How to provide LDAP support for HCD

Before reading this section we strongly recommend that you have copies of the following documents available:

• z/OS IBM Tivoli Directory Server Administration and Use for z/OSz/OS IBM Tivoli Directory Server Administration and Use for z/OS
• z/OS IBM Tivoli Directory Server Client Programming for z/OSz/OS IBM Tivoli Directory Server Client Programming for z/OS
• z/OS UNIX System Services Planningz/OS UNIX System Services Planning

Together with the IBM Tivoli Directory Server for z/OS and the RACF backend SDBM, the HCD LDAP backend can be used to access and update IODF data via the standardized Lightweight Directory Access Protocol (LDAP) based on TCP/IP.

The HCD LDAP backend is optional. The HCD functionality is not limited if the HCD LDAP backend is not used. If you do not want to use the HCD LDAP backend, then you do not need to read this information and you do not need to take any further actions.

All operations on IODFs are performed on behalf of user IDs which have to be explicitly permitted for the HCD LDAP backend. This does not affect your system security because the HCD LDAP backend only supports LDAP clients who are bound to the SDBM backend using a user ID and the appropriate password.

The HCD LDAP backend supports a subset of LDAP search requests and a subset of LDAP add, delete, and modify requests.

The HCD LDAP backend is able to perform sequences of update requests as transactions. The LDAP client has to support LDAP V3 controls in order to use this transaction feature.

Updates to an IODF are performed via HCD. Thus, it is ensured that the HCD validation rules are applied.

Only existing IODFs can be used with the HCD LDAP backend. The HCD LDAP backend cannot be used to create or delete IODFs. It cannot be used, for example, to build a production IODF or perform dynamic activation.