SDBM search capabilities
SDBM supports a limited set of search filters. The following table describes each supported filter and indicates from which search bases it is valid, what type of entries it returns (complete entries, or entries that contain only the DN of the matching entry), and which RACF® commands are issued to perform the search. Most searches can be issued only from one of these top entries: the suffix entry, the profiletype=user,suffix entry, the profiletype=group,suffix entry, the profiletype=connect,suffix entry, or the profiletype=class,suffix entries.
| Filter | Search behavior |
|---|---|
| krbprincipalname=any_value | |
| objectclass=* | |
| profilename=any_value | |
| racfgroupid=any_value | |
| racfid=any_value | |
| racflnotesshortname=any_value | |
| racfndsusername=any_value | |
| racfomvsgroupid=number | |
| racfomvsgroupid;allOMVSids= | |
| racfomvsuid=number | |
| racfomvsuid; | |
| racfuserid=any_value | |
| (&(racfuserid=any_value1) | |
Except for the AND filter used for connection searches, complex search filters that include NOT, AND, OR, LE, or GE constructs are not supported. For example, the filter
(&(racfuserid=usr*)(racfgroupid=*grp))
searches for all connections between users whose names begin with usr and groups whose names end with grp.
A profilename substring filter that carries no value is rejected by the server:
ldap_search: Protocol error
ldap_search: additional info: R010043 Substring filter for attribute 'profilename' has no value
Although an '*' or '**' can be part of a resource profile name, the profilename filter has no way to indicate that an asterisk or double asterisk is part of the name rather than a wildcard. For example, the filter profilename=ABC* returns all profile names that begin with ABC, including the profile named ABC* (if it exists).
For a connection search that involves a RACF universal group (a group whose member list records only users connected with more than USE authority):
- If the racfuserid part of the connection search filter does not contain a wildcard, the connection entry for the specified racfuserid is returned.
- If the racfuserid part of the connection search filter contains a wildcard, the connection entry for a user is returned only if that user is explicitly listed as a member of the universal group.
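The rules above can be enforced on the client before a filter is sent, so that an unsupported filter fails locally with a readable reason instead of coming back as a Protocol error. The validator below is an added example and is not part of this documentation or of the z/OS LDAP server. It encodes the filters from the table (with the allOMVSids option only for racfomvsgroupid, the form the table shows, and a numeric-value rule for the OMVS id attributes, which the table gives as number) and the restrictions described in the preceding paragraphs. Treating a profilename value that consists only of asterisks as the "substring filter with no value" case is my assumption; the page shows the R010043 message but not the filter that produced it. The function names are mine.

```python
import re

# Equality filters the table lists, with whether the value must be a number.
# The allOMVSids attribute option appears only for racfomvsgroupid here, as in
# the table above; extend the dict if your server accepts more.
SIMPLE_FILTERS = {
    "krbprincipalname": False,
    "objectclass": False,
    "profilename": False,
    "racfgroupid": False,
    "racfid": False,
    "racflnotesshortname": False,
    "racfndsusername": False,
    "racfomvsgroupid": True,
    "racfomvsgroupid;allomvsids": True,
    "racfomvsuid": True,
    "racfuserid": False,
}

# attr, comparison operator, value; optional surrounding parentheses.
_SIMPLE = re.compile(r"^\(?([A-Za-z0-9;]+)(<=|>=|=)([^()]*)\)?$")


def _check_simple(component: str) -> tuple[bool, str]:
    """Validate one equality component. Returns (True, attr) or (False, why)."""
    m = _SIMPLE.match(component.strip())
    if not m:
        return False, f"cannot parse filter component {component!r}"
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if op in ("<=", ">="):
        return False, "LE and GE filters are not supported by SDBM"
    if attr not in SIMPLE_FILTERS:
        return False, f"{attr!r} is not a searchable SDBM attribute"
    if attr == "objectclass" and value != "*":
        return False, "only objectclass=* is supported"
    if SIMPLE_FILTERS[attr] and not value.isdigit():
        return False, f"{attr} takes a numeric value"
    if attr == "profilename" and value and set(value) == {"*"}:
        # Assumption: a profilename value made only of wildcards is the
        # "substring filter ... has no value" case SDBM rejects with R010043.
        return False, "R010043: substring filter for 'profilename' has no value"
    if not value:
        return False, f"{attr} filter has no value"
    return True, attr


def validate_sdbm_filter(flt: str) -> tuple[bool, str]:
    """Return (ok, explanation) for an LDAP filter string aimed at SDBM."""
    flt = flt.strip()
    if flt.startswith("(!"):
        return False, "NOT filters are not supported by SDBM"
    if flt.startswith("(|"):
        return False, "OR filters are not supported by SDBM"
    if flt.startswith("(&"):
        parts = re.findall(r"\(([^()]*)\)", flt[2:])
        # Every component must be a flat (attr=value); no nesting.
        if flt.count("(") != len(parts) + 1 or flt.count(")") != len(parts) + 1:
            return False, "nested or malformed AND filter"
        seen = set()
        for p in parts:
            ok, res = _check_simple(p)
            if not ok:
                return False, res
            seen.add(res)
        if seen != {"racfuserid", "racfgroupid"}:
            return False, ("AND is supported only for a connection search: "
                           "(&(racfuserid=...)(racfgroupid=...))")
        return True, "connection search (RACF user/group connections)"
    ok, res = _check_simple(flt)
    if not ok:
        return False, res
    if res == "profilename" and "*" in flt:
        # Every '*' is a wildcard; a literal asterisk in a resource profile
        # name cannot be expressed, so ABC* also matches a profile named ABC*.
        return True, "profilename search; '*' is always a wildcard here"
    return True, f"simple search on {res}"
```

Run validate_sdbm_filter on a filter before handing it to your LDAP client; for a profilename search that must match a profile whose name contains a literal asterisk, the explanation string reminds you that the server cannot distinguish it from a wildcard, so post-filter the returned names on the client.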
Searching the entire RACF database
Most searches that query the entire RACF database (for example, a subtree search from any of the top directory entries other than the setopts entry) return only the DN (distinguished name) attribute. You can then obtain the full data for a particular user, group, connection, or resource with a follow-up search that uses that DN as the search base.
The exceptions are searches with one of these filters:
krbprincipalname=<any_name>
racflnotesshortname=<any_value>
racfndsusername=<any_value>
racfomvsgroupid=<number>
racfomvsuid=<number>
Because each of these filters can match at most one RACF user, the entire user entry is returned in the search results.
RACF restriction on amount of output
When processing certain LDAP search requests, SDBM uses the RACF R_admin "run command" interface to issue RACF search commands. The R_admin "run command" interface limits the number of records in its output to 4096. This means that the RACF search command output might be incomplete if you have many users, groups, connections, or resources, and the LDAP client receives no indication that records were dropped. See z/OS Security Server RACF Callable Services for details on this RACF restriction. The restriction affects only those SDBM searches that issue the RACF search command; see Table 1 to determine which SDBM searches are affected.
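The two-step pattern from the preceding section (subtree search for DNs, then a base-scope search per DN) combined with a guard for the 4096-record limit looks like the following. This is an added example, not code from this documentation or from the z/OS LDAP server. It takes any callable that performs an LDAP search and returns a list of (dn, attrs) tuples, so it runs here against a constructed in-memory stand-in for SDBM; pass a thin wrapper around your real LDAP client instead. The suffix cn=racf, the sample entries, and the names R_ADMIN_OUTPUT_LIMIT, fetch_all_entries, search_may_be_truncated and TruncatedResultError are mine.

```python
R_ADMIN_OUTPUT_LIMIT = 4096  # record cap of the RACF R_admin "run command" interface


class TruncatedResultError(Exception):
    """A database-wide search returned as many records as RACF will emit."""


def search_may_be_truncated(record_count: int) -> bool:
    """RACF cuts the command output off at the limit without signalling it, so
    a result that reaches the limit cannot be trusted to be complete."""
    return record_count >= R_ADMIN_OUTPUT_LIMIT


def fetch_all_entries(search, base: str, flt: str = "objectclass=*") -> dict:
    """Two-step read: subtree search from `base` for DNs, then a base-scope
    search per DN for the attributes. `search(base, scope, flt)` must return a
    list of (dn, attrs) tuples, the shape most LDAP clients give back."""
    dn_only = search(base, "sub", flt)
    if search_may_be_truncated(len(dn_only)):
        # Fail loudly: an audit built on a silently truncated user list would
        # simply miss the users past the cut-off.
        raise TruncatedResultError(
            f"{len(dn_only)} records from {base!r}: RACF search output is "
            f"capped at {R_ADMIN_OUTPUT_LIMIT}, the list is probably incomplete")
    entries = {}
    for dn, _ in dn_only:
        hit = search(dn, "base", "objectclass=*")
        if hit:                     # entry may have been deleted in between
            entries[dn] = hit[0][1]
    return entries


# --- constructed stand-in for SDBM so the example runs offline --------------
SUFFIX = "cn=racf"  # assumed suffix; use your server's SDBM suffix
FAKE_DB = {
    f"racfid=USR01,profiletype=user,{SUFFIX}": {"racfid": ["USR01"], "racfomvsuid": ["1001"]},
    f"racfid=USR02,profiletype=user,{SUFFIX}": {"racfid": ["USR02"], "racfomvsuid": ["1002"]},
    f"racfid=SYS1,profiletype=group,{SUFFIX}": {"racfid": ["SYS1"], "racfomvsgroupid": ["1"]},
}


def fake_search(base, scope, flt):
    """Subtree searches hand back DNs only, like SDBM; base searches give the entry."""
    if scope == "base":
        return [(base, FAKE_DB[base])] if base in FAKE_DB else []
    return [(dn, {}) for dn in FAKE_DB if dn.endswith("," + base) or dn == base]


def make_big_search(n: int):
    """Stand-in for a database with n users: shows the truncation guard firing."""
    def search(base, scope, flt):
        if scope == "base":
            return [(base, {"racfid": [base.split(",")[0].split("=")[1]]})]
        return [(f"racfid=U{i:05d},profiletype=user,{SUFFIX}", {}) for i in range(n)]
    return search


if __name__ == "__main__":
    users = fetch_all_entries(fake_search, f"profiletype=user,{SUFFIX}")
    print(len(users), "user entries read")
    try:
        fetch_all_entries(make_big_search(R_ADMIN_OUTPUT_LIMIT), SUFFIX)
    except TruncatedResultError as e:
        print("guard fired:", e)
```

When the guard fires on a real system, narrow the search (for example, search from profiletype=user,suffix and profiletype=group,suffix separately, or use a racfid prefix filter per alphabet range) so that no single RACF search command has to emit more than 4096 records.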
RACF restriction on amount of input
RACF limits the number of operands that can be specified in a RACF command. If the number of operands exceeds this limit, RACF ignores some of the operands and processes the rest of the command. Therefore, an SDBM add or modify operation that contains many attributes appears to run successfully, but some of the attributes might not be set; read the entry back after such an operation to confirm that every attribute took effect. For more information, see z/OS Security Server RACF Command Language Reference.
LDAP restriction on RACF data
Except for the RACF user password or password phrase envelopes, all field values sent by RACF to LDAP must consist of printable characters. If a RACF field contains unprintable characters, the value returned in the LDAP output does not match the RACF value and is itself not printable. If a RACF field contains binary zeros, the LDAP output might be truncated. In particular, make sure that the installation DATA field in RACF user and resource profiles does not contain binary zeros or other unprintable characters.
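The two restrictions above (operands silently dropped from a long command, and unprintable data coming back altered or truncated) can both be caught on the client side: refuse to write values that are not printable, and after every add or modify read the entry back and compare. The helper below is an added example, not code from this documentation or from the z/OS LDAP server. It takes plain callables for modify and read so that it runs offline against a constructed stand-in whose operand limit is an illustrative number of my choosing (the real limit is in the RACF Command Language Reference, not on this page). The function names, the stand-in, the suffix cn=racf, and the use of racfprogrammername, racfinstallationdata, racfomvsuid and racfomvshome as the attributes being written are mine.

```python
def check_printable(attrs: dict) -> dict:
    """Map each offending attribute to why RACF would mangle it.

    Only the password/password phrase envelopes are exempt from the
    printable-character rule, and those are not written through a client
    modify, so every value passed here must be printable and NUL-free."""
    problems = {}
    for name, values in attrs.items():
        for v in values:
            if "\x00" in v:
                problems[name] = "binary zeros (LDAP output may be truncated)"
                break
            if not v.isprintable():
                problems[name] = "unprintable characters (value comes back altered)"
                break
    return problems


def modify_and_verify(modify, read, dn: str, changes: dict) -> list:
    """Apply `changes` ({attr: [values]}) through `modify(dn, changes)`, then
    re-read the entry with `read(dn)` and return the attributes whose stored
    values differ from what was requested. A successful modify does not prove
    RACF kept every operand, so an empty list is the only real confirmation."""
    problems = check_printable(changes)
    if problems:
        raise ValueError("refusing to write unprintable data: " + ", ".join(
            f"{a} ({why})" for a, why in problems.items()))
    modify(dn, changes)
    stored = read(dn)
    return [a for a, want in changes.items()
            if sorted(stored.get(a, [])) != sorted(want)]


# --- constructed stand-in: a RACF that keeps only the first few operands -----
ASSUMED_OPERAND_LIMIT = 3   # illustration only; the real limit is in the
                            # RACF Command Language Reference, not on this page
FAKE_ENTRY = {"racfid": ["USR01"]}


def fake_modify(dn, changes):
    """Like RACF with too many operands: later ones are ignored, no error."""
    for attr in list(changes)[:ASSUMED_OPERAND_LIMIT]:
        FAKE_ENTRY[attr] = list(changes[attr])


def fake_read(dn):
    return {a: list(v) for a, v in FAKE_ENTRY.items()}


if __name__ == "__main__":
    dn = "racfid=USR01,profiletype=user,cn=racf"   # assumed suffix cn=racf
    wanted = {
        "racfprogrammername": ["Jane Doe"],
        "racfinstallationdata": ["OWNER=SECENG"],
        "racfomvsuid": ["1001"],
        "racfomvshome": ["/u/usr01"],
    }
    print("silently dropped:", modify_and_verify(fake_modify, fake_read, dn, wanted))
```

Attributes reported by modify_and_verify can be re-sent in a second, smaller modify; splitting a large change into several operations of a few attributes each keeps every command under the operand limit.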