HCD LDAP backend: Structure and mode of operation (z/OS HCD User's Guide SC34-2669-00)

The HCD LDAP backend is plugged into the IBM Tivoli Directory Server for z/OS. It is configured using the IBM Tivoli Directory Server for z/OS configuration file (typically called ds.conf). The HCD LDAP backend is similar to the RACF backend SDBM. As with SDBM, the main function of the HCD LDAP backend is to mediate between the IBM Tivoli Directory Server for z/OS and an external component, in this case HCD.

HCD retains control over the IODFs; update requests are validated, processed, and the results stored by HCD in the appropriate IODF. Since it is HCD that processes the requests, updates through the IBM Tivoli Directory Server for z/OS preserve the integrity of the IODFs. Thus, the HCD portion of the DIT must reflect the data structure of HCD exactly. For this reason, rather strict rules (as compared to the DB2 backend TDBM) have to be observed when requesting an update of IODF data through the IBM Tivoli Directory Server for z/OS.

Access control to the HCD LDAP backend is based on RACF permissions for user IDs, not (as is the usual practice) on LDAP Access Control Lists (ACLs). The HCD LDAP backend performs all services on behalf of a user ID. It accepts a service request only on condition that the associated user ID has previously been bound to (authenticated by) SDBM. If this condition is fulfilled, the HCD LDAP backend switches to this user ID and tries to perform the request using only the RACF access rights granted to the user ID in question. In this way, access to IODFs through the LDAP interface and through the ISPF interface is controlled by the same security mechanism. Note that this has some consequences for the configuration of the IBM Tivoli Directory Server for z/OS.

The HCD LDAP backend uses several instances of HCD to perform operations on IODFs. Each of these instances serves exactly one request at a time on behalf of a user ID. This strategy provides an easy method of handling the validation of modified configuration data and the serialization of client requests. The HCD instances are managed according to the following principles:
A special feature of the HCD LDAP backend is that it supports transactions. A transaction is a sequence of requests which is only executed as a whole. If one of the individual requests fails, the whole transaction is not carried out. This provides additional protection against inconsistency of data. Note, however, that transactions are only supported in conjunction with LDAP V3, not with LDAP V2.
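The bind precondition and RACF-based user switching described above, together with the all-or-nothing transaction behaviour, as an added Python model that is not IBM's code and not part of the original page; the user IDs, IODF names and the RACF_UPDATE_ACCESS table are constructed for illustration.

```python
import copy
from dataclasses import dataclass, field

# Constructed stand-in for RACF profiles: user ID -> IODFs it may update.
RACF_UPDATE_ACCESS = {
    "HCDADM": {"SYS1.IODF01", "SYS1.IODF02"},
    "OPER1": {"SYS1.IODF02"},
}


@dataclass
class Request:
    user: str      # user ID the LDAP client bound as
    iodf: str      # IODF the update targets
    change: tuple  # (key, value) to store; constructed sample content


@dataclass
class HcdLdapBackend:
    bound_users: set = field(default_factory=set)  # user IDs authenticated by SDBM
    iodfs: dict = field(default_factory=dict)      # IODF name -> stored entries
    ldap_version: int = 3

    def bind_via_sdbm(self, user):
        self.bound_users.add(user)

    def update(self, req):
        # Gate 1: the request is accepted only if the user ID was bound via SDBM.
        if req.user not in self.bound_users:
            raise PermissionError(f"{req.user} is not bound via SDBM")
        # Gate 2: after switching to that user ID, only its RACF rights apply.
        if req.iodf not in RACF_UPDATE_ACCESS.get(req.user, set()):
            raise PermissionError(f"{req.user} lacks RACF update access to {req.iodf}")
        self.iodfs.setdefault(req.iodf, {})[req.change[0]] = req.change[1]
        return True

    def transaction(self, requests):
        if self.ldap_version < 3:
            raise ValueError("transactions require LDAP V3")
        snapshot = copy.deepcopy(self.iodfs)
        try:
            for req in requests:
                self.update(req)
        except Exception:
            self.iodfs = snapshot  # one failure: the whole transaction is not carried out
            raise
        return len(requests)


def attempt(fn, *args):
    """Return (True, result) or (False, reason) so outcomes can be inspected."""
    try:
        return True, fn(*args)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)
```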
Copyright IBM Corporation 1990, 2014