Configuring the z/OS LDAP server

When Db2 receives an authenticated user registry name, it invokes the SAF user mapping plug-in service. This service uses the EIM domain, which is an LDAP server, to retrieve the z/OS® user ID that is used as the primary authorization ID.

About this task

You can use the LDAP configuration (ldapcnf) utility to configure and set up a z/OS LDAP server. The LDAP configuration utility requires the ldap.profile input file that is shipped in the /usr/lpp/ldap/etc directory. The ldap.profile file contains the settings that you need to set up the LDAP server.

Procedure

To configure a z/OS LDAP server:

  1. Copy and modify the ldap.profile file based on your own environment.
  2. Issue the following command to run the LDAP configuration utility with the ldap.profile file that you modified:
    ldapcnf -i ldap.profile

    The LDAP configuration utility generates the following output files:

    • SLAPDCNF member as the LDAP server configuration file
    • SLAPDENV member as the LDAP server environment variable file
    • PROG member for APF authorization
    • GLDSRV procedure for starting the LDAP server
    • DSNAOINI configuration file for Db2 CLI
    • TDBSPUFI Db2 SQL DDL statements for creating the TDBM environment
    • DBCLI Db2 SQL BIND statements for binding the CLI/ODBC packages and plan
    • RACF® member for creating the RACF profiles that protect the LDAP server service task and grant permissions for the user ID to run the LDAP server

    These output files are stored in the OUTPUT_DATASET_NAME that you specified in the ldap.profile file.

  3. Submit the following output JCL files after Db2 is started:
    • DBCLI member file
    • RACF member file
  4. Submit the TDBSPUFI member file by using the Db2 SPUFI interactive tool.
  5. Start the LDAP server from SDSF or the operator's console.

    The name of the LDAP server procedure file is the same as the user ID that is specified on the LDAPUSRID statement. The pre-assigned value is GLDSRV.

    To start the LDAP server from SDSF, enter:

    /s GLDSRV

    To start the LDAP server from the operator's console, enter:

    s GLDSRV
  6. Copy the schema.user.ldif file from the /usr/lpp/ldap/etc directory to a local directory.
  7. Use the following ldapmodify utility to modify the schema entry for the TDBM backend:
    ldapmodify -h ldaphost -p ldapport -D binddn -w passwd -f file

    The following example shows how to use the ldapmodify utility:

    ldapmodify -h v25ec099.svl.ibm.com -p 3389
    -D "cn=LDAP Administrator"
    -w secret -f schema.user.ldif

    At the top of the schema.user.ldif file, find the following line, and supply the appropriate TDBM suffix in that line:

    dn: cn=schema, <suffix>

    The suffix is the same value that is used in the TDBM_SUFFIX statement in the ldap.profile file, as in the following example:

    dn: cn=schema, o=IBM, c=US
  8. Use the ldapadd utility to load the suffix entry and to create a user ID that is used by the SAF user mapping plug-in for binding with the LDAP server. You can use the following ldapadd utility statement:
    ldapadd -h ldaphost -p ldapport -D binddn -w passwd -f file

    The following is an example of using the ldapadd utility:

    ldapadd -h v25ec099.svl.ibm.com -p 3389
    -D "cn=LDAP Administrator"
    -w secret -f setup.ldap.ldif
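Steps 7 and 8 only succeed when the dn in schema.user.ldif carries exactly the suffix configured by the TDBM_SUFFIX statement; a mismatch typically makes ldapmodify fail because the schema entry cannot be found. The following shell script is an added example, not part of the IBM documentation or the ldapcnf utility: it reads the suffix from a copy of ldap.profile, rewrites the placeholder line in a copy of schema.user.ldif, and refuses to write an output file when either value is missing. It assumes ldap.profile uses NAME = value lines with an optionally quoted value; the profile excerpt and LDIF it creates are constructed samples.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumption: ldap.profile holds lines such as
#   TDBM_SUFFIX = "o=IBM, c=US"
# with the value optionally double-quoted.

# Print the TDBM_SUFFIX value from the profile in $1, quotes and trailing
# blanks stripped; prints nothing when the statement is absent.
tdbm_suffix() {
    sed -n 's/^[[:space:]]*TDBM_SUFFIX[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Rewrite "dn: cn=schema, <suffix>" in the LDIF copy $2 with the suffix from
# profile $1, writing the result to $3. Returns 1 (and writes nothing) when
# the profile has no TDBM_SUFFIX or the LDIF has no placeholder line, so a
# half-prepared file is never handed to ldapmodify.
prepare_schema_ldif() {
    suffix=$(tdbm_suffix "$1")
    [ -n "$suffix" ] || { echo "TDBM_SUFFIX missing in $1" >&2; return 1; }
    grep -q '^dn: cn=schema, <suffix>' "$2" || {
        echo "no 'dn: cn=schema, <suffix>' line in $2" >&2; return 1; }
    sed "s|^dn: cn=schema, <suffix>|dn: cn=schema, $suffix|" "$2" > "$3"
}

# Constructed sample inputs so the script runs offline.
workdir=$(mktemp -d)
cat > "$workdir/ldap.profile" <<'EOF'
# constructed excerpt of ldap.profile
LDAPUSRID = GLDSRV
TDBM_SUFFIX = "o=IBM, c=US"
EOF
cat > "$workdir/schema.user.ldif" <<'EOF'
dn: cn=schema, <suffix>
changetype: modify
add: attributetypes
attributetypes: ( sampleAttr-oid NAME 'sampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF

prepare_schema_ldif "$workdir/ldap.profile" "$workdir/schema.user.ldif" \
    "$workdir/schema.ready.ldif" && head -n 1 "$workdir/schema.ready.ldif"
# Expected first line: dn: cn=schema, o=IBM, c=US
# For step 7 the prepared file is then passed to ldapmodify with -f, e.g.
#   ldapmodify -h ldaphost -p ldapport -D binddn -w passwd \
#       -f "$workdir/schema.ready.ldif"
```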