z/OS Version 2 Release 3 IBM Tivoli Directory Server Administration and Use for z/OS IBM SC23-6788-30


  • z/OS Version 2 Release 3

    IBM Tivoli Directory Server Administration and Use for z/OS

    IBM

    SC23-6788-30

  • Note

    Before using this information and the product it supports, read the information in “Notices” on page 719.

    This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions.

    Last updated: 2019-06-25

    Acknowledgements

    Some of the material contained in this document is a derivative of LDAP documentation provided with the University of Michigan LDAP reference implementation (Version 3.3). Copyright © 1992-1996, Regents of the University of Michigan.

    This product includes software developed by the University of California, Berkeley and its contributors.

    This product includes software developed by NEC Systems Laboratory.

    © Copyright International Business Machines Corporation 1998, 2019.

    US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

  • Contents

    Figures................................................................................................................ xv

    Tables.................................................................................................................xix

    About this document ........ xxv
        Intended audience ........ xxv
        Conventions used in this document ........ xxv
        z/OS information ........ xxv

    How to send your comments to IBM ........ xxvii
        If you have a technical problem ........ xxvii

    Summary of changes ........ xxix
        z/OS Version 2 Release 3 summary of changes ........ xxix
        z/OS Version 2 Release 2 summary of changes ........ xxxi
        z/OS Version 2 Release 1 summary of changes ........ xxxii

    Part 1. Administration........................................................................................... 1

    Chapter 1. Introducing the LDAP server ........ 3
        What is a directory service? ........ 3
        What is LDAP? ........ 4
            How is information stored in the directory? ........ 4
            How is the information arranged? ........ 4
            How is the information referenced? ........ 5
            How is the information accessed? ........ 6
            How is the information protected from unauthorized access? ........ 6
        How does LDAP work? ........ 6
        What about X.500? ........ 6
        What are the capabilities of the z/OS LDAP server? ........ 6
            Participation in multilevel security ........ 11
            RFCs supported by z/OS LDAP ........ 12
            Draft RFCs ........ 13
            Superseded RFCs ........ 13

    Chapter 2. Planning and roadmap ........ 15
        Planning directory content ........ 15
        LDAP server roadmap ........ 15

    Chapter 3. Installing and setting up related products ........ 17
        Required products ........ 17
            Installing and setting up WLM (Workload Management) ........ 17
            Installing a z/OS UNIX System Services file system for the schema backend ........ 18
        Optional products ........ 18
        Installing and setting up Db2 for TDBM and GDBM (Db2-based) ........ 19
            Getting Db2 installed and set up for CLI and ODBC ........ 19
        Installing RACF for SDBM and native authentication ........ 21
        Installing a z/OS UNIX System Services file system for LDBM, GDBM (file-based), and CDBM backends ........ 21


        Installing System SSL ........ 21
        Installing ICSF for encryption, hashing, or SSL/TLS ........ 22
        Installing Kerberos ........ 22

    Chapter 4. Configuring an LDAP server using the dsconfig utility ........ 25
        Overview of the LDAP configuration utility ........ 25
            Capabilities ........ 26
            Restrictions ........ 27
        Running the dsconfig utility ........ 27
        dsconfig utility ........ 27
            Purpose ........ 27
            Format ........ 28
            Parameters ........ 28
            Examples ........ 28
            Input file description ........ 28
            Usage notes ........ 29
        Configuration roles and responsibilities ........ 31
        Steps for configuring an LDAP server ........ 33
            Configuration confirmation ........ 36
        Specifying advanced configuration options with the dsconfig utility ........ 36
        Setting the time zone ........ 38

    Chapter 5. Configuring an LDAP server without the dsconfig utility ........ 39
        LDAP server configuration roadmap ........ 39
        Preparing for configuration variable interactions ........ 43
        Setting the time zone ........ 44

    Chapter 6. Setting up the user ID and security for the LDAP server ........ 45
        Setting up a user ID for your LDAP server ........ 45
        Requirements for a user ID that runs the LDAP server ........ 46
            Additional setup for user ID that runs the LDAP server ........ 47
            Additional setup for LDAP console commands ........ 48
            Additional setup when using SDBM ........ 48
            Additional setup for RACF PROXY segment and SDBM ........ 49
            Additional setup for sysplex ........ 49
            Defining the Kerberos identity ........ 49
            Additional setup for generating audit records ........ 50
            Additional setup for using securityLabel option ........ 50
            Additional setup when defining administrative roles in RACF ........ 50
            Additional setup for using SHA-2 or Salted SHA-2 hashing ........ 50
        Protecting the environment for the LDAP server ........ 50

    Chapter 7. Preparing WLM, backends, sysplex, SSL/TLS, and encryption or hashing ........ 53
        Setting up for WLM (workload management) ........ 53
        Copying the configuration files ........ 54
        Creating a sample server with an LDBM backend ........ 54
        Creating the Db2 database and table spaces for TDBM or GDBM ........ 55
            Partitioning Db2 table spaces ........ 57
            Range-partitioned Db2 table spaces for TDBM ........ 57
            Partition-by-growth Db2 table spaces for TDBM or GDBM ........ 59
        Setting up for TDBM ........ 60
            Copying a TDBM database ........ 60
        Setting up for SDBM ........ 61
        Setting up for LDBM ........ 61
            Copying an LDBM backend ........ 62
        Setting up for CDBM ........ 63
        Setting up for GDBM ........ 64
            Configuring file-based GDBM ........ 64


            Configuring Db2-based GDBM ........ 65
        Setting up for Policy Director extended operations ........ 65
        Setting up for sysplex ........ 65
        Setting up for SSL/TLS ........ 67
            Using SSL/TLS protected communications ........ 67
            Creating and using key databases, key rings, or PKCS #11 tokens ........ 68
            Obtaining a certificate ........ 69
            Enabling SSL/TLS support ........ 69
            Setting up the security options for the LDAP server ........ 69
            Setting up an LDAP client ........ 74
            Using LDAP client APIs to access LDAP using SSL/TLS ........ 75
            Support of certificate bind ........ 75
        Configuring for encryption or hashing ........ 75
            One-way hashing formats ........ 75
            Two-way encryption formats ........ 76
            Symmetric encryption keys ........ 77
        Configuring for user and administrator password encryption or hashing ........ 77
        Configuring for secret encryption ........ 79
        Configuring for securityLabel option ........ 80

    Chapter 8. Customizing the LDAP server configuration ........ 81
        Creating the ds.conf file ........ 81
            Locating ds.conf ........ 81
            Configuration file format ........ 81
            Specifying a value for filename ........ 83
            Specifying a value for a distinguished name ........ 83
            Configuration file checklist ........ 84
        Configuration file options ........ 88
            Deprecated options ........ 134
        CDBM backend configuration and policy entries ........ 134
            cn=configuration ........ 135
            cn=Replication,cn=configuration ........ 137
            cn=Log Management,cn=Configuration ........ 139
            cn=Replication,cn=Log Management,cn=Configuration ........ 139
            cn=admingroup,cn=configuration ........ 140
            cn=safadmingroup,cn=configuration ........ 140
            cn=ibmpolicies ........ 140
            cn=pwdpolicy,cn=ibmpolicies ........ 140
        Configuration considerations ........ 140
        Configuring the operational mode ........ 142
            Single-server mode ........ 144
            Multiple single-server mode ........ 144
            Multi-server mode ........ 144
            PC callable support mode ........ 146
        Establishing the root administrator DN and basic replication replica server DN and passwords ........ 147
        Example configuration scenarios ........ 149
            Configuring a TDBM backend with SSL/TLS and password encryption or hashing ........ 149
            Configuring SDBM and GDBM (Db2-based) backends ........ 150
            Configuring SDBM and TDBM backends ........ 150
            Configuring LDBM with native authentication and GDBM (file-based) backends ........ 150
            Configuring LDBM and CDBM backends with advanced replication and password policy ........ 151
            Configuring an EXOP backend ........ 151

    Chapter 9. Administrative group and roles ........ 153
        Administrative roles ........ 153
        Enabling the administrative group and roles ........ 157
        Defining administrative group and roles ........ 157
            Administrative roles defined in LDAP ........ 157


            Administrative roles defined in RACF ........ 159
        Administrative group member examples ........ 160
        Administrative roles and extended operations ........ 161
        Administrative group and roles-related extended operation ........ 162
        User type extended operation examples ........ 162

    Chapter 10. Running the LDAP server ........ 165
        Setting up the PDSE for the LDAP server DLLs ........ 165
        Setting up and running the LDAP server ........ 165
            Defining the started task for the LDAP server ........ 165
            Running the LDAP server using the sample JCL ........ 165
            LDAP server messages and debug output ........ 169
            Running the LDAP server using data sets ........ 169
        Verifying the LDAP server ........ 170
        Finalizing setup of LDAP backends ........ 171
        Environment variables used by the LDAP server ........ 172
        Dynamic debugging ........ 175
        CTRACE in-memory trace records ........ 175
            Viewing LDAP server CTRACE output ........ 176
        Displaying performance information and server settings ........ 177
            Size limitations ........ 185
        Activity logging ........ 186
            Configuring the activity log support ........ 188
        LDAP SMF auditing ........ 192
            Auditing events ........ 192
            Working with audit records ........ 193
        Monitoring LDAP server resources ........ 194
            Server backends and plug-ins during startup ........ 194
            Db2 ........ 194
            Network communications ........ 194
            Client connections ........ 195
            File system ........ 195
            LDAP server abnormal termination ........ 195
        Health checks supported by the LDAP server ........ 196
            TDS-Db2 Health Check ........ 196
            TDS-CONFIG Health Check ........ 197
        LDAP server operator commands ........ 197

    Chapter 11. Migrating to z/OS ........ 199
        Actions required for migrations from previous releases of z/OS ........ 199
        Fallback from a TDBM or Db2-based GDBM backend in z/OS IBM TDS to an earlier z/OS IBM TDS version ........ 199
        LDAP_COMPAT_FLAGS environment variable ........ 200
        Updating LDAP configurations settings in a sysplex without server outage ........ 201
        Checking file ownership for the LDAP server ........ 203
        Migration roadmap ........ 203
            z/OS Version 2 Release 3 update summary ........ 203
            z/OS Version 2 Release 2 update summary ........ 208

    Chapter 12. Running and using the LDAP server utilities ........ 211
        Running the LDAP server utilities in the z/OS shell ........ 211
        Running the LDAP server utilities from JCL ........ 212
        Running the LDAP server utilities in TSO ........ 212
        SSL/TLS information for LDAP utilities ........ 213
            Using RACF key rings ........ 214
            Using PKCS #11 tokens ........ 215
            Using a Java keystore or RACF key ring for ldapdiff ........ 215
        Server utilities ........ 215


            db2pwden utility ........ 215
            ds2ldif utility ........ 218
            ldif2ds utility ........ 228
            ldapdiff utility ........ 238
            ldapexop utility ........ 246

    Chapter 13. Globalization support ........ 257
        Translated messages ........ 257
        UTF-8 support ........ 257

    Part 2. Use.........................................................................................................259

    Chapter 14. Data model ........ 261
        Relative distinguished names ........ 261
        Distinguished name syntax ........ 262
            Domain component naming ........ 262
            RACF-style distinguished names ........ 262

    Chapter 15. LDAP directory schema ........ 265
        Setting up the schema for LDBM, TDBM, and CDBM ........ 265
        Schema introduction ........ 266
            Schema attribute syntax ........ 274
            LDAP schema attributes ........ 276
        Defining new schema elements ........ 285
        Updating the schema ........ 286
            Changing the initial schema ........ 287
            Replacing individual schema values ........ 287
            Updating a numeric object identifier (NOID) ........ 288
            Analyzing schema errors ........ 289
        Retrieving the schema ........ 289
            Displaying the schema entry ........ 290
            Finding the subschemaSubentry DN ........ 290

    Chapter 16. Modify DN operations .......... 291
        Modify DN operation syntax .......... 291
        Considerations in the use of Modify DN operations .......... 295
        Eligibility of entries for rename .......... 296
        Concurrency considerations between Modify DN operations and other LDAP operations .......... 297
        Access control and ownership .......... 297
        Relocating an entry .......... 299
        Relocating an entry with DN realignment requested .......... 299
        Access control changes .......... 299
        Ownership changes .......... 302
        Modify DN operations related to suffix DNs .......... 302
            Scenario constraints .......... 302
            Example scenarios .......... 303
        Modify DN operations and replication .......... 308
            Initial validation of compatible server versions in consumer and replica servers .......... 309
            Periodic validation of compatible server versions in basic replication replicas .......... 309
            Loss of basic replication synchronization because of incompatible replica server versions .......... 310
            Loss of basic replication synchronization because of incompatible replica server versions - recovery .......... 310

    Chapter 17. Accessing RACF information .......... 311
        SDBM authorization .......... 311
        Binding using a RACF user ID and password or password phrase .......... 312
            Binding with SDBM using password policy .......... 313
        SDBM group gathering .......... 313
        Associating LDAP attributes to RACF fields .......... 313
            Associating LDAP attributes to RACF fixed fields .......... 313
            Associating LDAP attributes to RACF custom fields .......... 323
            Special usage of racfAttributes, racfConnectAttributes, racfResourceAttributes, and racfSetroptsAttributes .......... 324
        RACF namespace entries .......... 325
            SDBM schema information .......... 326
            SDBM support for special characters .......... 326
        Control of access to RACF data .......... 327
        SDBM operational behavior .......... 327
            SDBM search capabilities .......... 336
            Retrieving RACF user password and password phrase envelopes .......... 344
            Changing a user password or password phrase in RACF using SDBM .......... 345
            Using LDAP client utilities with SDBM .......... 346
            Deleting attributes .......... 349

    Chapter 18. Password policy .......... 351
        Password policy entries .......... 351
        Activating password policy .......... 352
        Password policy attributes .......... 352
        Password policy evaluation .......... 360
            Evaluation of a user's individual and composite group password policy .......... 361
            Effective password policy examples .......... 363
        Password policy operational attributes .......... 364
        PasswordPolicy control .......... 366
        Replicating password policy operational attributes .......... 368
        Password policy related extended operations .......... 369
        Overriding password policy and unlocking accounts .......... 369
        Unlocking or unexpiring the account of the LDAP root administrator (adminDN) .......... 371
        Password policy examples .......... 371
            Global password policy example .......... 371
            Group password policy example .......... 372
            Individual password policy example .......... 373
            Effective password policy extended operation example .......... 374
            Account status extended operation example .......... 374
        Changing password values when pwdsafemodify is set to true .......... 374

    Chapter 19. Kerberos authentication .......... 377
        Setting up for Kerberos .......... 377
        Schema for Kerberos .......... 378
        Identity mapping .......... 379
            Default mapping .......... 379
            SDBM mapping .......... 380
        Configuring access control .......... 380
        Example of setting up a Kerberos directory .......... 382
        Kerberos operating environments .......... 384

    Chapter 20. Native authentication .......... 387
        Initializing native authentication .......... 387
        Schema for native authentication .......... 387
        Defining participation in native authentication .......... 388
        Binding with native authentication .......... 388
        Updating native passwords and password phrases .......... 390
            Updating native passwords or password phrases during bind .......... 390
        Password policy with native authentication .......... 391
        Example of setting up native authentication .......... 391
        Using native authentication with web servers .......... 395

    Chapter 21. CRAM-MD5 and DIGEST-MD5 authentication .......... 397
        DIGEST-MD5 bind mechanism restrictions in the z/OS LDAP server .......... 397
        Considerations for setting up a TDBM, LDBM, or CDBM backend for CRAM-MD5 and DIGEST-MD5 authentication .......... 397
            CRAM-MD5 and DIGEST-MD5 configuration option .......... 398
            Example of setting up for CRAM-MD5 and DIGEST-MD5 .......... 399

    Chapter 22. Using extended operations to access Policy Director data .......... 401
        GetDnForUserid extended operation .......... 401
        GetPrivileges extended operation .......... 401

    Chapter 23. Static, dynamic, and nested groups .......... 403
        Static groups .......... 403
        Dynamic groups .......... 403
            Dynamic group search filter examples .......... 404
        Nested groups .......... 405
        Determining group membership .......... 405
            Displaying group membership .......... 406
            ACL restrictions on displaying group membership .......... 406
            ACL restrictions on group gathering .......... 406
        Managing group search limits .......... 406
            Creating group search limits .......... 407
            Enabling group search limit processing .......... 407
            Using the limits from search limit groups .......... 407
        Group examples .......... 408
            Examples of adding, modifying, and deleting group entries .......... 408
            Examples of querying group membership .......... 410

    Chapter 24. Using access control .......... 417
        Access control attributes .......... 417
            aclEntry attribute .......... 418
            aclPropagate attribute .......... 422
            aclSource attribute .......... 422
            entryOwner attribute .......... 422
            ownerPropagate attribute .......... 423
            ownerSource attribute .......... 423
        ACL filters .......... 424
        Initializing ACLs with TDBM or LDBM .......... 425
        Default ACLs with LDBM or TDBM .......... 426
        Initializing ACLs with GDBM .......... 426
        Initializing ACLs with CDBM .......... 426
        Initializing ACLs with schema entry .......... 427
        Access determination .......... 427
            Access determination examples .......... 430
            Search .......... 433
            Filter .......... 433
            Compare .......... 433
            Requested attributes .......... 433
        Querying effective permissions .......... 433
        Propagating ACLs .......... 436
            Example of propagation .......... 436
            Examples of overrides .......... 437
            Other examples .......... 437
        Access control groups .......... 438
            Associating DNs, access groups, and additional bind and directory entry access information with a bound user .......... 438
        Deleting a user or a group .......... 439
        Retrieving ACL information from the server .......... 440
        Creating and managing access controls .......... 440
            Creating an ACL .......... 440
            Modifying an ACL .......... 442
            Deleting an ACL .......... 444
            Creating an owner for an entry .......... 444
            Modifying an owner for an entry .......... 445
            Deleting an owner for an entry .......... 447
            Creating a group for use in ACLs and entry owner settings .......... 447

    Chapter 25. Basic replication .......... 449
        Basic replication in a sysplex .......... 449
        ibm-entryuuid replication .......... 450
        Complex modify DN replication .......... 450
        Basic replication and ldif2ds .......... 450
        Data encryption or hashing and basic replication .......... 450
        Replicating server .......... 451
            Replica entries .......... 451
        Adding replica entries in TDBM or LDBM .......... 454
            Searching a replica entry .......... 455
            Displaying basic replication status .......... 455
        Basic replication maintenance mode .......... 455
        Replica server .......... 456
            Populating a replica .......... 456
            Configuring the replica .......... 456
            LDAP update operations on read-only replicas .......... 457
        Changing a read-only replica to a master .......... 458
        Basic peer to peer replication .......... 458
            Server configuration .......... 459
            Basic replication conflict resolution .......... 459
        Adding a peer replica to an existing server .......... 459
        Upgrading a read-only replica to be a peer replica of the master server .......... 459
        Downgrading a peer server to read-only replica .......... 460
        SSL/TLS and basic replication .......... 460
            Replica server with SSL/TLS enablement .......... 460
            Replicating server with SSL/TLS enablement .......... 460
        Basic replication error log .......... 461
        Troubleshooting basic replication .......... 462
            Recovering from basic replication out-of-sync conditions .......... 463

    Chapter 26. Advanced replication .......... 465
        Advanced replication terminology .......... 465
        Replication topology .......... 467
        Advanced replication overview .......... 468
            Master-replica replication .......... 468
            Forwarding (cascading) replication .......... 469
            Peer-to-peer replication .......... 469
            Gateway replication .......... 470
        Advanced replication features .......... 471
            Partial replication .......... 471
            Replication scheduling .......... 471
            Replication conflict resolution .......... 471
        Enabling advanced replication .......... 472
        Supplier server entries .......... 473
            Replication contexts .......... 473
            Replica groups .......... 474
            Replica subentries .......... 474
            Replication agreements .......... 475
            Credentials entries .......... 478
            Schedule entries .......... 480
        Consumer server entries .......... 484
        Things to consider before configuring advanced replication .......... 488
        Advanced replication configuration examples .......... 489
            Suppliers and consumers .......... 489
            Server ID .......... 490
            Advanced replication related entries summary .......... 490
            Creating a master-replica topology .......... 492
            Creating a peer-to-peer replication topology .......... 495
            Creating a master-forwarder-replica (cascading) topology .......... 499
            Creating a gateway topology .......... 504
        Replication topology hints and tips .......... 509
        Replication of schema and password policy updates .......... 510
        Protecting replication topology entries .......... 510
        Unconfiguring advanced replication .......... 510
        Advanced replication maintenance mode .......... 511
        Partial replication .......... 512
            Replication filter examples .......... 513
        SSL/TLS and advanced replication .......... 514
            Replica server with SSL/TLS enablement .......... 514
            Replicating server with SSL/TLS enablement .......... 514
        Displaying advanced replication configuration .......... 515
        Command line tasks for managing replication .......... 516
            Advanced replication related extended operations .......... 516
            Viewing replication configuration information .......... 517
        Monitoring and diagnosing advanced replication problems .......... 518
            Recovering from advanced replication errors .......... 521
            Advanced replication error recovery example .......... 524

    Chapter 27. Alias .......... 529
        Impact of aliasing on search performance .......... 529
        Alias entry .......... 529
            Alias entry rules .......... 530
        Dereferencing an alias .......... 530
            Dereferencing during search .......... 531
        Alias examples .......... 532

    Chapter 28. Change logging .......... 537
        Configuring the GDBM backend .......... 537
            Configuring a Db2-based GDBM backend .......... 538
            Configuring a file-based GDBM backend .......... 538
        Additional required configuration .......... 538
        When changes are logged .......... 539
            RACF changes .......... 539
            TDBM, LDBM, CDBM, and schema changes .......... 539
        Change log schema .......... 539
        Change log entries .......... 540
        Searching the change log .......... 541
        Passwords in change log entries .......... 542
        Unloading and loading the change log .......... 542
        Trimming the change log .......... 542
        Change log information in the root DSE entry .......... 542
        Multi-server considerations .......... 542
        How to set up and use the LDAP server for logging changes .......... 543

    Chapter 29. Referrals.............................................................................................................................. 547Using the referral object class and the ref attribute......................................................................... 547

    xi

            Creating referral entries .......... 547
        Associating servers with referrals .......... 548
            Pointing to other servers .......... 548
            Defining the default referral .......... 549
        Processing referrals .......... 549
            Using LDAP Version 2 referrals .......... 550
            Using LDAP Version 3 referrals .......... 550
            Bind considerations for referrals .......... 551
        Example: Associating servers through referrals and basic replication .......... 551

    Chapter 30. Client considerations .......... 557
        Root DSE .......... 557
            Root DSE search with base scope .......... 557
            Root DSE search with subtree scope (Null-based subtree search) .......... 562
        Monitor support .......... 563
        UTF-8 data over the LDAP Version 2 protocol .......... 563
        Attribute types stored and returned in lowercase .......... 563
        Abandon behavior .......... 563

    Chapter 31. Performance tuning .......... 565
        Overview .......... 565
        General LDAP server performance considerations .......... 565
            Threads .......... 565
            Debug settings .......... 565
            Storage in the LDAP address space .......... 565
            LDAP server cache tuning .......... 565
            Operations monitor .......... 566
            Workload manager (WLM) .......... 567
        Password policy considerations .......... 570
        LDBM performance considerations .......... 570
            Storage in the LDAP address space for LDBM data .......... 571
            LDAP server initialization time with LDBM .......... 571
            Database commit processing .......... 571
            DASD space for LDBM data .......... 572
            Sample LDBM benchmark data .......... 572
        CDBM performance considerations .......... 573
        TDBM performance considerations .......... 573
            Db2 tuning .......... 573
            TDBM database tuning .......... 575
        Monitoring performance with cn=monitor .......... 576
            Monitor search examples .......... 583
        User groups considerations in large directories .......... 585
            Large static groups considerations .......... 586
            Dynamic groups memberURL filter indexing considerations .......... 587
            Warning regarding Db2 logging of large static group updates .......... 589
            LE heap pools considerations .......... 589
            Tuning LE heap and heap pools .......... 590
        Paged search considerations .......... 590
        Sorted search considerations .......... 591
        GDBM (Changelog) performance considerations .......... 592
        SDBM performance considerations .......... 593

    Appendix A. Initial LDAP server schema .......... 595

    Appendix B. SPUFI files .......... 623
        The DSTDBMDB SPUFI file .......... 623
        The TDBMMGRT SPUFI file .......... 633

    Appendix C. Supported server controls .......... 643
        authenticateOnly .......... 643
        Do Not Replicate .......... 643
        IBMLdapProxyControl .......... 643
        IBMModifyDNRealignDNAttributesControl .......... 644
        IBMModifyDNTimelimitControl .......... 645
        IBMSchemaReplaceByValueControl .......... 645
        manageDsaIT .......... 646
        No Replication Conflict Resolution .......... 646
        pagedResults .......... 647
        PasswordPolicy .......... 648
        PersistentSearch .......... 648
        Refresh Entry .......... 651
        replicateOperationalAttributes .......... 651
        Replication bind failure time stamp control .......... 652
        Replication Supplier ID Bind .......... 653
        Server Administration .......... 653
        SortKeyRequest .......... 654
        SortKeyResponse .......... 655

    Appendix D. Supported extended operations .......... 657
        Account status .......... 657
        Cascading control replication .......... 658
        changeLogAddEntry .......... 660
        Control replication .......... 662
        Control replication error log .......... 663
        Control replication queue .......... 665
        Effective password policy .......... 666
        GetDnForUserid .......... 667
        GetEffectiveACL .......... 668
        GetPrivileges .......... 671
        Quiesce or unquiesce context .......... 672
        Remote auditing .......... 673
        Remote authorization .......... 673
        RemoteCryptoCCA .......... 674
        RemoteCryptoPKCS#11 .......... 674
        Replication topology .......... 674
        Start TLS .......... 676
        unloadRequest .......... 677
        User type .......... 678

    Appendix E. SMF records .......... 681
        SMF Record Type 83, subtype 3 records .......... 681
        RACF SMF unload utility output .......... 685

    Appendix F. Activity log records .......... 695
        Activity log start and end field descriptions .......... 695
        Activity log mergedRecord field descriptions .......... 698

    Appendix G. Guidelines for interoperability between non-z/OS TDS and z/OS TDS .......... 703
        Schema considerations .......... 703
        Import or export of directory entries .......... 705
        Functional considerations .......... 705
        Administrative group and roles considerations .......... 706

    Appendix H. Searching operational attributes .......... 707

    Appendix I. Accessibility .......... 715
        Accessibility features .......... 715
        Consult assistive technologies .......... 715
        Keyboard navigation of the user interface .......... 715
        Dotted decimal syntax diagrams .......... 715

    Notices .......... 719
        Terms and conditions for product documentation .......... 720
        IBM Online Privacy Statement .......... 721
        Policy for unsupported hardware .......... 721
        Minimum supported hardware .......... 722
        Trademarks .......... 722

    .......... 723

    Index .......... 731

    Figures

    1. Directory hierarchy example .......... 5
    2. Sample DSNAOINI file .......... 21
    3. Overview of the LDAP configuration utility .......... 26
    4. Sample portion of ds.profile .......... 29
    5. LDAP configuration utility roles and responsibilities .......... 33
    6. General format of ds.conf .......... 82
    7. GDG JCL example .......... 189
    8. Sample schema entry .......... 266
    9. Before Modify DN operation .......... 292
    10. After Modify DN operation .......... 293
    11. Before Modify DN operation .......... 293
    12. After Modify DN operation .......... 294
    13. Before Modify DN operation .......... 294
    14. After Modify DN operation .......... 295
    15. Before Modify DN operation .......... 300
    16. After Modify DN operation .......... 301
    17. Suffix rename with no new superior .......... 303
    18. Suffix rename with new superior .......... 304
    19. Overlapping suffix rename A .......... 305
    20. Overlapping suffix rename B .......... 306
    21. Suffix rename to non-suffix entry .......... 307
    22. Rename non-suffix entry to suffix entry .......... 308
    23. RACF namespace hierarchy (Part 1 of 2) .......... 325

    24. RACF namespace hierarchy (Part 2 of 2) .......... 326
    25. Kerberos directory example .......... 383
    26. Native authentication example .......... 392
    27. CRAM-MD5 and DIGEST-MD5 authentication example .......... 399
    28. Group hierarchy and membership for the examples .......... 410
    29. Example of adding propagating ACL to existing entry in directory .......... 441
    30. Example of adding propagating ACL to existing entry in the directory .......... 441
    31. Example of setting up a non-propagating ACL .......... 442
    32. Example of adding an aclEntry attribute value .......... 443
    33. Example of modifying aclPropagate attribute .......... 443
    34. Example of removing a single aclEntry attribute value .......... 443
    35. Example of deleting an ACL from an entry .......... 444
    36. Example of adding a propagating set of entry owners to existing entry in the directory .......... 445
    37. Example of setting up a non-propagating entry owner .......... 445
    38. Example of adding an entryOwner attribute value .......... 446
    39. Example of modifying the ownerPropagate attribute .......... 446
    40. Example of removing a single entryOwner attribute value .......... 447
    41. Example of deleting an entry owner set from an entry .......... 447
    42. Example of adding a group to access control information .......... 448
    43. Example of adding a group to entry owner information .......... 448
    44. Master-replica replication .......... 469
    45. Cascading replication .......... 469
    46. Peer-to-peer replication .......... 470
    47. Gateway replication .......... 471
    48. Master-replica topology .......... 492

    49. Peer-to-peer topology .............................