z/OS HCD User's Guide


Plugging the HCD LDAP backend into the IBM Tivoli Directory Server for z/OS

SC34-2669-00

The HCD LDAP backend performs its services on behalf of user IDs and uses only the RACF access rights of these user IDs to decide whether a request is legitimate. This requires that the plug-in runs under a user ID that is permitted to switch to the user ID of the respective bind request. Because the plug-in inherits the user ID of the IBM Tivoli Directory Server for z/OS, the HCD LDAP backend can only be plugged into the IBM Tivoli Directory Server for z/OS if the latter runs as a started task under a user ID that is permitted to switch to another user ID. The HCD LDAP backend uses the pthread_security_np() service for this switch (thread-level security model): the identity of the bind user is attached to the thread that serves the request, so RACF authorization checks made from that thread are evaluated against the bind user's access rights rather than against those of the server. For more details on this switch, see the section "Preparing security for servers" in z/OS UNIX System Services Planning.

The remaining setup depends on which z/OS UNIX security level is in effect for servers on your system, including the IBM Tivoli Directory Server for z/OS. There are two options:

  • UNIX level security
  • z/OS UNIX level security

With UNIX level security, the IBM Tivoli Directory Server for z/OS must run as the superuser (UID 0). At this security level the superuser has total authority over the system; in particular, it is automatically entitled to assume the identity of any other user. With z/OS UNIX level security, on the other hand, the right to switch user IDs must be explicitly granted in RACF, even to the superuser.

z/OS UNIX level security is more secure than UNIX level security, and we recommend that you choose this option. Be aware, however, that this is a global decision: z/OS UNIX level security is in effect as soon as the BPX.SERVER profile is defined in the RACF FACILITY class, and from then on every server on the system that switches user IDs needs explicit access to that profile. For this reason, the steps required for both options are described below in detail. Warnings are issued whenever a step has repercussions for your system configuration.

For both options you must issue a number of RACF commands. The example commands shown in the following descriptions make typical assumptions about the system configuration (user IDs, group names, and similar). As these do not necessarily match your particular system configuration, you may need to modify the commands accordingly.

If you have already been using the IBM Tivoli Directory Server for z/OS and are adding the HCD LDAP backend, check whether your setup conforms to the requirements of the HCD LDAP backend. If it does not (for instance, you are not running the IBM Tivoli Directory Server for z/OS as a started task), then you must change your setup.
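As an added illustration (not part of the HCD User's Guide and not IBM's own command sequence), the following RACF commands set up the recommended option, z/OS UNIX level security, for a started-task server. The started task name LDAPSRV, the user ID LDAPSRV, the group LDAPGRP, the UID and GID values and the home directory are assumptions; the comments use CLIST syntax.

```tso
/* Added example: RACF setup for running IBM Tivoli Directory Server   */
/* for z/OS as a started task that may switch to the bind user's        */
/* identity under z/OS UNIX level security. All names and numbers       */
/* (LDAPSRV, LDAPGRP, 9001, /var/ldap) are assumed, not from the guide. */

/* 1. Check the current state first. If BPX.SERVER already exists,      */
/*    the system is already at z/OS UNIX level security and step 4      */
/*    must be skipped; the AUTHUSER list shows who may switch today.   */
RLIST FACILITY BPX.SERVER AUTHUSER

/* 2. Give the server its own user ID with an OMVS segment. Under z/OS  */
/*    UNIX level security it does not need UID(0).                      */
ADDGROUP LDAPGRP OMVS(GID(9001))
ADDUSER LDAPSRV DFLTGRP(LDAPGRP) NOPASSWORD +
        OMVS(UID(9001) HOME('/var/ldap') PROGRAM('/bin/sh'))

/* 3. Associate the started task with that user ID, so the server      */
/*    never runs under the identity of whoever issued the START.       */
RDEFINE STARTED LDAPSRV.* STDATA(USER(LDAPSRV) GROUP(LDAPGRP))
SETROPTS RACLIST(STARTED) REFRESH

/* 4. Switch the system to z/OS UNIX level security. This is global:   */
/*    from now on every server using pthread_security_np() needs       */
/*    access to this profile.                                           */
RDEFINE FACILITY BPX.SERVER UACC(NONE)

/* 5. Permit only this server to switch identities. UPDATE lets it do  */
/*    so without the client's password; READ would require the bind    */
/*    password on every switch.                                         */
PERMIT BPX.SERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH

/* 6. Verify the result.                                                */
RLIST FACILITY BPX.SERVER AUTHUSER
LISTUSER LDAPSRV OMVS
```

Under the alternative, UNIX level security, steps 4 and 5 are omitted and the server user ID instead needs OMVS(UID(0)); every process running under that ID can then assume any identity on the system, which is why the guide recommends against it. Two caveats once BPX.SERVER is defined: the load modules of any server that calls pthread_security_np() must come from program-controlled libraries, otherwise the identity switch fails; and the FACILITY class must already be RACLISTed (SETROPTS RACLIST(FACILITY)) for the REFRESH in step 5 to take effect.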





Copyright IBM Corporation 1990, 2014