Table of Contents
Abstract for IBM Tivoli Directory Server Administration and Use for z/OS
Summary of changes
z/OS Version 2 Release 1 summary of changes
Administration
Introducing the LDAP server
What is a directory service?
What is LDAP?
How is information stored in the directory?
How is the information arranged?
How is the information referenced?
How is the information accessed?
How is the information protected from unauthorized access?
How does LDAP work?
What about X.500?
What are the capabilities of the z/OS LDAP server?
Participation in multilevel security
RFCs supported by z/OS LDAP
Draft RFCs
Superseded RFCs
Planning and roadmap
Planning directory content
LDAP server roadmap
Installing and setting up related products
Required products
Installing and setting up WLM (Workload Management)
Installing a z/OS UNIX System Services file system for the schema backend
Optional products
Installing and setting up DB2 for TDBM and GDBM (DB2-based)
Getting DB2 installed and set up for CLI and ODBC
Choosing the MVSATTACHTYPE
Setting AUTOCOMMIT
Installing RACF for SDBM and native authentication
Installing a z/OS UNIX System Services file system for LDBM, GDBM (file-based), and CDBM backends
Installing System SSL
Installing ICSF for encryption, hashing, or SSL/TLS
Installing Kerberos
Configuring an LDAP server using the dsconfig utility
Overview of the LDAP configuration utility
Capabilities
Restrictions
Running the dsconfig utility
dsconfig utility
Purpose
Format
Parameters
Examples
Input file description
Usage notes
Configuration roles and responsibilities
Steps for configuring an LDAP server
Configuration confirmation
Specifying advanced configuration options with the dsconfig utility
Setting the time zone
Configuring an LDAP server without the dsconfig utility
LDAP server configuration roadmap
Preparing for configuration variable interactions
Setting the time zone
Setting up the user ID and security for the LDAP server
Setting up a user ID for your LDAP server
Requirements for a user ID that runs the LDAP server
Additional setup for user ID that runs the LDAP server
Additional setup when using SDBM
Additional setup for RACF PROXY segment and SDBM
Additional setup for sysplex
Defining the Kerberos identity
Additional setup for generating audit records
Additional setup for using securityLabel option
Additional setup when defining administrative roles in RACF
Additional setup for using SHA-2 or Salted SHA-2 hashing
Protecting the environment for the LDAP server
Preparing WLM, backends, sysplex, SSL/TLS, and encryption or hashing
Setting up for WLM (workload management)
Copying the configuration files
Creating a sample server with an LDBM backend
Creating the DB2 database and table spaces for TDBM or GDBM
Partitioning DB2 tables for TDBM
Partitioning example
Setting up for TDBM
Copying a TDBM database
Setting up for SDBM
Setting up for LDBM
Copying an LDBM backend
Setting up for CDBM
Setting up for GDBM
Configuring file-based GDBM
Configuring DB2-based GDBM
Setting up for Policy Director extended operations
Setting up for sysplex
Setting up for SSL/TLS
Using SSL/TLS protected communications
Creating and using key databases, key rings, or PKCS #11 tokens
Obtaining a certificate
Enabling SSL/TLS support
Setting up the security options for the LDAP server
Setting up an LDAP client
Using LDAP client APIs to access LDAP using SSL/TLS
Support of certificate bind
Configuring for encryption or hashing
One-way hashing formats
Two-way encryption formats
Symmetric encryption keys
Configuring for user and administrator password encryption or hashing
Configuring for secret encryption
Configuring for securityLabel option
Customizing the LDAP server configuration
Creating the ds.conf file
Locating ds.conf
Configuration file format
Specifying a value for filename
Specifying a value for a distinguished name
Configuration file checklist
Configuration file options
Deprecated options
Ignored options
CDBM backend configuration and policy entries
cn=configuration
cn=Replication,cn=configuration
cn=Log Management,cn=Configuration
cn=Replication,cn=Log Management,cn=Configuration
cn=admingroup,cn=configuration
cn=safadmingroup,cn=configuration
cn=ibmpolicies
cn=pwdpolicy,cn=ibmpolicies
Configuration considerations
Determining operational mode
Operating in single-server mode
Restrictions
Operating in multiple single-server mode
Restrictions
Setting up multiple LDAP servers with DB2-based backends
Operating in multi-server mode
Dependencies
Restrictions
Operating in PC callable support mode
Establishing the root administrator DN and basic replication replica server DN and passwords
Example configuration scenarios
Configuring a TDBM backend with SSL/TLS and password encryption or hashing
Configuring SDBM and GDBM (DB2-based) backends
Configuring SDBM and TDBM backends
Configuring LDBM with native authentication and GDBM (file-based) backends
Configuring LDBM and CDBM backends with advanced replication and password policy
Configuring an EXOP backend
Administrative group and roles
Administrative roles
Enabling the administrative group and roles
Defining administrative group and roles
Administrative roles defined in LDAP
Administrative roles defined in RACF
Administrative group member examples
Administrative roles and extended operations
Administrative group and roles-related extended operation
User type extended operation examples
Running the LDAP server
Setting up the PDSE for the LDAP server DLLs
Setting up and running the LDAP server
Defining the started task for the LDAP server
Running the LDAP server using the sample JCL
LDAP server messages and debug output
Running the LDAP server using data sets
Verifying the LDAP server
Finalizing setup of LDAP backends
Environment variables used by the LDAP server
Dynamic debugging
CTRACE in-memory trace records
Viewing LDAP server CTRACE output
Displaying performance information and server settings
Size limitations
Activity logging
Configuring the activity log support
LDAP SMF auditing
Auditing events
Working with audit records
Monitoring LDAP server resources
Server backends and plug-ins during startup
DB2
Network communications
Client connections
File system
LDAP server abnormal termination
LDAP server operator commands
Migrating to z/OS
Actions required for migrations from previous releases of z/OS
Fallback from a TDBM or DB2-based GDBM backend in z/OS IBM TDS to an earlier z/OS IBM TDS version
LDAP_COMPAT_FLAGS environment variable
Updating LDAP configuration settings in a sysplex without server outage
Checking file ownership for the LDAP server
Migration roadmap
z/OS Version 2 Release 2 update summary
z/OS Version 2 Release 2 overview
Compatibility level upgrade without an LDAP outage
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
Activity logging
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
Dynamic group performance and scalability
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
Replication of password policy attributes
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
z/OS Version 2 Release 1 update summary
z/OS Version 2 Release 1 overview
Remote crypto plug-in
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
ICTX plug-in
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
TLS (Transport Layer Security) V1.2 support
Description
What this change affects
Dependencies
Coexistence considerations
Migration tasks
For more information
Running and using the LDAP server utilities
Running the LDAP server utilities in the z/OS shell
Running the LDAP server utilities from JCL
Running the LDAP server utilities in TSO
SSL/TLS information for LDAP utilities
Using RACF key rings
Using PKCS #11 tokens
Using a Java keystore or RACF key ring for ldapdiff
Utility programs
db2pwden utility
ds2ldif utility
ldif2ds utility
ldapdiff utility
ldapexop utility
Globalization support
Translated messages
UTF-8 support
Use
Data model
Relative distinguished names
Distinguished name syntax
Domain component naming
RACF-style distinguished names
LDAP directory schema
Setting up the schema for LDBM, TDBM, and CDBM
Schema introduction
Schema attribute syntax
LDAP schema attributes
LDAP syntaxes
Matching rules
Attribute types
IBM attribute types
Object classes
Defining new schema elements
Updating the schema
Changing the initial schema
Replacing individual schema values
Updating a numeric object identifier (NOID)
Analyzing schema errors
Retrieving the schema
Displaying the schema entry
Finding the subschemaSubentry DN
Modify DN operations
Modify DN operation syntax
Considerations in the use of Modify DN operations
Eligibility of entries for rename
Concurrency considerations between Modify DN operations and other LDAP operations
Access control and ownership
Relocating an entry
Relocating an entry with DN realignment requested
Access control changes
Ownership changes
Modify DN operations related to suffix DNs
Scenario constraints
Example scenarios
Modify DN operations and replication
Initial validation of compatible server versions in consumer and replica servers
Periodic validation of compatible server versions in basic replication replicas
Loss of basic replication synchronization because of incompatible replica server versions
Loss of basic replication synchronization because of incompatible replica server versions - recovery
Accessing RACF information
SDBM authorization
Binding using a RACF user ID and password or password phrase
Binding with SDBM using password policy
SDBM group gathering
Associating LDAP attributes to RACF fields
Associating LDAP attributes to RACF fixed fields
Associating LDAP attributes to RACF custom fields
Special usage of racfAttributes, racfConnectAttributes, racfResourceAttributes, and racfSetroptsAttributes
RACF namespace entries
SDBM schema information
SDBM support for special characters
Control of access to RACF data
SDBM operational behavior
SDBM search capabilities
Searching the entire RACF database
RACF restriction on amount of output
RACF restriction on amount of input
LDAP restriction on RACF data
Retrieving RACF user password and password phrase envelopes
Changing a user password or password phrase in RACF using SDBM
Using LDAP client utilities with SDBM
Example: adding a user to RACF
Example: modifying a user in RACF
Example: searching for user information in RACF
Example: searching for a user's password and password phrase envelopes in RACF
Example: adding a group to RACF
Example: connecting a user to a group in RACF
Example: searching for information about a user's connection to a group in RACF
Example: removing a user from a group in RACF
Example: removing a user from RACF
Example: adding a resource profile in the facility class and giving a user and a group access to the profile
Example: refreshing the raclist for the facility class
Deleting attributes
Password policy
Password policy entries
Activating password policy
Password policy attributes
Password policy evaluation
Evaluation of a user's individual and composite group password policy
Effective password policy examples
Password policy operational attributes
PasswordPolicy control
Replicating password policy operational attributes
Password policy related extended operations
Overriding password policy and unlocking accounts
Unlocking or unexpiring the account of the LDAP root administrator (adminDN)
Password policy examples
Global password policy example
Group password policy example
Individual password policy example
Effective password policy extended operation example
Account status extended operation example
Changing password values when pwdsafemodify is set to true
Kerberos authentication
Setting up for Kerberos
Schema for Kerberos
Identity mapping
Default mapping
TDBM, LDBM, and CDBM mapping
SDBM mapping
Configuring access control
Example of setting up a Kerberos directory
Kerberos operating environments
Native authentication
Initializing native authentication
Schema for native authentication
Defining participation in native authentication
Binding with native authentication
Updating native passwords and password phrases
Updating native passwords or password phrases during bind
Password policy with native authentication
Example of setting up native authentication
Using native authentication with web servers
CRAM-MD5 and DIGEST-MD5 authentication
DIGEST-MD5 bind mechanism restrictions in the z/OS LDAP server
Considerations for setting up a TDBM, LDBM, or CDBM backend for CRAM-MD5 and DIGEST-MD5 authentication
CRAM-MD5 and DIGEST-MD5 configuration option
Example of setting up for CRAM-MD5 and DIGEST-MD5
Using extended operations to access Policy Director data
GetDnForUserid extended operation
GetPrivileges extended operation
Static, dynamic, and nested groups
Static groups
Dynamic groups
Dynamic group search filter examples
Nested groups
Determining group membership
Displaying group membership
ACL restrictions on displaying group membership
ACL restrictions on group gathering
Managing group search limits
Creating group search limits
Enabling group search limit processing
Using the limits from search limit groups
Group examples
Examples of adding, modifying, and deleting group entries
Examples of querying group membership
Using access control
Access control attributes
aclEntry attribute
Syntax
Scope of protection
Attribute access classes
Access permissions
aclPropagate attribute
aclSource attribute
entryOwner attribute
Syntax
Scope of protection
ownerPropagate attribute
ownerSource attribute
ACL filters
Initializing ACLs with TDBM or LDBM
Default ACLs with LDBM or TDBM
Initializing ACLs with GDBM
Initializing ACLs with CDBM
Initializing ACLs with schema entry
Access determination
Access determination examples
Search
Filter
Compare
Requested attributes
Querying effective permissions
Propagating ACLs
Example of propagation
Examples of overrides
Other examples
Access control groups
Associating DNs, access groups, and additional bind and directory entry access information with a bound user
Deleting a user or a group
Retrieving ACL information from the server
Creating and managing access controls
Creating an ACL
Modifying an ACL
Deleting an ACL
Creating an owner for an entry
Modifying an owner for an entry
Deleting an owner for an entry
Creating a group for use in ACLs and entry owner settings
Basic replication
Basic replication in a sysplex
ibm-entryuuid replication
Complex modify DN replication
Basic replication and ldif2ds
Data encryption or hashing and basic replication
Replicating server
Replica entries
Adding replica entries in TDBM or LDBM
Searching a replica entry
Displaying basic replication status
Basic replication maintenance mode
Replica server
Populating a replica
Configuring the replica
LDAP update operations on read-only replicas
Changing a read-only replica to a master
Basic peer to peer replication
Server configuration
Basic replication conflict resolution
Adding a peer replica to an existing server
Upgrading a read-only replica to be a peer replica of the master server
Downgrading a peer server to read-only replica
SSL/TLS and basic replication
Replica server with SSL/TLS enablement
Replicating server with SSL/TLS enablement
Basic replication error log
Troubleshooting basic replication
Recovering from basic replication out-of-sync conditions
Advanced replication
Advanced replication terminology
Replication topology
Advanced replication overview
Master-replica replication
Forwarding (cascading) replication
Peer-to-peer replication
Gateway replication
Advanced replication features
Partial replication
Replication scheduling
Replication conflict resolution
Enabling advanced replication
Supplier server entries
Replication contexts
Replica groups
Replica subentries
Replication agreements
Credentials entries
Schedule entries
Consumer server entries
Things to consider before configuring advanced replication
Advanced replication configuration examples
Suppliers and consumers
Server ID
Advanced replication related entries summary
Supplier server entries
Consumer server entries
Creating a master-replica topology
Creating a peer-to-peer replication topology
Creating a master-forwarder-replica (cascading) topology
Creating a gateway topology
Replication topology hints and tips
Replication of schema and password policy updates
Protecting replication topology entries
Unconfiguring advanced replication
Advanced replication maintenance mode
Partial replication
Replication filter examples
SSL/TLS and advanced replication
Replica server with SSL/TLS enablement
Replicating server with SSL/TLS enablement
Displaying advanced replication configuration
Command line tasks for managing replication
Advanced replication related extended operations
Viewing replication configuration information
Monitoring and diagnosing advanced replication problems
Recovering from advanced replication errors
Advanced replication error recovery example
Alias
Impact of aliasing on search performance
Alias entry
Alias entry rules
Dereferencing an alias
Dereferencing during search
Dereference options
Dereferencing during finding the search base
Dereferencing during searching in subtree searches
Dereferencing during searching in one-level searches
Dereferencing and root DSE subtree search
Errors during dereferencing
Alias examples
Change logging
Configuring the GDBM backend
Configuring a DB2-based GDBM backend
Configuring a file-based GDBM backend
Additional required configuration
When changes are logged
RACF changes
TDBM, LDBM, CDBM, and schema changes
Change log schema
Change log entries
Searching the change log
Passwords in change log entries
Unloading and loading the change log
Trimming the change log
Change log information in the root DSE entry
Multi-server considerations
How to set up and use the LDAP server for logging changes
Referrals
Using the referral object class and the ref attribute
Creating referral entries
Associating servers with referrals
Pointing to other servers
Defining the default referral
Processing referrals
Using LDAP Version 2 referrals
Limitations with LDAP Version 2 referrals
Using LDAP Version 3 referrals
Bind considerations for referrals
Example: associating servers through referrals and basic replication
Client considerations
Root DSE
Root DSE search with base scope
Root DSE search with subtree scope (Null-based subtree search)
Monitor support
UTF-8 data over the LDAP Version 2 protocol
Attribute types stored and returned in lowercase
Abandon behavior
Performance tuning
Overview
General LDAP server performance considerations
Threads
Debug settings
Storage in the LDAP address space
LDAP server cache tuning
Operations monitor
Workload manager (WLM)
Configuring LDAP with WLM examples
Verifying the service class for the LDAP server
Password policy considerations
LDBM performance considerations
Storage in the LDAP address space for LDBM data
LDAP server initialization time with LDBM
Database commit processing
DASD space for LDBM data
Sample LDBM benchmark data
CDBM performance considerations
TDBM performance considerations
DB2 tuning
TDBM database tuning
Monitoring performance with cn=monitor
Monitor search examples
User groups considerations in large directories
Large static groups considerations
Dynamic groups memberURL filter indexing considerations
Warning regarding DB2 logging of large static group updates
LE heap pools considerations
Tuning LE heap and heap pools
Paged search considerations
Sorted search considerations
GDBM (Changelog) performance considerations
SDBM performance considerations
Initial LDAP server schema
SPUFI files
The DSTDBMDB SPUFI file
The TDBMMGRT SPUFI file
Supported server controls
authenticateOnly
Do Not Replicate
IBMLdapProxyControl
IBMModifyDNRealignDNAttributesControl
IBMModifyDNTimelimitControl
IBMSchemaReplaceByValueControl
manageDsaIT
No Replication Conflict Resolution
pagedResults
PasswordPolicy
PersistentSearch
Refresh Entry
replicateOperationalAttributes
Replication bind failure time stamp control
Replication Supplier ID Bind
Server Administration
SortKeyRequest
SortKeyResponse
Supported extended operations
Account status
Cascading control replication
changeLogAddEntry
Control replication
Control replication error log
Control replication queue
Effective password policy
GetDnForUserid
GetEffectiveACL
GetPrivileges
Quiesce or unquiesce context
Remote auditing
Remote authorization
RemoteCryptoCCA
RemoteCryptoPKCS#11
Replication topology
Start TLS
unloadRequest
User type
SMF records
SMF Record Type 83, subtype 3 records
RACF SMF unload utility output
Activity log records
Activity log start and end field descriptions
Activity log mergedRecord field descriptions
Guidelines for interoperability between non-z/OS TDS and z/OS TDS
Schema considerations
Import or export of directory entries
Functional considerations
Administrative group and roles considerations
Searching operational attributes