use of Modify DN operations ... 295
   Eligibility of entries for rename ... 296
   Concurrency considerations between Modify DN operations and other LDAP operations ... 297
   Access control and ownership ... 297
   Relocating an entry ... 299
   Relocating an entry with DN realignment requested ... 299
   Access control changes ... 299
   Ownership changes ... 302
   Modify DN operations related to suffix DNs ... 302
      Scenario constraints ... 302
      Example scenarios ... 303
   Modify DN operations and replication ... 308
      Initial validation of compatible server versions in consumer and replica servers ... 309
      Periodic validation of compatible server versions in basic replication replicas ... 309
      Loss of basic replication synchronization because of incompatible replica server versions ... 310
      Loss of basic replication synchronization because of incompatible replica server versions - recovery ... 310

Chapter 17. Accessing RACF information ... 311
   SDBM authorization ... 311
   Binding using a RACF user ID and password or password phrase ... 312
      Binding with SDBM using password policy ... 313
   SDBM group gathering ... 313
   Associating LDAP attributes to RACF fields ... 313
      Associating LDAP attributes to RACF fixed fields ... 313
      Associating LDAP attributes to RACF custom fields ... 323
      Special usage of racfAttributes, racfConnectAttributes, racfResourceAttributes, and racfSetroptsAttributes ... 324
   RACF namespace entries ... 325
      SDBM schema information ... 326
      SDBM support for special characters ... 326
   Control of access to RACF data ... 327
   SDBM operational behavior ... 327
      SDBM search capabilities ... 336
      Retrieving RACF user password and password phrase envelopes ... 344
      Changing a user password or password phrase in RACF using SDBM ... 345
      Using LDAP client utilities with SDBM ... 346
      Deleting attributes ... 349

Chapter 18. Password policy ... 351
   Password policy entries ... 351
   Activating password policy ... 352
   Password policy attributes ... 352
   Password policy evaluation ... 360
      Evaluation of a user's individual and composite group password policy ... 361
      Effective password policy examples ... 363
   Password policy operational attributes ... 364
   PasswordPolicy control ... 366
   Replicating password policy operational attributes ... 368
   Password policy related extended operations ... 369
   Overriding password policy and unlocking accounts ... 369
   Unlocking or unexpiring the account of the LDAP root administrator (adminDN) ... 371
   Password policy examples ... 371
      Global password policy example ... 371
      Group password policy example ... 372
      Individual password policy example ... 373
      Effective password policy extended operation example ... 374
      Account status extended operation example ... 374
   Changing password values when pwdsafemodify is set to true ... 374

Chapter 19. Kerberos authentication ... 377
   Setting up for Kerberos ... 377
   Schema for Kerberos ... 378
   Identity mapping ... 379
      Default mapping ... 379
      SDBM mapping ... 380
   Configuring access control ... 380
   Example of setting up a Kerberos directory ... 382
   Kerberos operating environments ... 384

Chapter 20. Native authentication ... 387
   Initializing native authentication ... 387
   Schema for native authentication ... 387
   Defining participation in native authentication ... 388
   Binding with native authentication ... 388
   Updating native passwords and password phrases ... 390
      Updating native passwords or password phrases during bind ... 390
   Password policy with native authentication ... 391
   Example of setting up native authentication ... 391
   Using native authentication with web servers ... 395

Chapter 21. CRAM-MD5 and DIGEST-MD5 authentication ... 397
   DIGEST-MD5 bind mechanism restrictions in the z/OS LDAP server ... 397
   Considerations for setting up a TDBM, LDBM, or CDBM backend for CRAM-MD5 and DIGEST-MD5 authentication ... 397
      CRAM-MD5 and DIGEST-MD5 configuration option ... 398
      Example of setting up for CRAM-MD5 and DIGEST-MD5 ... 399

Chapter 22. Using extended operations to access Policy Director data ... 401
   GetDnForUserid extended operation ... 401
   GetPrivileges extended operation ... 401

Chapter 23. Static, dynamic, and nested groups ... 403
   Static groups ... 403
   Dynamic groups ... 403
      Dynamic group search filter examples ... 404
   Nested groups ... 405
   Determining group membership ... 405
      Displaying group membership ... 406
      ACL restrictions on displaying group membership ... 406
      ACL restrictions on group gathering ... 406
   Managing group search limits ... 406
      Creating group search limits ... 407
      Enabling group search limit processing ... 407
      Using the limits from search limit groups ... 407
   Group examples ... 408
      Examples of adding, modifying, and deleting group entries ... 408
      Examples of querying group membership ... 410

Chapter 24. Using access control ... 417
   Access control attributes ... 417
      aclEntry attribute ... 418
      aclPropagate attribute ... 422
      aclSource attribute ... 422
      entryOwner attribute ... 422
      ownerPropagate attribute ... 423
      ownerSource attribute ... 423
   ACL filters ... 424
   Initializing ACLs with TDBM or LDBM ... 425
   Default ACLs with LDBM or TDBM ... 426
   Initializing ACLs with GDBM ... 426
   Initializing ACLs with CDBM ... 426
   Initializing ACLs with schema entry ... 427
   Access determination ... 427
      Access determination examples ... 430
      Search ... 433
      Filter ... 433
      Compare ... 433
      Requested attributes ... 433
   Querying effective permissions ... 433
   Propagating ACLs ... 436
      Example of propagation ... 436
      Examples of overrides ... 437
      Other examples ... 437
   Access control groups ... 438
   Associating DNs, access groups, and additional bind and directory entry access information with a bound user ... 438
   Deleting a user or a group ... 439
   Retrieving ACL information from the server ... 440
   Creating and managing access controls ... 440
      Creating an ACL ... 440
      Modifying an ACL ... 442
      Deleting an ACL ... 444
      Creating an owner for an entry ... 444
      Modifying an owner for an entry ... 445
      Deleting an owner for an entry ... 447
      Creating a group for use in ACLs and entry owner settings ... 447

Chapter 25. Basic replication ... 449
   Basic replication in a sysplex ... 449
   ibm-entryuuid replication ... 450
   Complex modify DN replication ... 450
   Basic replication and ldif2ds ... 450
   Data encryption or hashing and basic replication ... 450
   Replicating server ... 451
      Replica entries ... 451
      Adding replica entries in TDBM or LDBM ... 454
      Searching a replica entry ... 455
      Displaying basic replication status ... 455
   Basic replication maintenance mode ... 455
   Replica server ... 456
      Populating a replica ... 456
      Configuring the replica ... 456
      LDAP update operations on read-only replicas ... 457
   Changing a read-only replica to a master ... 458
   Basic peer to peer replication ... 458
      Server configuration ... 459
      Basic replication conflict resolution ... 459
   Adding a peer replica to an existing server ... 459
   Upgrading a read-only replica to be a peer replica of the master server ... 459
   Downgrading a peer server to read-only replica ... 460
   SSL/TLS and basic replication ... 460
      Replica server with SSL/TLS enablement ... 460
      Replicating server with SSL/TLS enablement ... 460
   Basic replication error log ... 461
   Troubleshooting basic replication ... 462
      Recovering from basic replication out-of-sync conditions ... 463

Chapter 26. Advanced replication ... 465
   Advanced replication terminology ... 465
   Replication topology ... 467
   Advanced replication overview ... 468
      Master-replica replication ... 468
      Forwarding (cascading) replication ... 469
      Peer-to-peer replication ... 469
      Gateway replication ... 470
   Advanced replication features ... 471
      Partial replication ... 471
      Replication scheduling ... 471
      Replication conflict resolution ... 471
   Enabling advanced replication ... 472
   Supplier server entries ... 473
      Replication contexts ... 473
      Replica groups ... 474
      Replica subentries ... 474
      Replication agreements ... 475
      Credentials entries ... 478
      Schedule entries ... 480
   Consumer server entries ... 484
   Things to consider before configuring advanced replication ... 488
   Advanced replication configuration examples ... 489
      Suppliers and consumers ... 489
      Server ID ... 490
      Advanced replication related entries summary ... 490
      Creating a master-replica topology ... 492
      Creating a peer-to-peer replication topology ... 495
      Creating a master-forwarder-replica (cascading) topology ... 499
      Creating a gateway topology ... 504
   Replication topology hints and tips ... 509
   Replication of schema and password policy updates ... 510
   Protecting replication topology entries ... 510
   Unconfiguring advanced replication ... 510
   Advanced replication maintenance mode ... 511
   Partial replication ... 512
      Replication filter examples ... 513
   SSL/TLS and advanced replication ... 514
      Replica server with SSL/TLS enablement ... 514
      Replicating server with SSL/TLS enablement ... 514
   Displaying advanced replication configuration ... 515
   Command line tasks for managing replication ... 516
      Advanced replication related extended operations ... 516
      Viewing replication configuration information ... 517
   Monitoring and diagnosing advanced replication problems ... 518
      Recovering from advanced replication errors ... 521
      Advanced replication error recovery example ... 524

Chapter 27. Alias ... 529
   Impact of aliasing on search performance ... 529
   Alias entry ... 529
      Alias entry rules ... 530
   Dereferencing an alias ... 530
      Dereferencing during search ... 531
   Alias examples ... 532

Chapter 28. Change logging ... 537
   Configuring the GDBM backend ... 537
      Configuring a Db2-based GDBM backend ... 538
      Configuring a file-based GDBM backend ... 538
   Additional required configuration ... 538
   When changes are logged ... 539
      RACF changes ... 539
      TDBM, LDBM, CDBM, and schema changes ... 539
   Change log schema ... 539
   Change log entries ... 540
   Searching the change log ... 541
   Passwords in change log entries ... 542
   Unloading and loading the change log ... 542
   Trimming the change log ... 542
   Change log information in the root DSE entry ... 542
   Multi-server considerations ... 542
   How to set up and use the LDAP server for logging changes ... 543
Chapter 29. Referrals.............................................................................................................................. 547Using the referral object class and the ref attribute......................................................................... 547
Creating referral entries .......... 547
Associating servers with referrals .......... 548
Pointing to other servers .......... 548
Defining the default referral .......... 549
Processing referrals .......... 549
Using LDAP Version 2 referrals .......... 550
Using LDAP Version 3 referrals .......... 550
Bind considerations for referrals .......... 551
Example: Associating servers through referrals and basic replication .......... 551

Chapter 30. Client considerations .......... 557
Root DSE .......... 557
Root DSE search with base scope .......... 557
Root DSE search with subtree scope (Null-based subtree search) .......... 562
Monitor support .......... 563
UTF-8 data over the LDAP Version 2 protocol .......... 563
Attribute types stored and returned in lowercase .......... 563
Abandon behavior .......... 563

Chapter 31. Performance tuning .......... 565
Overview .......... 565
General LDAP server performance considerations .......... 565
Threads .......... 565
Debug settings .......... 565
Storage in the LDAP address space .......... 565
LDAP server cache tuning .......... 565
Operations monitor .......... 566
Workload manager (WLM) .......... 567
Password policy considerations .......... 570
LDBM performance considerations .......... 570
Storage in the LDAP address space for LDBM data .......... 571
LDAP server initialization time with LDBM .......... 571
Database commit processing .......... 571
DASD space for LDBM data .......... 572
Sample LDBM benchmark data .......... 572
CDBM performance considerations .......... 573
TDBM performance considerations .......... 573
Db2 tuning .......... 573
TDBM database tuning .......... 575
Monitoring performance with cn=monitor .......... 576
Monitor search examples .......... 583
User groups considerations in large directories .......... 585
Large static groups considerations .......... 586
Dynamic groups memberURL filter indexing considerations .......... 587
Warning regarding Db2 logging of large static group updates .......... 589
LE heap pools considerations .......... 589
Tuning LE heap and heap pools .......... 590
Paged search considerations .......... 590
Sorted search considerations .......... 591
GDBM (Changelog) performance considerations .......... 592
SDBM performance considerations .......... 593

Appendix A. Initial LDAP server schema .......... 595

Appendix B. SPUFI files .......... 623
The DSTDBMDB SPUFI file .......... 623
The TDBMMGRT SPUFI file .......... 633
Appendix C. Supported server controls .......... 643
authenticateOnly .......... 643
Do Not Replicate .......... 643
IBMLdapProxyControl .......... 643
IBMModifyDNRealignDNAttributesControl .......... 644
IBMModifyDNTimelimitControl .......... 645
IBMSchemaReplaceByValueControl .......... 645
manageDsaIT .......... 646
No Replication Conflict Resolution .......... 646
pagedResults .......... 647
PasswordPolicy .......... 648
PersistentSearch .......... 648
Refresh Entry .......... 651
replicateOperationalAttributes .......... 651
Replication bind failure time stamp control .......... 652
Replication Supplier ID Bind .......... 653
Server Administration .......... 653
SortKeyRequest .......... 654
SortKeyResponse .......... 655

Appendix D. Supported extended operations .......... 657
Account status .......... 657
Cascading control replication .......... 658
changeLogAddEntry .......... 660
Control replication .......... 662
Control replication error log .......... 663
Control replication queue .......... 665
Effective password policy .......... 666
GetDnForUserid .......... 667
GetEffectiveACL .......... 668
GetPrivileges .......... 671
Quiesce or unquiesce context .......... 672
Remote auditing .......... 673
Remote authorization .......... 673
RemoteCryptoCCA .......... 674
RemoteCryptoPKCS#11 .......... 674
Replication topology .......... 674
Start TLS .......... 676
unloadRequest .......... 677
User type .......... 678

Appendix E. SMF records .......... 681
SMF Record Type 83, subtype 3 records .......... 681
RACF SMF unload utility output .......... 685

Appendix F. Activity log records .......... 695
Activity log start and end field descriptions .......... 695
Activity log mergedRecord field descriptions .......... 698

Appendix G. Guidelines for interoperability between non-z/OS TDS and z/OS TDS .......... 703
Schema considerations .......... 703
Import or export of directory entries .......... 705
Functional considerations .......... 705
Administrative group and roles considerations .......... 706
Appendix H. Searching operational attributes .......... 707

Appendix I. Accessibility .......... 715
Accessibility features .......... 715
Consult assistive technologies .......... 715
Keyboard navigation of the user interface .......... 715
Dotted decimal syntax diagrams .......... 715

Notices .......... 719
Terms and conditions for product documentation .......... 720
IBM Online Privacy Statement .......... 721
Policy for unsupported hardware .......... 721
Minimum supported hardware .......... 722
Trademarks .......... 722

.......... 723

Index .......... 731
Figures
1. Directory hierarchy example......................................................................................................................... 5
2. Sample DSNAOINI file ............................................................................................................................... 21
3. Overview of the LDAP configuration utility ................................................................................................ 26
4. Sample portion of ds.profile........................................................................................................................29
5. LDAP configuration utility roles and responsibilities .................................................................................33
6. General format of ds.conf........................................................................................................................... 82
7. GDG JCL example......................................................................................................................................189
8. Sample schema entry............................................................................................................................... 266
9. Before Modify DN operation..................................................................................................................... 292
10. After Modify DN operation...................................................................................................................... 293
11. Before Modify DN operation................................................................................................................... 293
12. After Modify DN operation...................................................................................................................... 294
13. Before Modify DN operation................................................................................................................... 294
14. After Modify DN operation...................................................................................................................... 295
15. Before Modify DN operation................................................................................................................... 300
16. After Modify DN operation...................................................................................................................... 301
17. Suffix rename with no new superior.......................................................................................................303
18. Suffix rename with new superior............................................................................................................304
19. Overlapping suffix rename A.................................................................................................................. 305
20. Overlapping suffix rename B.................................................................................................................. 306
21. Suffix rename to non-suffix entry...........................................................................................................307
22. Rename non-suffix entry to suffix entry.................................................................................................308
23. RACF namespace hierarchy (Part 1 of 2)............................................................................................... 325
24. RACF namespace hierarchy (Part 2 of 2)............................................................................................... 326
25. Kerberos directory example................................................................................................................... 383
26. Native authentication example.............................................................................................................. 392
27. CRAM-MD5 and DIGEST-MD5 authentication example........................................................................ 399
28. Group hierarchy and membership for the examples............................................................................. 410
29. Example of adding propagating ACL to existing entry in directory........................................................441
30. Example of adding propagating ACL to existing entry in the directory................................................. 441
31. Example of setting up a non-propagating ACL ......................................................................................442
32. Example of adding an aclEntry attribute value...................................................................................... 443
33. Example of modifying aclPropagate attribute........................................................................................443
34. Example of removing a single aclEntry attribute value......................................................................... 443
35. Example of deleting an ACL from an entry.............................................................................................444
36. Example of adding a propagating set of entry owners to existing entry in the directory..................... 445
37. Example of setting up a non-propagating entry owner......................................................................... 445
38. Example of adding an entryOwner attribute value................................................................................ 446
39. Example of modifying the ownerPropagate attribute............................................................................446
40. Example of removing a single entryOwner Attribute value................................................................... 447
41. Example of deleting an entry owner set from an entry..........................................................................447
42. Example of adding a group to access control information.................................................................... 448
43. Example of adding a group to entry owner information........................................................................ 448
44. Master-replica replication ......................................................................................................................469
45. Cascading replication .............................................................................................................................469
46. Peer-to-peer replication ........................................................................................................................ 470
47. Gateway replication................................................................................................................................ 471
48. Master-replica topology..........................................................................................................................492
49. Peer-to-peer topology.............................