Configuration file options

The following list is an alphabetic listing of the configuration file options. For each option, a table shows an X in the areas (Global, TDBM, LDBM, SDBM, GDBM, CDBM, and EXOP) of the configuration file where the option can be used.

Some GDBM options can only be specified when GDBM is configured to be Db2®-based and others can only be used when GDBM is file-based. See Configuration file checklist for a list of which options can be configured for each type of GDBM configuration.

aclSourceCacheSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies the maximum number of entries to store in the ACL Source cache. This cache holds information about ACL definitions within the database. Retrieval of information from this cache avoids database read operations when access permissions are being resolved.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 100

adminDN dn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

The distinguished name (DN) of the root administrator for this LDAP server. Typically, this DN has unrestricted access to all entries in the directory except for entries in backends that are read-only replicas. When the LDAP server is in maintenance mode, the LDAP root administrator has unrestricted access to all entries in the directory. Select a name that is descriptive of the person who knows and administers the LDAP server. The name must be in the DN format that is described in Data model. You might want the DN to have the same suffix as one of the suffix option values in the configuration file.

Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up this root administrator DN. Additional root administrators can be defined by using the administrative group and assigning the root administrator role. For more information, see Administrative group and roles.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

adminPW string
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

The password of the root administrator (adminDN) for this server.

Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your administrator password.

Use of the adminPW configuration option is discouraged in production environments. Instead, specify the adminDN as the distinguished name of an existing entry in the directory information tree. This eliminates passwords from the configuration file.

allowAnonymousBinds {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies whether an LDAP client can perform unauthenticated operations on the LDAP server. If off, clients must explicitly bind to the server with a distinguished name. If on, a client might access the server without binding with a distinguished name and has access to data as a member of the cn=anybody group. For more information about access control of directory data, see Using access control.

Default = on

altServer ldap_URL
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies an equivalent server to this LDAP server. It might not be a replica, but contains the same naming contexts. There is no required format for the value. However, LDAP URL format is most commonly used and supported by LDAP clients. See listen ldap_URL for a description of LDAP URL format. The option might be specified multiple times to define more than one alternative server. The alternative servers are placed in the altServer attribute in the root DSE. Those alternative servers can be queried by LDAP clients to determine other servers that might be contacted in case this server is not available later.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP URL:
altServer ldap://myldap.server.com:3389
In the following example, 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IPv6 address and 389 is the port number of the LDAP URL:
altServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389

armName name
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies the name that the LDAP server uses when it is registering with the Automatic Restart Management (ARM) service. The name is 1-7 characters and can consist of letters, numbers, and the special characters $ # @ _. Lowercase letters are converted to uppercase. The first character can be a number. The system name is appended to form the element name. The armName configuration option must be specified if there are multiple instances of the LDAP server on the same system and ARM processing is enabled. For more information about the automatic restart manager, see Using automatic restart management in z/OS MVS Setting Up a Sysplex.

For example, for system DCESEC4, specifying:
armName LDAP1
results in the element name LDAP1_DCESEC4.

The LDAP server registers with ARM using the element name formed from the armName configuration option, an element type of SYSLDAP, an element bind of CURJOB, and a termination type of ELEMTERM. For more information about these parameters and how to override them using the current ARM policy, see IXCARM — Request Automatic Restart Management Services in z/OS MVS Programming: Sysplex Services Reference.

Default = GLDSRVR

attrOverflowCount count
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    X    -    -    X    -

For TDBM, specifies the number of attribute values that are required to store the attribute values in a long attribute value table. The choice of this value allows large multi-valued attributes such as group membership lists to be stored in a separate table with its own index.

For LDBM and CDBM, specifies the number of attribute values that are required to store the attribute values in an internal indexed table, providing quicker access to the values of large multi-valued attributes such as group membership lists.

The value must be either 0 or in the range 64 to 2147483647. A value of 0 disables attribute overflow that is based on the attribute value count.

Default = 512

attrOverflowSize num-of-bytes
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies, in bytes, the minimum size of an attribute value that is required to store the value in a long attribute value table. The choice of this value allows large attribute values (such as JPEG and GIF files) to be stored in a separate Db2 table in a separate Db2 table space. The maximum size of this value is 2147483647. A value of 0 disables attribute overflow that is based on attribute size.

Default = 255

audit {on | off | all,operations | error,operations | none,operations}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Turns LDAP auditing on or off and specifies which operations are to be audited and the associated audit level. When auditing is on, an LDAP SMF type 83 subtype 3 audit record is generated for an operation if the operation is specified on an audit option and the operation result matches the audit level.

This option can be specified multiple times, once to turn auditing on or off and once or more times for each audit level to specify the operations to audit for that level. Multiple operations can be specified for a level by either putting a + between them on the audit option or by specifying multiple audit options with the same level.

Operations can be audited all the time or only when they fail. The following audit levels are supported:
all
An LDAP audit record is generated for the specified operations.
error
An LDAP audit record is generated for the specified operations when they fail.
none
An LDAP audit record is not generated for the specified operations.

The supported values for operations can be one or more of: add, bind, compare, connect, delete, disconnect, exop, modify, modifydn, search, unbind.

If an operation is specified in more than one level, the last level is used for the operation. If an operation is not specified in any level, the level defaults to none for that operation.

The LDAP server AUDIT operator modify command can be used to change the audit settings and to turn audit on or off while the LDAP server is running. For more information, see LDAP server operator commands.

Default = off

For example, the following audit options turn on auditing for modify, search, and bind failures and for all add operations. The other operations are not audited.
audit error,modify+search+bind
audit all,add
audit on
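The resolution rules stated above (several audit options, operations joined with +, the last level named for an operation wins, operations not named default to none, and no record is written unless audit on is in effect) can be worked through in code. The following Python is an added example and is not part of the IBM documentation; the configuration text it reads is constructed and extends the example above with a later option that moves bind from error to all.

```python
"""Resolve the effective audit settings from the audit options of an LDAP
server configuration file (added example; the rules follow the option
description, the sample configuration is constructed)."""

OPERATIONS = ("add", "bind", "compare", "connect", "delete", "disconnect",
              "exop", "modify", "modifydn", "search", "unbind")
LEVELS = ("all", "error", "none")


def effective_audit_settings(config_text):
    """Return (auditing_on, {operation: level}) for the audit options found.

    Blank lines, comments and other options are skipped. A value the option
    description does not allow raises ValueError.
    """
    auditing_on = False                              # documented default is off
    levels = dict((op, "none") for op in OPERATIONS)  # unnamed operations default to none
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != "audit" or len(parts) < 2:
            continue
        value = parts[1].strip().lower()
        if value in ("on", "off"):                   # the on/off form of the option
            auditing_on = (value == "on")
            continue
        level, sep, ops = value.partition(",")       # the level,operations form
        if not sep or level not in LEVELS:
            raise ValueError("unsupported audit value: %s" % value)
        for op in ops.split("+"):
            op = op.strip()
            if op not in OPERATIONS:
                raise ValueError("unsupported audit operation: %s" % op)
            levels[op] = level                       # a later option overrides an earlier one
    return auditing_on, levels


def audited_operations(config_text):
    """Operations that can produce an SMF type 83 subtype 3 record: those at
    level all or error, and only while auditing is on."""
    auditing_on, levels = effective_audit_settings(config_text)
    if not auditing_on:
        return []
    return sorted(op for op, level in levels.items() if level != "none")


# Constructed sample: the example from the text plus one more option for bind.
SAMPLE_CONFIG = """\
# global section (constructed sample)
audit error,modify+search+bind
audit all,add
audit all,bind
audit on
"""

if __name__ == "__main__":
    on, per_op = effective_audit_settings(SAMPLE_CONFIG)
    print("auditing on:", on)
    for op in OPERATIONS:
        print("%-10s %s" % (op, per_op[op]))
```

With the sample, modify and search are audited on failure only, add and bind on every call, and the remaining operations not at all; removing the audit on line leaves the per-operation levels unchanged but produces no records.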

blockedConnectionTimeout num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies the amount of time, in seconds, that the LDAP server waits for a blocked send operation to complete on a client connection. When a send operation times out, the client connection is dropped. This option prevents server commThreads from being tied up by client applications that fail and stop receiving responses. If too many, or all, threads are blocked indefinitely, a denial of service condition occurs.

The blocked connection is detected when an EWOULDBLOCK condition is returned (or GSK_WOULD_BLOCK condition for SSL connections). This might not occur until some time after an errant client stops receiving data and the TCP buffers fill. Therefore, it is possible for a blocked connection to remain active slightly longer than the blockedConnectionTimeout value.

The value must be between 0 and 2678400 (equal to 31 days). A value of 0 indicates that a blocked connection remains active indefinitely.

Default = 0 (indefinitely)

changeLogging {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    -    -    X    -    -

Turns change logging on or off.

When change logging is on, all change logging operations are allowed. When change logging is off, change log entries can be searched, modified, and deleted, but no new change log entries can be created. Also, no automatic trimming of the change log is performed.

Default = on

changeLoggingParticipant {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    X    -    X    X    -

Allows or disallows change logging for changes that are made to entries in this backend. If it is specified in GDBM, changeLoggingParticipant controls the logging of modifications to the LDAP server schema entry.

This option does not turn on or off change logging. That is done by the changeLogging option.

Default = on

changeLogMaxAge nnn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    -    -    X    -    -

Specifies the maximum age in seconds of an entry in the change log. Change log entries are deleted when they have been in the change log longer than this value, except if changeLogging off is specified. Changes to changeLogMaxAge apply only to entries that were written after the change was made. For example, if you are using the default where records are not deleted and then update to 60 seconds, only new records are deleted after 60 seconds. Existing entries are not deleted after 60 seconds.

The value must be between 0 and 2147483647. A value of 0 indicates that there is no maximum.

Default = 0

changeLogMaxEntries nnn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    -    -    X    -    -

Specifies the maximum number of entries that the change log can contain. If the number of change log entries exceeds this value and changeLogging off is not specified, change log entries with the lowest change numbers are deleted. If the change log is Db2-based, change log entries are deleted until the number of remaining entries is 95% of the maximum. If the change log is file-based, change log entries are deleted until the number of remaining entries is the maximum. The value must be between 0 and 2147483647. A value of 0 indicates that there is no maximum.

Default = 0

commitCheckpointEntries nnn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    X    -    X    X    -

Specifies the maximum number of entries in the checkpoint file. An entry is added to the LDBM, CDBM, or file-based GDBM checkpoint file each time a directory entry is added, changed, deleted, or renamed. When the maximum number is reached, the entries in the checkpoint file are merged into the database file and the entries are removed from the checkpoint file. The value must be between 0 and 2147483647. A value of 0 indicates that there is no maximum.

Default = 10000

commitCheckpointTOD hh:mm
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    X    -    X    X    -

Specifies a time of day at which the checkpoint file is merged into the database file. An entry is added to the LDBM, CDBM, or file-based GDBM checkpoint file each time a directory entry is added, changed, deleted, or renamed. Every day at the specified time, the entries in the checkpoint file are merged into the database file and the entries are removed from the checkpoint file. The value must be between 00:00 and 23:59. Specify a value outside this range to disable time of day checkpoint processing.

Default = 00:00

commThreads num-threads
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies the number of threads to be initialized for the communication thread pool. This thread pool handles the connections between the LDAP server and its clients. You might want to set commThreads to approximately two times the number of processors that are running in your LPAR. This is only a general rule; the best value depends on the activity that your LDAP server experiences.

Default = 10

The commThreads option deprecates the maxThreads and waitingThreads options, which are no longer evaluated by the LDAP server.

database dbtype dblibpath [name]
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    X    X    X    X    X

Marks the beginning of a new database section. All global options must appear before the first database section. All options after the database option pertain to this backend until another database option is encountered.

  • For dbtype:
    • Specify tdbm (Db2-based), ldbm (file-based), sdbm (RACF®-based), gdbm (Db2-based or file-based), cdbm (file-based), or exop (extended operations).
      Notes:
      1. The server compatibility level must be at least 5 when the CDBM backend is configured. See serverCompatLevel {3 | 4 | 5 | 6 | 7| 8} for more information about the serverCompatLevel configuration option.
      2. The EXOP backend is deprecated.
  • For dblibpath:
• This is the file name of the shared library (DLL) containing the backend database code. Unless you have changed the names of the LDAP DLLs, specify GLDBTD31/GLDBTD64 when dbtype is tdbm, GLDBLD31/GLDBLD64 when dbtype is ldbm, GLDBSD31/GLDBSD64 when dbtype is sdbm, GLDBGD31/GLDBGD64 when dbtype is gdbm, GLDBCD31/GLDBCD64 when dbtype is cdbm, and GLDXPD31/GLDXPD64 when dbtype is exop.
      Notes:
      1. Both DLL names must be specified for dblibpath as previously shown. For example, to use the SDBM backend, specify the following in the LDAP server configuration file:
        database sdbm GLDBSD31/GLDBSD64
      2. In the job log, the LDAP server writes the DLL name that is loaded by the LDAP server. For example, if the LDAP server is run in 31-bit mode with the SDBM backend enabled, the following is written to the job log:
        database sdbm GLDBSD31 SDBM-0003

        If the LDAP server is run in 64-bit mode with the SDBM backend enabled, the following is written to the job log:

        database sdbm GLDBSD64 SDBM-0003
  • For name:
    • This value is a name that is used to identify this backend. You cannot specify schema, rootDSE or Monitor as the name. A name is generated if no name is specified for a backend. However, a name must be specified if the multiserver on option is specified for this backend and the name must not be longer than 8 characters. In addition, when multi-server mode is active, the same name must be specified for each instance of the backend within the cross-system group.

databaseDirectory name
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    X    -    X    X    -

Specifies the name of the directory containing the data files that are used by the backend to store directory data. A fully qualified directory path must be specified. A unique directory must be specified for each backend. In addition, when multi-server mode is active, the same directory path must be specified for each instance of the backend within the cross-system group.

LDBM default = /var/ldap/ldbm

GDBM default = /var/ldap/gdbm

CDBM default = /var/ldap/schema if schemaPath not specified, else schemaPath option setting

dbuserid userid
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies a Db2 user ID that is the owner of the Db2 tables. When specified in a GDBM backend section, this option indicates that the GDBM backend is Db2-based and not file-based.

Note: The dbuserid value must be unique within the configuration file. Multiple backends on an LDAP server cannot share a database.
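The structural rule of the database option (global options before the first database option, every later option belonging to the most recent backend) is what a configuration checker has to implement before it can reason about any backend-level setting. The following Python is an added example and not part of the IBM documentation: it splits a configuration into sections and then flags a few settings whose rules are stated on this page, namely adminPW kept in the file, the allowAnonymousBinds default, a zero blockedConnectionTimeout, the armName character rules, a backend name longer than 8 characters with multiserver on, and a dbuserid shared by more than one backend. The two sample configurations and their values are constructed; the DLL names are the ones given in the database option description.

```python
"""Lint for security-relevant settings in an LDAP server configuration file.
Added example; the checks follow the option descriptions on this page and
the sample configurations below are constructed."""
import re

# armName: 1-7 characters from letters, digits and $ # @ _ (lowercase is upper-cased)
ARMNAME_RE = re.compile(r"^[A-Za-z0-9$#@_]{1,7}$")


def parse_sections(config_text):
    """Return [(section_name, [(option, value), ...]), ...]; the first entry is
    the global section and each 'database dbtype dblibpath [name]' line opens
    a new one. A backend with no explicit name gets an '(unnamed ...)' placeholder."""
    sections = [("global", [])]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        option, _, value = line.partition(" ")
        value = value.strip()
        if option.lower() == "database":
            fields = value.split()
            if len(fields) > 2:
                name = fields[2]
            else:
                dbtype = fields[0].lower() if fields else "unknown"
                name = "(unnamed %s #%d)" % (dbtype, len(sections))
            sections.append((name, [(option, value)]))
        else:
            sections[-1][1].append((option, value))    # belongs to the current section
    return sections


def lint(config_text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(config_text)
    global_opts = dict((o.lower(), v) for o, v in sections[0][1])

    if "adminpw" in global_opts:
        findings.append("adminPW: root administrator password is stored in the "
                        "configuration file; make adminDN an existing directory entry instead")
    if global_opts.get("allowanonymousbinds", "on").lower() == "on":
        findings.append("allowAnonymousBinds: on (the default); unauthenticated "
                        "clients get cn=anybody access")
    if global_opts.get("blockedconnectiontimeout", "0") == "0":
        findings.append("blockedConnectionTimeout: 0 (the default); a blocked client "
                        "connection can hold a commThread indefinitely")
    arm = global_opts.get("armname")
    if arm is not None and not ARMNAME_RE.match(arm):
        findings.append("armName: %s is not 1-7 characters from letters, digits, $ # @ _" % arm)

    owners = {}                                        # dbuserid -> backends that use it
    for name, opts in sections[1:]:
        backend_opts = dict((o.lower(), v) for o, v in opts)
        if backend_opts.get("multiserver", "off").lower() == "on":
            if name.startswith("(unnamed"):
                findings.append("database %s: multiserver on requires an explicit name" % name)
            elif len(name) > 8:
                findings.append("database %s: name longer than 8 characters with multiserver on" % name)
        uid = backend_opts.get("dbuserid")
        if uid is not None:
            owners.setdefault(uid.upper(), []).append(name)
    for uid, names in owners.items():
        if len(names) > 1:
            findings.append("dbuserid %s: shared by backends %s" % (uid, ", ".join(names)))
    return sorted(findings)


# Constructed sample that carries several of the weak settings discussed on this page.
WEAK_CONFIG = """\
adminDN "cn=Admin"
adminPW secret
armName LDAP1
database tdbm GLDBTD31/GLDBTD64 DIRECTORY1
dbuserid LDAPSRV
multiserver on
database gdbm GLDBGD31/GLDBGD64
dbuserid LDAPSRV
"""

# The same layout with every finding addressed (also constructed).
HARDENED_CONFIG = """\
adminDN "cn=LDAP Administrator,o=Example"
allowAnonymousBinds off
blockedConnectionTimeout 300
armName LDAP1
database tdbm GLDBTD31/GLDBTD64 DIR1
dbuserid LDAPSRV1
multiserver on
database gdbm GLDBGD31/GLDBGD64
dbuserid LDAPSRV2
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", lint(text) or ["no findings"])
```

Run against WEAK_CONFIG the lint reports five findings and against HARDENED_CONFIG none; the section split is the part worth reusing, since any further backend-level rule (for example the dsnaoini value having to match across all TDBM and Db2-based GDBM backends) is a loop over sections[1:] in the same shape as the dbuserid check.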

db2CheckHealth {on|off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

The db2CheckHealth option controls whether the TDS-Db2 health check is enabled for the current backend.

Default = off

The following options are related to the db2CheckHealth configuration option:

Table 1. Options for db2CheckHealth

Configuration option   | Parameter | Utility  | Space          | Default | Description
db2ExtentLimit         | integer   | REORG    | Index or Table | 254 | Specifies the number of physical extents.
db2RRIAppendInsertPct  | double    | REORG    | Index          | 20 | Specifies the ratio of the number of index entries that were inserted with a key value greater than the maximum key value in the index space or partition, to the total number of index entries.
db2RRIDeletesAbs       | integer   | REORG    | Index          | 0 | Specifies the sum of the number of index entries deleted.
db2RRIDeletesPct       | double    | REORG    | Index          | 30 | Specifies the ratio of the sum of the number of index entries that were deleted, to the total number of index entries.
db2RRIInsertsAbs       | integer   | REORG    | Index          | 0 | Specifies the sum of the number of index entries that were inserted.
db2RRIInsertsPct       | double    | REORG    | Index          | 30 | Specifies the ratio of the total number of index entries that were inserted, to the total number of index entries.
db2RRILeafLimit        | double    | REORG    | Index          | 10 | Specifies the ratio of the number of index page splits, in which the higher part of the split page was far from the location of the original page, to the total number of active pages.
db2RRIMassDelLimit     | integer   | REORG    | Index          | 0 | Specifies the sum of the number of mass deletes of index entries.
db2RRINumLevelsLimit   | integer   | REORG    | Index          | 0 | Specifies the number of levels in the index tree that were added or deleted.
db2RRIPseudoDeletePct  | double    | REORG    | Index          | 5 (Data sharing) or 10 (Non-data sharing) | Specifies the ratio of the number of index entries that were pseudo-deleted, to the total number of index entries.
db2RRTDataSpaceRat     | double    | REORG    | Table          | -1 | Specifies the ratio of the space allocated, to the actual space used.
db2RRTDeleteAbs        | integer   | REORG    | Table          | 0 | Specifies the total number of delete operations.
db2RRTDeletesPct       | double    | REORG    | Table          | 25 | Specifies the ratio of the total number of delete operations, to the total number of rows.
db2RRTDisorgLOBPct     | double    | REORG    | Table          | 50 | Specifies the ratio of the number of imperfectly chunked LOBs, to the total number of rows.
db2RRTIndRefLimit      | double    | REORG    | Table          | 5 (Data sharing) or 10 (Non-data sharing) | Specifies the ratio of the total number of overflow records that were created, to the total number of rows.
db2RRTInsertsAbs       | integer   | REORG    | Table          | 0 | Specifies the total number of insert operations.
db2RRTInsertsPct       | double    | REORG    | Table          | 25 | Specifies the ratio of the total number of insert operations, to the total number of rows.
db2RRTMassDelLimit     | integer   | REORG    | Table          | 0 | Specifies the sum of the number of mass deletes.
db2RRTUnclustInsPct    | double    | REORG    | Table          | 10 | Specifies the ratio of the total number of unclustered insert operations, to the total number of rows.
db2SRIInsDelAbs        | integer   | RUNSTATS | Index          | 0 | Specifies the total number of inserted and deleted index entries.
db2SRIDelPct           | double    | RUNSTATS | Index          | 20 | Specifies the ratio of the total number of inserted and deleted index entries, to the total number of index entries.
db2SRIMassDelLimit     | integer   | RUNSTATS | Index          | 0 | Specifies the sum of the number of mass deletes.
db2SRTInsDelUpdAbs     | integer   | RUNSTATS | Table          | 0 | Specifies the number of insert, update, and delete operations.
db2SRTInsDelUpdPct     | double    | RUNSTATS | Table          | 20 | Specifies the ratio of the total number of insert, update, or delete operations, to the total number of rows.
db2SRTMassDelLimit     | integer   | RUNSTATS | Table          | 0 | Specifies the sum of the number of mass deletes.

For more information, see Db2 for z/OS® Managing Performance.

db2StartUpRetryInterval num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies the number of seconds the LDAP server waits before each Db2 connection retry attempt as a consequence of the initial Db2 connection failure.

During LDAP initialization, an initial attempt at establishing a Db2 connection is made if at least one Db2-based backend is defined. If the connection attempt is unsuccessful and the LDAP server is set up to wait for Db2, the LDAP server retries the connection for a specified number of times, waiting for db2StartUpRetryInterval seconds before each retry attempt. While waiting for a connection to Db2, the LDAP server does not receive requests. The value must be between 1 and 999.

Notes:
  1. This option is ignored if no Db2-based backend (TDBM and Db2-based GDBM) is defined or if the db2StartUpRetryLimit configuration option has a zero value or is not specified.
  2. When the server is started as a transition server (started in transition mode), this configuration option is ignored and the server ends if Db2 termination is detected before transition completes. Once transition completes, the setting in the configuration file takes effect. See Updating LDAP configurations settings in a sysplex without server outage.

Default = 45

db2StartUpRetryLimit num-retries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies a limit of the number of Db2 connection retries the LDAP server attempts as a result of the initial Db2 connection failure.

During LDAP initialization, an initial attempt at establishing a Db2 connection is made if at least one Db2-based backend is defined. If the connection attempt is unsuccessful and db2StartUpRetryLimit has a nonzero value, the LDAP server retries the connection for the specified db2StartUpRetryLimit times, waiting for the specified db2StartUpRetryInterval number of seconds before each retry attempt. When the number of retry attempts equals db2StartUpRetryLimit and a connection to Db2 still cannot be established, all backends that require Db2 fail to configure. While waiting for a connection to Db2, the LDAP server does not receive requests. The value must be between 0 and 99. A value of 0 indicates that no Db2 connection retries are to be attempted.

Notes:
  1. This option is ignored if no Db2-based backend (TDBM and Db2-based GDBM) is defined.
  2. When the server is started as a transition server (started in transition mode), this configuration option is ignored and set to 0 until the transition completes. Once transition completes, the setting in the configuration file takes effect. For more information about the transition server, see Updating LDAP configurations settings in a sysplex without server outage.

Default = 0

db2Terminate {terminate | recover | restore}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies how the LDAP server reacts to a termination of Db2 after the server successfully starts.

If set to terminate, the LDAP server shuts down.

If set to recover, the LDAP server disconnects from Db2 but remains running in order to allow access to non-Db2 backends (for example, SDBM, LDBM, CDBM, and file-based GDBM). When Db2 is once again active, the LDAP server reconnects to Db2. No access is allowed to Db2-based backends (TDBM and Db2-based GDBM) while Db2 is down. Client requests to those backends are rejected with the LDAP_UNAVAILABLE return code and a reason code message that includes "Db2 Unavailable".

If set to restore, the LDAP server behaves the same as for recover; the restore value is deprecated.

Notes:
  1. This option is ignored and no Db2 monitoring is done if no Db2-based backend (TDBM and Db2-based GDBM) is configured.

    If a sysplex distributor is used, this configuration option is set to terminate. This allows client requests to be routed to other LDAP servers in the sysplex that can connect to their databases.

  2. When the server is started as a transition server (started in transition mode), this configuration option is ignored and the server ends if Db2 termination is detected before transition completes. Once transition completes, the setting in the configuration file takes effect. See Updating LDAP configurations settings in a sysplex without server outage.

Default = recover

digestRealm hostname
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies a realm name to be used when doing DIGEST-MD5 or CRAM-MD5 SASL authentication binds to the LDAP server. The digestRealm option is used to help calculate a hash for DIGEST-MD5 and CRAM-MD5 authentication binds. Make sure that the hostname is a DNS-host name and not an IP address.

Default = fully qualified host name of the LDAP server if a DNS (domain name server) is active on the system. Otherwise, the default is the name of the host processor.

dnCacheSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     -    -    -    -    -    -

Specifies the maximum number of entries to store in the Distinguished Name normalization cache. This cache holds information that is related to the mapping of Distinguished Names between their raw form and their canonical form. Retrieval of information from this cache reduces processing required to locate entries in the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 1000

dnToEidCacheSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies the maximum number of entries to store in the Distinguished Name to Entry Identifier mapping cache. This cache holds information that is related to the mapping of Distinguished Names in their canonical form and their Entry Identifier within the database. Retrieval of information from this cache avoids database read operations when locating entries within the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 1000

dsnaoini dsname
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies the name of the CLI Initialization file or sequential data set (or PDS member) you created in step 4 in Getting Db2 installed and set up for CLI and ODBC. This must be either a fully qualified data set name, a DD name, or a path name. A data set name is not enclosed in quotation marks or prefixed with //, a DD name starts with //:, and a path name starts with / or ./.

There are three ways to specify the CLI initialization file and the search order is as follows:
  1. The DSNAOINI DD statement in the JCL for the LDAP server started task
  2. The DSNAOINI environment variable
  3. The dsnaoini configuration option. If the dsnaoini configuration option is specified for a backend, the option must also be specified, with the same value, for all the TDBM and Db2-based GDBM backends in the configuration file.

Running the LDAP server using data sets gives more information about this process. For information about specifying the CLI initialization file, see Db2 for z/OS in IBM Documentation. In order for the TDBM or GDBM backend to run, the initialization file must be specified in one of the indicated ways.

enableResources {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    -    X    -    -    -

Specifies whether the SDBM backend supports operations on RACF resources and classes. If on, SDBM accepts operations for the setropts, class, and resource profile entries. LDAP also accepts requests for creating a change log entry for a change to a RACF resource profile. If off, an SDBM search from the suffix does not return these entries and operations (including a change log request) involving these entries are rejected.

Default = off

entryCacheSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies the maximum number of entries to store in the Entry cache. This cache holds information that is contained within individual entries in the database. Retrieval of information from this cache avoids database read operations when processing entries within the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 5000

entryOwnerCacheSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies the maximum number of entries to store in the entry owner cache. This cache holds information about ACL definitions within the database. Retrieval of information from this cache avoids database read operations when resolving access permissions.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 100

extendedGroupSearching {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    X    -    -    X    -

Specifies whether a backend participates in extended group membership searching on a client bind request. If this option is on, group memberships are gathered from this backend during LDAP directory bind processing in addition to the backend in which the bind DN exists. If this option is off, group memberships are not gathered from this backend unless the bind DN exists in this backend.

See Associating DNs, access groups, and additional bind and directory entry access information with a bound user for information about group gathering after a successful bind.

The server control authenticateOnly is supported by the LDAP server so that a client can override both extendedGroupSearching and group membership gathering from the backend where the DN exists. See Supported server controls for more information.

This option applies only to the backend in which it is defined.

Default = off

extendedSearch {off | basic | advanced}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    -    X    -    -    -

The extendedSearch option controls the SDBM backend search filters and the 4096-line output restriction.
  • If it is set to off, search requests are processed in traditional mode, which supports limited search filters and is subject to the RACF R_admin 4096-line output restriction.
  • If it is set to basic, search requests are processed with basic extended search, which includes limited search filters and removes the 4096-line output restriction.
  • If it is set to advanced, search requests are processed with advanced extended search. This mode supports all the search filters compliant with RFC 4515 (Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters) in addition to the removal of the 4096-line output restriction. For more information about usable search filters, see SDBM search capabilities.

Default = off

fetchSize num-of-bytes
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     X    -    -    X    -    -

Specifies, in bytes, the maximum buffer size that is used when multi-row fetch from Db2 is applicable. The actual buffer size that is used internally is adjusted to a multiple of the row size, and is no smaller than one row. For more information, see TDBM database tuning.

Default = 65536

fileTerminate {terminate | recover}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  -     -    X    -    X    X    -

Specifies whether the LDAP server ends when file system errors occur. If terminate, the LDAP server ends when a file system error is detected. If recover, the LDAP server continues processing, but the backend experiencing the file system error is set to read-only mode. No updates can be made to the directory controlled by this backend. When the problem is corrected, the backend can be reset to read/write mode using the LDAP server BACKEND operator modify command. See LDAP server operator commands for information about the LDAP server BACKEND modify command.

Default = recover

When the server is started as a transition server (started in transition mode), this configuration option is ignored and the server ends if a file system error is detected before transition completes. Once transition completes, the setting in the configuration file takes effect. See Updating LDAP configurations settings in a sysplex without server outage.

filterCacheBypassLimit num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X   X X  

Specifies the maximum number of returned entries that are allowed in the result set of any individual search that is stored in the Search Filter cache. Search filters that match more than this number of entries are not added to the Search Filter cache. This option is useful for maintaining the effectiveness of the Search Filter cache and Entry cache. It can be used to prevent a few search requests with large result sets from dominating the contents of the Entry cache.

The value must be in the range of 1 to 250. This option is ignored when the filter cache is not in use.

Default = 100.

filterCacheSize num-filters
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X   X X  

Specifies the maximum number of filters to store in the Search Filter cache. This cache holds information that is related to the mapping of search request inputs and the result set. Retrieval of information from this cache avoids database read operations when processing search requests. Individual search requests that return more entries than specified in the filterCacheBypassLimit option are not placed in the cache.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

TDBM Default = 5000
LDBM Default = 5000
CDBM Default = 5000
GDBM Default = 0

healthcheck checkName [checkParms]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
The healthcheck option defines a health check for the LDAP server.
checkName
Specify DB2 to define the TDS-Db2 health check. The check runs for any TDBM or Db2-based GDBM backend in which it is enabled by specifying db2HealthCheck on.

Specify CONFIG to define the TDS-CONFIG health check.

checkParms
For checkName DB2, optionally specify checkParms as a time of day in the following form:
"TOD hh:mm"
Every day at the specified time, the TDS-Db2 health check is automatically run. The value must be between 00:00 and 23:59. If you specify a value outside of this range or do not specify a value at all, then the health check is not run automatically. The health check can be run manually with the LDAP server HEALTH operator modify command.

For checkName CONFIG, checkParms is not supported and the LDAP server runs the TDS-CONFIG health check once after startup. The LDAP server HEALTH operator modify command can be used to run the check manually.

For more information, see Health checks supported by the LDAP server.

The following are examples of how to define the supported health checks.
healthcheck DB2 "TOD 23:50"
Specifies the time of day when the check is run.
healthcheck DB2
No time of day specified.
healthcheck CONFIG
Specifies the CONFIG health check option.
idleConnectionTimeout num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the amount of time in seconds that the LDAP server waits for an idle connection or an idle paged search result set. When an idle connection times out, the client connection is dropped. A connection is not treated as idle if there is an active, long running request on it, or if there is an active persistent search on it, even if no messages have been sent or received on the connection in the idleConnectionTimeout period. When an idle paged search result set times out, the paged search result set is abandoned. Idle connections and idle paged search result sets are detected by the LDAP server's network monitor task, which checks for them every 30 seconds. Therefore, it is possible for an idle connection or idle paged search result set to remain active slightly longer than the idleConnectionTimeout value.

The value must be either 0 or between 30 and 2147483647. A value of 0 indicates that an idle connection or idle paged search results remains active indefinitely.

Default = 0 (indefinitely)

Suggested value = 1800 (30 minutes)

include filename [systemName]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X X X X X X X

Specifies the path and file name of a file to be included as a part of the LDAP server configuration.

See Specifying a value for filename for information about specifying filename.

Note that the LDAP server does not detect loop conditions in a set of included files. Configuration might encounter errors or fail if the same file is processed more than once. While nested include files are supported, including the same file in such a way as to form a loop condition is not supported.

If the system name is specified, the include file is processed only on that system. This allows the LDAP server configuration files to be shared by multiple servers where each server runs on a different z/OS system. System-specific configuration information can then be placed in an include file that is processed only on the system to which it applies.

krbIdentityMap {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X X   X  

Specifies if this backend participates in Kerberos identity mapping. If it participates, then the server attempts to map the Kerberos identity that performed the bind to DNs that exist in this backend. The mapped DNs are then used for access control.

Default = off

krbKeytab {krbKeytab | none}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Specifies the Kerberos key table that is used by the LDAP server. The key table is used to obtain the encryption key for the Kerberos principal that is associated with the LDAP server. A key table must be provided if Kerberos authentication is used and the Kerberos KDC is not running on the same system as the LDAP server. However, a key table is not necessary if the Kerberos KDC is running on the same system as the LDAP server, the user ID associated with the LDAP server has a RACF KERB segment containing the server principal name, and the user ID associated with the LDAP server has read permission to the IRR.RUSERMAP facility class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. In these cases, the krbKeytab option is either omitted or set to none. Following is an example:
krbKeytab /home/users/u1/keytab

Default = no value

krbLDAPAdmin kerberosIdentityDN
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Specifies the Kerberos identity that represents the LDAP root administrator. This option allows the root administrator to bind through Kerberos and still maintain administrative authority. The value for this option must be specified as a DN with the attribute type of ibm-kn. The ibm-kn attribute type is case-sensitive and must match the actual Kerberos identity. Following is an example:
krbLDAPAdmin ibm-kn=LDAPAdmin@MYREALM.COM

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

listen ldap_URL
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies, in LDAP URL format, the IP address (or host name), and the port number where the LDAP server listens to incoming client requests. This option might be specified more than once in the configuration file.

Note the listen value might be established in the configuration file, or it might be established using the -l command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

Default = The server listens on all available and active IPv4 addresses, using port 389. This is equivalent to ldap://:389.

The format of ldap_URL for the listen option to listen on a TCP/IP socket interface is the following. This format is also used for other configuration options whose value is in LDAP URL format, such as altServer, masterServer, and referral.
{ldap:// | ldaps://}[IP_address | hostname | INADDR_ANY | in6addr_any][:portNumber]
The format of ldap_URL for the listen option to listen on the Program Call interface is the following:
ldap://:pc
where:
ldap://
Specifies that the server listen on nonsecure addresses or ports. Note if SSL/TLS is configured for the server, then once a connection is established, the client might switch to secure communication using the Start TLS extended operation. Consider specifying INADDR_ANY or in6addr_any, as this allows the z/OS Communications Server to determine the active interfaces rather than the LDAP server. This is preferable, especially in CINET environments with multiple TCP/IP stacks.
ldaps://
Specifies that the server listen on secure addresses or ports. When a connection is established to the server, the client must begin the SSL/TLS handshake protocol. The sslKeyRingFile option must also be specified when using this format. Consider specifying INADDR_ANY or in6addr_any, as this allows the z/OS Communications Server to determine the active interfaces rather than the LDAP server. This is preferable, especially in CINET environments with multiple TCP/IP stacks.
IP_address
Specifies either the IPv4 or IPv6 address.
hostname
Specifies the host name. If the host name is used for the listen option, all the IPv4 or IPv6 addresses associated with the hostname are obtained from the DNS (Domain Name Server) and the LDAP server listens on each of these active and available IP addresses.
INADDR_ANY
Specifies the INADDR_ANY interface. If specified, the z/OS Communications Server determines the active and available IPv4 TCP/IP interfaces on the system on which the LDAP server binds and listens for requests. For more information about the INADDR_ANY interface, see z/OS Communications Server: IP Configuration Guide and the GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference.
in6addr_any
Specifies the in6addr_any interface. If specified, the z/OS Communications Server determines the active and available IPv4 and IPv6 TCP/IP interfaces on the system on which the LDAP server binds and listens for requests. For more information about the in6addr_any interface, see z/OS Communications Server: IP Configuration Guide and the GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference.
portNumber
Specifies the port number. The portNumber is optional. If the port number is not specified for an ldap://, then the default of 389 is used for nonsecure connections. If the port number is not specified for an ldaps://, then the default of 636 is used for secure connections.
  • Range = 1 - 65536

If the serverSysplexGroup option is present in the configuration file, the port number that is specified for this server instance must be the same as the port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

It is advisable to reserve the port number or numbers that are chosen here in your TCP/IP profile data set. Also, be aware that port numbers less than 1024 might require more specifications. For more information, see z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference.

pc
Specifies that the LDAP server listens for program call (PC) calls from RACF change logging using the z/OS System Authorization Facility (SAF) interface. Only one LDAP server on a system can listen for PC calls.

Note when the listen option is initialized to listen for PC calls on the LDAP server, the listen parameter must not include an IP address or a host name and you cannot specify ldaps.

Following are some examples of how you can specify ldap_URL.

  • If you specify:
    ldap://
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the nonsecure default port of 389 for incoming client requests. Note this is not the same as ldap://INADDR_ANY, which listens specifically on the INADDR_ANY interface on the nonsecure default port of 389, or the ldap://in6addr_any, which listens specifically on the in6addr_any interface on the nonsecure default port of 389.
  • If you specify:
    ldap://us.endicott.ibm.com:489
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses associated with the host name us.endicott.ibm.com on the nonsecure port of 489 for incoming client requests.
  • If you specify:
    ldap://9.130.77.27
    the LDAP server binds and listens on IPv4 address 9.130.77.27 on the default nonsecure port of 389 for incoming client requests.
  • If you specify:
    ldaps://us.endicott.ibm.com
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses associated with the host name us.endicott.ibm.com on the default secure port of 636 for incoming client requests.
  • If you specify:
    ldaps://9.130.77.27:736
    the LDAP server binds and listens on IPv4 address 9.130.77.27 on the secure port of 736 for incoming client requests.
  • If you specify:
    ldap://:489
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the nonsecure port of 489 for incoming client requests. Note that this is not the same as ldap://INADDR_ANY:489, which listens specifically on the INADDR_ANY interface on the nonsecure port of 489, or ldap://in6addr_any:489, which listens specifically on the in6addr_any interface on the nonsecure port of 489.
  • If you specify:
    ldaps://:777
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the secure port of 777 for incoming client requests. Note that this is not the same as ldaps://INADDR_ANY:777, which listens specifically on the INADDR_ANY interface on the secure port of 777, or ldaps://in6addr_any:777, which listens specifically on the in6addr_any interface on the secure port of 777.
  • If you specify:
    ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
    the LDAP server binds and listens on the IPv6 address 5f1b:df00:ce3e:e200:20:800:2078:e3e3 on the nonsecure port of 389 for incoming client requests.
  • If you specify:
    ldaps://[::ffff:9.130.77.75]:777
    the LDAP server binds and listens on the IPv4 mapped IPv6 address ::ffff:9.130.77.75 on the secure port of 777 for incoming client requests.
  • If you specify:
    ldap://[::]
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses on the system on the nonsecure default port of 389 for incoming client requests. Note this is not the same as ldap://INADDR_ANY, which listens specifically on the INADDR_ANY interface on the nonsecure default port of 389, or ldap://in6addr_any, which listens specifically on the in6addr_any interface on the nonsecure default port of 389.
  • If you specify:
    ldap://:pc
    the LDAP server binds and listens for PC calls from RACF change logging using the SAF interface into the server.
Note: The listen parameter deprecates the security, port, and securePort options in the configuration file. If a listen option is specified in the configuration file along with security, port, or securePort, the listen option takes precedence over what has been specified for security, port, or securePort. If an earlier version of the configuration file with security, port, or securePort is used, the LDAP server is configured to listen on the port numbers specified for securePort, port, or both, depending upon the security setting. However, the listen configuration option should be used to configure the LDAP server.
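The following validator is an added example, not IBM code, and applies the ldap_URL rules described above: the default ports 389 and 636, the bracketed IPv6 form, the INADDR_ANY and in6addr_any spellings, and the restrictions on ldap://:pc. The cross-option checks (sslKeyRingFile with ldaps://, listen taking precedence over security, port and securePort) read a constructed configuration fragment; treating lines beginning with # as comments is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # nonsecure / secure defaults from the reference

# scheme, then a bracketed IPv6 literal or a bare host part (which cannot contain ':'),
# then an optional ':port' that is either digits or the literal 'pc'.
_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:\[(?P<ip6>[^\]]*)\]|(?P<host>[^:\[\]/]*))"
    r"(?::(?P<port>[^/]*))?$"
)
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


@dataclass(frozen=True)
class ListenSpec:
    scheme: str           # "ldap" or "ldaps"
    kind: str             # all_ipv4 | inaddr_any | in6addr_any | ipv4 | ipv6 | hostname | pc
    host: Optional[str]   # address or host name as written; None for all_ipv4 and pc
    port: Optional[int]   # None only for the PC interface
    secure: bool          # True for ldaps://: the client must start the TLS handshake on connect


def parse_listen_url(url: str) -> ListenSpec:
    """Parse one listen value, applying the defaults and restrictions in the reference."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a valid ldap_URL: {url!r}")
    scheme = m.group("scheme")
    secure = scheme == "ldaps"
    ip6, host, port_text = m.group("ip6"), m.group("host"), m.group("port")

    # Program Call interface: only 'ldap://:pc', with no address or host name and no ldaps.
    if port_text == "pc":
        if secure:
            raise ValueError("the PC listen cannot be specified with ldaps://")
        if ip6 is not None or host:
            raise ValueError("the PC listen must not include an IP address or host name")
        return ListenSpec(scheme, "pc", None, None, False)

    if port_text is None:
        port = DEFAULT_PORTS[scheme]      # 389 for ldap://, 636 for ldaps://
    else:
        if not port_text.isdigit():
            raise ValueError(f"port must be numeric or 'pc': {port_text!r}")
        port = int(port_text)
        # The reference lists the range as 1 - 65536; a TCP port cannot exceed 65535,
        # so this check stops there.
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")

    if ip6 is not None:
        try:
            ipaddress.IPv6Address(ip6)    # also accepts '::' and IPv4-mapped '::ffff:a.b.c.d'
        except ValueError as exc:
            raise ValueError(f"bad IPv6 literal: {ip6!r}") from exc
        return ListenSpec(scheme, "ipv6", ip6, port, secure)
    if host == "":
        return ListenSpec(scheme, "all_ipv4", None, port, secure)
    if host in ("INADDR_ANY", "in6addr_any"):     # spellings as shown in the reference
        return ListenSpec(scheme, host.lower(), host, port, secure)
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if re.fullmatch(r"[\d.]+", host):        # digits and dots that are not a valid IPv4 address
            raise ValueError(f"bad IPv4 address: {host!r}") from None
    else:
        return ListenSpec(scheme, "ipv4", host, port, secure)
    if _HOSTNAME_RE.match(host):
        return ListenSpec(scheme, "hostname", host, port, secure)
    raise ValueError(f"unrecognized host part: {host!r}")


def check_listen_config(lines: List[str]) -> List[str]:
    """Cross-option checks from the reference over the global section of a configuration file."""
    findings: List[str] = []
    options: Dict[str, List[str]] = {}
    listens: List[ListenSpec] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):     # comment handling is an assumption
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "listen":
            try:
                listens.append(parse_listen_url(value))
            except ValueError as exc:
                findings.append(f"invalid listen {value!r}: {exc}")
        else:
            options.setdefault(key, []).append(value)
    if any(s.secure for s in listens) and "sslKeyRingFile" not in options:
        findings.append("ldaps:// listen present but sslKeyRingFile is not specified")
    superseded = [k for k in ("security", "port", "securePort") if k in options]
    if listens and superseded:
        findings.append("listen takes precedence over deprecated option(s): " + ", ".join(superseded))
    if any(s.kind == "all_ipv4" for s in listens):
        findings.append("advisory: an address-less listen lets the LDAP server pick the IPv4 "
                        "interfaces; INADDR_ANY or in6addr_any lets z/OS Communications Server decide")
    return findings


# Constructed configuration fragment (not from a real system); host name from the examples above.
SAMPLE_CONFIG = """
# constructed example
adminDN cn=Admin
listen ldap://:389
listen ldaps://us.endicott.ibm.com:736
listen ldap://:pc
port 389
""".splitlines()
```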
logfile filename
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the location of the file where the activity log is written when logging is enabled. See Activity logging for more information.

See Specifying a value for filename for information about specifying the filename.

Default = /etc/ldap/gldlog.output

logFileFilter filter
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies a client IP address filter that is used to determine the activity that is included or excluded from being logged in the activity log file. Client requests originating from IP addresses allowed by the filter are written to the activity log file specified in the logfile configuration option.

The only supported activity log filters are ones using the ibm-filterIP attribute type to designate the client IPv4 addresses or IPv6 addresses with no brackets that are to be included or excluded from the activity log file. Host names and subnet masks are not supported in these filters. See Activity logging for more information.

Default = ibm-filterIP=*

logFileMicroseconds {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Controls whether generated log records include microseconds in their time stamps. This setting cannot be modified by a LOG operator modify command. The default does not include microseconds in the time stamps. If on, all activity log time stamps include microseconds. If off, microseconds are not included.

Default = off

The GLDLOG_MICROSECONDS environment variable, which can also control this behavior, is now deprecated. If both the keyword and the environment variable are set, the keyword setting is used.

logFileMsgs {msgs | noMsgs}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Controls log records that are generated when messages are created by the LDAP server. The supported options are:
msgs
Messages that are generated by the LDAP server are written to the activity log in addition to the normal target.
noMsgs
Indicates that messages generated by the LDAP server are not written to the activity log.

Default = noMsgs

The GLDLOG_MSG environment variable, which can also control this behavior, is now deprecated. If both the keyword and the environment variable are set, the keyword setting is used.

logFileOps {writeOps | allOps | summary | noOps}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Controls which operations generate log records. The supported options are:
writeOps
Log records are created for add, delete, modify, modrdn, and extended operations.
allOps
Log records are created for writeOps, bind, search, compare, abandon, and unbind operations.
summary
Summary statistics are logged every hour. If any logging is collected, summary data is created hourly.
noOps
No log record is created.

Default = noOps

The GLDLOG_OPS environment variable, which can also control this behavior, is now deprecated. If both the keyword and the environment variable are set, the keyword setting is used.

logFileRecordType {begin | both | mergedRecord}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Controls when log records are generated. The supported options are:
begin
Log records are created at the beginning of requests.
both
Log records are created at the beginning and the end of requests.
mergedRecord
mergedRecord log records are created for all operations that are logged. These records are generated when the operation ends and contain additional information fields that are also provided in the audit log.

Default = begin

The GLDLOG_TIME environment variable, which can also control this behavior, is now deprecated. If both the keyword and the environment variable are set, the keyword setting is used.

When the GLDLOG_TIME environment variable is used instead, the possible values are time, notime, and mergedRecord.

logFileRolloverDirectory name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the name of the z/OS UNIX System Services file system directory where the activity log files are archived or rolled over or the Generated Data Group (GDG) base data set. If a z/OS UNIX System Services file system directory is specified, it must be a fully qualified directory path. If a GDG base data set name is specified, the logfile configuration option must specify the same GDG base data set name. If the logfile configuration option specifies a file that exists in a z/OS UNIX System Services file system directory and this option is not specified, the archived or rolled over activity log file is kept in the same directory. See Activity logging for more information about activity log archiving or rollover.

Default = Directory that is specified by the logfile configuration option.

logFileRolloverSize nnn[K | M | G]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Specifies the maximum size in bytes of the activity log file. When the maximum size is reached, the activity log file is rolled over or archived. The value nnn can be followed by a K, M, or G to indicate kilobytes, megabytes, or gigabytes, in that order, and must be at least 10K (10240) but no larger than:
  • 18446744073709551615
  • 18014398509481983K
  • 17592186044415M
  • 17179869183G
Specify 0 to disable activity log file archiving or rollover based on size. See Activity logging for more information about activity log archiving or rollover.

Default = 0
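As an added example (not IBM code), this parser applies the nnn[K | M | G] rule above and shows where the four listed maximums come from: each is the largest value whose byte count still fits in 18446744073709551615 (2^64 - 1). Accepting a zero value with a suffix as equivalent to 0 is an assumption.

```python
import re

_SIZE_RE = re.compile(r"^(?P<num>\d+)(?P<unit>[KMG]?)$")
MULTIPLIER = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MIN_BYTES = 10 * 1024           # "at least 10K (10240)"
MAX_BYTES = 2 ** 64 - 1         # 18446744073709551615, the unsuffixed maximum


def max_value_for_unit(unit: str) -> int:
    """Largest nnn allowed with the given suffix: nnn times the multiplier must fit in MAX_BYTES."""
    return MAX_BYTES // MULTIPLIER[unit]


def parse_rollover_size(text: str) -> int:
    """Return the byte count for a logFileRolloverSize value; 0 means rollover by size is disabled."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected nnn[K|M|G], got {text!r}")
    num, unit = int(m.group("num")), m.group("unit")
    if num == 0:
        return 0                # '0' disables size-based archiving or rollover (assumption: '0K' too)
    if num > max_value_for_unit(unit):
        raise ValueError(f"{text!r} exceeds the maximum of {max_value_for_unit(unit)}{unit}")
    nbytes = num * MULTIPLIER[unit]
    if nbytes < MIN_BYTES:
        raise ValueError(f"{text!r} is below the minimum of 10K (10240 bytes)")
    return nbytes
```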

logFileRolloverTOD hh:mm
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

logFileSync num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the log file synchronization interval in seconds. A nonzero value enables asynchronous activity logging: log records are held in a cache and written to the log file periodically, and the interval is the number of seconds that the LDAP server waits between writes.

The value must be either 0 or between 30 and 600. A value of 0 disables asynchronous activity logging, and client activity log records are written to the file immediately without caching.

Default = 0

logFileVersion {0 | 1}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the activity log version. The versions are 0 and 1. See Activity logging for more information about the activity log version.

Default = 0

masterServer ldap_URL
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X        

Specifies for this backend the location of this replica's master server for basic replication. There is no required format for the value; however, the z/OS LDAP client can only follow a masterServer value if it is in LDAP URL format. See listen ldap_URL for a description of LDAP URL format. The presence of this option indicates that this LDAP server is a basic replication read-only replica for this backend and receives updates from a master LDAP server. Any other update requests for this backend received directly by the LDAP server are redirected to the master server. You must also specify the masterServerDN option in this section of the configuration file. The master server must contain all the suffixes that are defined for this backend.

The masterServer option can be specified multiple times if there are multiple master servers. In this case, the LDAP client attempts to contact each server in the list until it is able to establish a connection with one of the servers.

The masterServer option indicates that basic replication is configured for this backend section. Therefore, the masterServer configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP URL:
masterServer ldap://myldap.server.com:3389
In the following example, the IPv6 address of 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and 389 is the port number of the LDAP URL.
masterServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
masterServerDN dn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X        

Specifies the distinguished name (DN) that can always make updates to this basic replication read-only replica backend. The value must be in the DN format that is described in Data model. The presence of this option indicates that this LDAP server is a read-only replica for this backend and receives updates from a master LDAP server using the specified DN. The specified DN is a special entry that is only used when replicating to this read-only replica backend. The DN has unrestricted update, compare, and search access for all entries in the backend on this server, even if the LDAP server is in maintenance mode. When in maintenance mode, only this DN and an LDAP root administrator can access and update the entries in this backend. All other update operations for this backend received by the replica server are redirected to the master server. Care must be taken when updating this backend to ensure that the replica server remains synchronized with the master server.

You must also specify the masterServer option in this section of the configuration file. You cannot specify the peerServerDN option.

The masterServerDN option indicates that basic replication is configured for this backend section. Therefore, the masterServerDN configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

You might want the DN to have the same suffix as one of the suffix option values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your master server DN.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

masterServerPW string
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X        

Specifies the password for the masterServerDN that can make updates for this backend. This option is only applicable for a basic replication read-only LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the master server password.

Note:
  1. Use of the masterServerPW configuration option is discouraged in production environments. Instead, specify your masterServerDN as the distinguished name of an existing entry in the directory information tree, including a userpassword attribute. This eliminates passwords from the configuration file.
  2. Password policy does not apply to the entry specified in the masterServerDN configuration option when the password is specified in the masterServerPW configuration option.
Note: The masterServerPW option indicates that basic replication is configured for this backend section. Therefore, the masterServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

maxConnections num-connections
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the maximum number of concurrently connected clients that the LDAP server allows.

Range = 30 to 65535

Default = operating system maximum

The LDAP server limits the number of client connections by restricting the number of file and socket descriptors that are used by the LDAP server. Some of the descriptors are used by the LDAP server for its own file descriptors and passive socket descriptors. The value that is specified for this option must take into account that the server uses approximately 10 descriptors for internal functions and uses more depending upon the number of additional sockets that are used as passive sockets for connection attempts by clients.

The maximum number of client connections is further restricted by:
  • The maximum number of files a single process can have concurrently active.

    The MAXFILEPROC statement for BPXPRMxx and the FILEPROCMAX option on the RACF altuser command are used to set the limit. Only processes with superuser authority can adjust the limit beyond the limit that is specified by MAXFILEPROC and FILEPROCMAX. Attempts to exceed this limit by non-superuser processes might be audited by the security manager.

  • The maximum number of sockets that are allowed by the TCP/IP socket file system.

    The MAXSOCKETS option on the NETWORK statement for BPXPRMxx sets this limit.

Setting these limits too high can affect system performance by using too many resources and deprive other functions of their share of the same resources.

multiserver {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X   X X  

Indicates the operating mode in which the LDAP server runs for this backend. Specifying on indicates the server runs in multi-server mode for this backend (see Configuring the operational mode). In multi-server mode, the LDAP server shares directory data with other instances of the LDAP server running within the sysplex. The serverSysplexGroup configuration option must also be specified when running in multi-server mode. Specifying off indicates the server runs in single-server mode for this backend.

Default = off

You can configure a backend to operate in single-server mode while another backend operates in multi-server mode except when GDBM or CDBM is configured. When CDBM or GDBM is configured, all TDBM, LDBM, GDBM, and CDBM backends must be configured to use the same operating mode.

nativeAuthSubtree {all | dn}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Specifies the distinguished name of a subtree where all of its entries are eligible to participate in native authentication. This option can appear multiple times to specify all subtrees that use native authentication. If this option is omitted or is set to all, then the entire directory is subject to native authentication. This option is ignored unless useNativeAuth is set to selected or all.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

Default = all

nativeUpdateAllowed {on | off | reset}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

When set to on or reset, enables native password or password phrase changes in the security server to occur through a modify request to the TDBM, LDBM, or CDBM backend if useNativeAuth is set to selected or all.

When set to reset, this option also allows a bind to the backend to succeed even if the specified native authentication password is expired, if the PasswordPolicy control is included in the bind request. After the bind, only the special delete-add modification of the bound user's userpassword attribute can be performed to reset the native authentication password. Once complete, other LDAP operations can be performed.

This option does not affect the ability to change a native password or password phrase during a bind operation.

Note: z/OS LDAP password policy does not apply to entries participating in native authentication.

Default = off

operationsMonitor {ip | ipAny | all}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the search patterns that are monitored by the LDAP server. Operations monitor supports search patterns of searchStats and searchIPStats. A searchStats pattern consists of the search parameters (search base, scope, filter, and attributes to be returned) and status (SUCCESS or FAILURE). A searchIPStats pattern consists of the same elements as in the searchStats pattern, but also includes the client IP address. If operations monitor is enabled, LDAP monitors search statistics for the types of search patterns that are configured. See Operations monitor for more information about operations monitor.

If set to ip, then only searchIPStats patterns are monitored. This option setting is useful in determining whether any specific clients are flooding the LDAP server with requests.

If set to ipAny, then only searchStats patterns are monitored. This option is useful for evaluating the performance of search patterns.

If set to all, the operations monitor monitors both searchStats and searchIPStats patterns. Therefore, each search is counted in two search patterns: one that matches the searchStats pattern and one that matches the searchIPStats pattern.

Default = ipAny

operationsMonitorSize num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the maximum number of search patterns for which the operations monitor gathers statistics. The value must be between 0 and 2147483647. A value of 0 indicates that the operations monitor is turned off. When the operations monitor is turned off, the cn=operations,cn=monitor entry is not returned on a cn=monitor search.

Default = 1000

pcIdleConnectionTimeout num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the amount of time in seconds that an idle connection remains valid over the LDAP PC (program call) callable interface. After the specified time, the PC connection is considered no longer in use and any resources that are associated with the connection are released. Idle connections are detected when the LDAP server receives a new PC connection or a request on an existing PC connection.

The value must be either 0 or between 30 and 2147483647. A value of 0 indicates that an idle connection remains indefinitely.

Default = 0 (indefinitely)

Suggested value = 0

pcThreads num-threads
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the number of threads to be initialized to handle incoming program call (PC) calls using the z/OS SAF interface into the LDAP server. No threads are used if the program call interface is not active. The value must be in the range of 2 to 2147483647.

Default = 10

peerServerDN dn
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X        

Specifies the distinguished name (DN) that can make updates to this basic replication peer replica backend. The value must be in the DN format that is described in Data model. The presence of this option indicates that this LDAP server is a peer replica for this backend: it can receive updates from another peer LDAP server that binds with the specified DN, in addition to processing updates that are received from clients. The specified DN is a special entry that is only used when replicating to this peer replica backend. The DN has unrestricted update, compare, and search access for all entries in the backend on this server, even if the LDAP server is in maintenance mode. When in maintenance mode, only this DN and an LDAP root administrator can access and update the entries in this backend.

Update operations for this backend that are received from a client bound as the peerServerDN (or as an LDAP root administrator when in maintenance mode) are performed on the local database and are not sent to any peer or read-only replica servers. When not in maintenance mode, all other update operations for this backend are performed on the local database and are sent to the other peer and read-only replica servers. Update operations that are received from a peer or a master are never replicated, regardless of whether the server is in maintenance mode. Updates that are made by an LDAP root administrator are replicated unless the server is in maintenance mode.

You cannot also specify the masterServerDN option in this section of the configuration file.

The peerServerDN option indicates that basic peer-to-peer replication is configured for this backend section. Therefore, the peerServerDN configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

You might want the DN to have the same suffix as one of the suffix option values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your peer replica DN.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

peerServerPW string
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X        

Specifies the password for the peerServerDN that can make updates for this backend. This option is only applicable for a basic replication peer replica LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the peer server password.

Note:
  1. Use of the peerServerPW configuration option is discouraged in production environments. Instead, specify your peerServerDN as the distinguished name of an existing entry in the directory information tree, including a userpassword attribute. This eliminates passwords from the configuration file.

    The peerServerPW option indicates that basic peer-to-peer replication is configured for this backend section. Therefore, the peerServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

  2. Password policy does not apply to the entry specified in the peerServerDN configuration option when the password is specified in the peerServerPW configuration option.

persistentSearch {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X   X X  

Allows or disallows persistent search for changes that are made to entries in a backend. When off is specified, persistent search requests for this backend are rejected. See PersistentSearch for more information about persistent search.

Default = off

plugin pluginType pluginName pluginInit [pluginParameters]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Defines a plug-in extension to the LDAP server. Writing an LDAP server plug-in and using the SLAPI service routines are described in z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS. A sample plug-in and its makefile are included in /usr/lpp/ldap/examples. Building and using the sample plug-in are described in z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS.

pluginType
Specify preOperation, clientOperation, or postOperation. A preOperation plug-in is called by the LDAP server before a client request is processed. A clientOperation plug-in is called to process a client request. A postOperation plug-in is called after a client request is processed. A clientOperation plug-in is called when a client request matches a distinguished name suffix or extended operation object identifier that is registered for the plug-in.
pluginName
Specify the name of the shared library (DLL) containing the plug-in code. A plug-in that supports both 31-bit and 64-bit addressing modes specifies both file names, separated by a slash, "/", such as plugin31/plugin64. A plug-in that supports only 31-bit addressing mode specifies one file name, such as plugin31.
pluginInit
Specify the name of the plug-in initialization routine. This plug-in routine is called by the LDAP server to allow the plug-in to initialize. The plug-in initialization routine registers the message types, distinguished name suffixes, and extended operation object identifiers that are supported by the plug-in.
pluginParameters
Optionally, specify plug-in parameters. The plug-in can retrieve these parameters using the slapi_pblock_get() routine.

The ICTX and remote crypto plug-ins are plug-in extensions that are shipped with the z/OS LDAP server and provide additional function.
  • The ICTX plug-in allows resource managers that do not exist on z/OS to centralize authorization decisions and security event logging requests by using RACF. This enables consolidation of security authorization and auditing functions. See ICTX plug-in for more information.
  • The remote crypto plug-in allows remote applications to access PKCS#11 or CCA callable services that are implemented within ICSF. PKCS#11 is one of the Public-Key Cryptography Standards (PKCS) and defines a platform-independent programming interface to cryptographic tokens. CCA refers to the IBM® Common Cryptographic Architecture. See Remote crypto plug-in for more information.

port num-port
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Note: The port option has been deprecated by the listen option. See listen ldap_URL for information about the listen option.

Specifies the TCP/IP port used by the LDAP server for non-SSL communications. The value must be in the range of 1 to 65535.

Default = 389

If the serverSysplexGroup option is present in the configuration file, the port number that is specified for this server instance must be the same as the port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

The port number might be established in the configuration file, or it might be established using the -p command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

It is advisable to reserve the port number that is chosen here in your TCP/IP profile data set. Also, be aware that port numbers less than 1024 might require additional specifications. For more information, see z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference.

pwCryptCompat {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Specifies whether to use an EBCDIC version or a UTF-8 version of the crypt() algorithm to hash passwords when pwEncryption crypt is contained in this section of the configuration file. If on, the EBCDIC version of the crypt() algorithm is used; this is what the z/OS Integrated Security Services LDAP server used. If off, the UTF-8 version is used. Note that ASCII is a subset of UTF-8. When sharing LDAP directory data between z/OS and an ASCII-based platform, specify pwCryptCompat off to ensure that the hashed value is the same on both platforms.

Default = on

pwEncryption {none | crypt | MD5 | SHA | SSHA | DES:keylabel | AES:keylabel}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Specifies what encryption or hashing method to use when storing the userPassword and ibm-slapdAdminPw attribute values in the backend of the directory.

none
Specifies no encryption. The userPassword and ibm-slapdAdminPw attribute values are stored in clear text format. The stored values are prefixed with the tag {none}. The original value, without the tag, is returned for a search request.
crypt
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the crypt() algorithm before they are stored in the directory. The stored values are prefixed with the tag {crypt}. The versions of the crypt() algorithm are: an EBCDIC-based version and a UTF-8-based version. See the pwCryptCompat option and the following notes for information about selecting which version to use. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
MD5
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the MD5 hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {MD5}. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
SHA
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the SHA hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {SHA}. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
SSHA
Specifies that userpassword and ibm-slapdAdminPw attribute values are hashed by the Salted SHA (SSHA) hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {SSHA}. The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed and salt values are returned for a search request.
SHA224, SHA256, SHA384, SHA512
Specifies that userpassword and ibm-slapdAdminPw attribute values are hashed by the specified SHA-2 hashing algorithm before they are stored in the directory. The stored values are prefixed with the specified tag (for example, {SHA224}). The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed value are returned for a search request.
SSHA224, SSHA256, SSHA384, SSHA512
Specifies that userpassword and ibm-slapdAdminPw attribute values are hashed by the specified Salted SHA-2 hashing algorithm before they are stored in the directory. The stored values are prefixed with the specified tag (for example, {SSHA224}). The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed and salt values are returned for a search request.
DES:keylabel
Specifies that userpassword and ibm-slapdAdminPw attribute values are encrypted by the DES algorithm before they are stored in the directory. The stored values are prefixed with the tag {DES:keylabel}. The original password value, without the tag, is returned for a search request. The key label must refer to either a valid data-encrypting key that is generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
AES:keylabel
Specifies that userPassword and ibm-slapdAdminPw attribute values are encrypted by the AES algorithm using the specified key label before they are stored in the directory. The stored values are prefixed with the tag {AES:keylabel}. The original password value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key that is generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
Note:
  1. When a password is stored in a TDBM, LDBM, or CDBM backend, it is prefixed with the appropriate encryption tag so that when a clear text password is sent on an LDAP API simple bind it can be encrypted or hashed in that same method for password verification.
  2. The crypt algorithm, which is implemented across many platforms, accepts only the first 8 characters of a password. As a result, any password that is supplied on a bind or compare operation whose first 8 characters match the first 8 characters of the original password is accepted against a userPassword attribute value that is hashed with the crypt algorithm in the directory.
  3. When the pwCryptCompat option is set to on, the values hashed using the crypt algorithm are not portable to other X/Open-conformant systems if the userpassword and ibm-slapdAdminPw attribute values are unloaded using the ds2ldif utility with the -t command-line parameter and loaded by another platform's load utility. If the pwCryptCompat option is set to off, the values hashed using the crypt algorithm are portable to other X/Open-conformant systems if the userpassword and ibm-slapdAdminPw attribute values are unloaded using the ds2ldif utility with the -t command-line parameter. The output LDIF file from ds2ldif can then be loaded using another platform's load utility.
  4. If a tagged encrypted or hashed userpassword or ibm-slapdAdminPw attribute value is included in an add or modify operation, the attribute value is stored as it is, with no additional encryption or hashing performed on the value, even if the pwEncryption configuration option is set to a different type of encryption or hashing.

Default = none

pwSearchOutput {binary | base64}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the format of MD5 and SHA hashed userpassword and ibm-slapdAdminPw attribute values when retrieved on a search operation. This option does not affect the retrieval of Salted SHA (SSHA), SHA-2, or Salted SHA-2 hashed userpassword and ibm-slapdAdminPw attribute values on a search operation.

If set to binary and the userpassword or ibm-slapdAdminPw attribute value is hashed in MD5 or SHA, the LDAP server returns the encryption tag (either {MD5} or {SHA}) in UTF-8 followed by the binary hash.

If set to base64 and the userpassword or ibm-slapdAdminPw attribute value is hashed in MD5 or SHA, the LDAP server returns the encryption tag (either {MD5} or {SHA}) in UTF-8 followed by the base64-encoded binary hash.

For an example of using this option, see One-way hashing formats.

Default = binary
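A verifier and renderer for the tagged password formats described under pwEncryption and pwSearchOutput, as an added example that is not part of this reference or of the z/OS LDAP server code. It assumes the common base64(digest + salt) layout for the salted tags and an 8-byte salt, treats an untagged value as clear text, and deliberately leaves out {crypt}, {DES:keylabel} and {AES:keylabel}, which need crypt() or ICSF.

```python
"""Tagged password values: build them per pwEncryption method, verify a bind
password against them, and render {MD5}/{SHA} values as pwSearchOutput does.
Constructed example; the salted layout base64(digest || salt) is an assumption."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Tag -> (hashlib algorithm name, salted?) for the hashing methods listed under pwEncryption.
TAGGED_HASHES = {
    "MD5": ("md5", False),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA224": ("sha224", False), "SHA256": ("sha256", False),
    "SHA384": ("sha384", False), "SHA512": ("sha512", False),
    "SSHA224": ("sha224", True), "SSHA256": ("sha256", True),
    "SSHA384": ("sha384", True), "SSHA512": ("sha512", True),
}

_TAG_RE = re.compile(rb"^\{([^}]*)\}(.*)$", re.DOTALL)


def split_tag(stored: bytes) -> Tuple[Optional[str], bytes]:
    """Return (tag, payload); a value with no {tag} prefix yields tag None."""
    match = _TAG_RE.match(stored)
    if match is None:
        return None, stored
    return match.group(1).decode("utf-8"), match.group(2)


def store_password(password: bytes, method: str, salt: Optional[bytes] = None) -> bytes:
    """Build the stored form for one pwEncryption method.

    {MD5}/{SHA} are produced in the pwSearchOutput binary form (tag + raw digest);
    the SHA-2 and salted variants are base64-encoded as the reference describes.
    """
    if method == "none":
        return b"{none}" + password
    algo, salted = TAGGED_HASHES[method]
    tag = b"{" + method.encode("ascii") + b"}"
    if salted:
        salt = os.urandom(8) if salt is None else salt  # 8-byte salt: constructed choice
        digest = hashlib.new(algo, password + salt).digest()
        return tag + base64.b64encode(digest + salt)
    digest = hashlib.new(algo, password).digest()
    if method in ("MD5", "SHA"):
        return tag + digest
    return tag + base64.b64encode(digest)


def _raw_digest(payload: bytes, digest_size: int) -> bytes:
    """Accept either pwSearchOutput form: a raw digest of exactly digest_size bytes,
    otherwise base64 text (24 chars for MD5, 28 for SHA, so length disambiguates)."""
    return payload if len(payload) == digest_size else base64.b64decode(payload)


def as_search_output(stored: bytes, mode: str = "binary") -> bytes:
    """Render an {MD5} or {SHA} value the way pwSearchOutput binary|base64 returns it.
    Other tags are returned unchanged, since the option does not affect them."""
    tag, payload = split_tag(stored)
    if tag not in ("MD5", "SHA"):
        return stored
    raw = _raw_digest(payload, hashlib.new(TAGGED_HASHES[tag][0]).digest_size)
    return b"{" + tag.encode("ascii") + b"}" + (raw if mode == "binary" else base64.b64encode(raw))


def verify_password(candidate: bytes, stored: bytes) -> bool:
    """Check a simple-bind password against a stored value, picking the algorithm
    from the tag (note 1 under pwEncryption). Unsupported tags raise ValueError."""
    tag, payload = split_tag(stored)
    if tag is None or tag == "none":  # untagged treated as clear text (assumption)
        return hmac.compare_digest(candidate, payload)
    if tag not in TAGGED_HASHES:
        raise ValueError("unsupported password tag {%s}" % tag)
    algo, salted = TAGGED_HASHES[tag]
    size = hashlib.new(algo).digest_size
    if salted:
        decoded = base64.b64decode(payload)
        digest, salt = decoded[:size], decoded[size:]
        expected = hashlib.new(algo, candidate + salt).digest()
    else:
        digest = _raw_digest(payload, size)
        expected = hashlib.new(algo, candidate).digest()
    # Constant-time comparison; a length mismatch simply compares unequal.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    value = store_password(b"secret", "SSHA256")
    print(value, verify_password(b"secret", value), verify_password(b"wrong", value))
```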

readOnly {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X X X X  
Specifies the ability to modify the database. The LDAP server BACKEND operator modify command can be used to change the backend database to read/write or read-only mode while the LDAP server is running. Any attempt to use the LDAP server to modify the database fails if readOnly is turned on.
Note:
  1. For GDBM, change log entries are not created and are not trimmed (deleted) by the LDAP server when readOnly is on.
  2. When running in multi-server mode, the readOnly configuration option is the same for all LDAP servers in the cross-system group because any LDAP server can potentially handle update requests.
  3. For SDBM, readonly on does not prevent changing a RACF password during a bind operation, using the currentvalue/newvalue format. However, it does prevent changing the password by using a modify operation of the racfpassword attribute.
  4. When LDBM, TDBM, or CDBM is using native authentication, the RACF password can be changed during bind even though readonly on is specified. The RACF password cannot be changed by using the LDBM, TDBM, or CDBM native authentication modify of the userpassword attribute.
  5. If authenticating or comparing an LDBM, TDBM, or CDBM entry that is subject to password policy in the LDAP server, readonly on does not prevent the password policy operational attributes from being updated in the entry.

Default = off

referral ldap_URL
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the referral to pass back when the target of a client request is not included in any suffix within the LDAP server. It is also known as the default referral. The referral option can appear multiple times and lists equivalent servers. There is no required format for the value; however, the z/OS LDAP client can only follow a referral value if it is in LDAP URL format. See listen ldap_URL for a description of LDAP URL format.

A default referral is not returned to the client if the client request includes the manageDsaIT control. See manageDsaIT for more information about this control.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP directory URL:

referral ldap://myldap.server.com:3389

In the following example, the IPv6 address 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and 389 is the port number of the LDAP URL:

referral ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389

schemaPath name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the name of the file directory containing the LDAP schema database. A fully qualified directory path must be specified. When multi-server mode is active, the same schema path must be specified for each LDAP server within the cross-system group. The schema database file is automatically created during LDAP server initialization if it does not exist. The LDAP server must have write access to the schema directory. This configuration option also determines the directory that is used by CDBM to store its data if the CDBM backend is configured and the databaseDirectory configuration option is not specified in the CDBM backend configuration section.

Default = /var/ldap/schema

schemaReplaceByValue {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Determines the behavior of modify operations with replace values of the schema entry. When schemaReplaceByValue off is specified, a modify operation with replace values for an attribute in the schema entry behaves like a typical modify operation: all the values currently in the attribute are replaced by the values that are specified in the modify operation. When schemaReplaceByValue on is specified, individual values in an attribute in the schema entry can be replaced without removing all the other values currently in the attribute. Except in several specific cases, the values of the attribute that are in the initial LDAP server schema cannot be changed or removed. See Updating the schema for more information about modifying the schema.

The schemaReplaceByValue configuration option can be overridden on a specific modify operation by including the schemaReplaceByValueControl control in the modify request.

Default = on

secretEncryption {none | DES:keylabel | AES:keylabel}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Specifies the encryption method to use when storing the secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute values in this backend. Applications might use the secretKey attribute type to store sensitive data that must be encrypted in the directory and to retrieve the data in clear text format. This encryption method is used to protect the replicaCredentials attribute values in this backend when basic replication is enabled. This encryption method also protects the ibm-replicaKeyPwd and ibm-slapdMasterPw attribute values in this backend when advanced replication is enabled.

none
Specifies no encryption. The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute values are stored in clear text format. The stored value is prefixed with the tag {none}. This is the default if the secretEncryption option is not specified. The attribute value without the tag is returned for a search request.
DES:keylabel
The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute values are encrypted by the DES algorithm before they are stored in the directory. The stored value is prefixed with the tag {DES:keylabel}. The original value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key that is generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set that is referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
AES:keylabel
The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute values are encrypted by the AES algorithm before they are stored in the directory. The stored value is prefixed with the tag {AES:keylabel}. The original value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key that is generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.

Default = none

securePort num-port
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Note: The securePort option has been deprecated by the listen option. See listen ldap_URL for information about the listen option.

Specifies the TCP/IP port that is used by the LDAP server for SSL communications. The value must be in the range of 1 to 65535.

Default = 636

If the serverSysplexGroup option is present in the configuration file, the secure port number that is specified for this server instance must be the same as the secure port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

The secure port number might be established in the configuration file, or it might be established using the -s command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

It is advisable to reserve the port number that is chosen here in your TCP/IP profile data set. Also, be aware that port numbers less than 1024 might require additional specifications. For more information, see z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference.

security {ssl | sslonly | none | nossl}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Note: The security option has been deprecated by the listen option. See listen ldap_URL for information about the listen option.

Specifies what type of communications is accepted by the LDAP server. The ssl setting indicates that the server listens on the secure port and the non-secure port. The sslonly setting means that the server listens only on the secure port. The none or nossl settings indicate that the server listens only on the non-secure port. The sslKeyRingFile option must also be specified when the ssl or sslonly settings are used.

Default = none

securityLabel {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Determines if the security label processing is activated with bound LDAP clients. When on, the security labels that are associated with the LDAP client and LDAP server are verified during the authentication process. Security labels are recorded in all LDAP audit records. When off, no security label processing is done.

Default = off

Use this option when configuring the LDAP server in a multilevel security environment. For more information about configuring a z/OS system for multilevel security and how to configure an LDAP server in that environment, see z/OS Planning for Multilevel Security and the Common Criteria.

sendV3stringsoverV2as {UTF-8 | ISO8859-1}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the output data format to use when sending UTF-8 information over the LDAP Version 2 protocol.

Default = UTF-8

See UTF-8 data over the LDAP Version 2 protocol for more detailed information about the use of this setting.

serverCompatLevel {3 | 4 | 5 | 6 | 7 | 8}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the server compatibility level. This value can be used to limit the functions that are supported by the server so that the server can be compatible with older versions of LDAP servers when they are sharing directory data in a sysplex group. To produce consistent results, all the LDAP servers in the same sysplex group name must support the same functions. If fallback is required to a lower server compatibility level than is being used, it is necessary to remove all exploitation of function that is available at the current compatibility level but not at the lower level. The server might not start at the lower level until this is complete. If fallback is necessary with a server that is using the TDBM or Db2-based GDBM backend, see Fallback from a TDBM or Db2-based GDBM backend in z/OS IBM Tivoli Directory Server to an earlier z/OS IBM Tivoli Directory Server version for fallback procedures.

Notes:
  1. If there are Db2-based backends that are configured in the LDAP server, the serverCompatLevel value also sets the DB_VERSION value in the Db2 DIR_MISC table for the backend. The DB_VERSION value is queried at LDAP server initialization to verify that the Db2-based backend is running on a supported level for the z/OS release. Therefore, it is especially important to set this value appropriately when running in multi-server mode and sharing Db2-based backends to the earliest z/OS LDAP server release that is to be shared.
  2. Updating the serverCompatLevel configuration option without a server outage is supported for z/OS Version 2 Release 2 and later. For more information about the transition server, see Updating LDAP configurations settings in a sysplex without server outage.
  3. When the server is started as a transition server (started in transition mode), the serverCompatLevel of the sysplex group owner is used. Once transition completes, the setting in the configuration file takes effect.
Use these serverCompatLevel values.
  • 3 limits the sharing of data in a sysplex to TDBM backends, Db2-based GDBM backends, and schema. Basic replication is supported from (but not into) the sysplex. Dynamic and nested groups are supported, as is schema replace by value. Specify this value when a z/OS Integrated Security Services (ISS) LDAP server is running in the sysplex.

    Level 3 is deprecated from z/OS Version 2 Release 2.

  • 4 enables cross-system coupling facility (XCF) messaging support for TDBM and Db2-based GDBM backends in the sysplex group and supports basic replication from and into the sysplex. When the schema, LDBM, and file-based GDBM backends are shared in a sysplex, XCF messaging is used to communicate between the LDAP servers in the same sysplex group no matter the serverCompatLevel setting.

    Specify this value when the sysplex group contains a z/OS IBM Tivoli® Directory Server server running on z/OS V1R10 or earlier and there are no ISS LDAP servers in the sysplex.

  • 5 enables advanced replication and allows the CDBM backend to be configured. Schema and all backends can be shared in the sysplex. Specify this value when the sysplex group only contains z/OS IBM Tivoli Directory Server servers running on z/OS V1R11 or later.
  • 6 enables ACL filters, password policy, Salted SHA (SSHA) password hashing, and usage of additional schema syntaxes and matching rules. Specify this value when the sysplex group only contains z/OS IBM Tivoli Directory Server servers running on z/OS V1R12 or later.
  • 7 enables usage of group search limits, administrative roles, and hashing userpassword attribute values using the SHA-2 and Salted SHA-2 algorithms. It also supports hashing and encrypting ibm-slapdAdminPw attribute values using the same algorithms as for userpassword attribute values. Specify this value when the sysplex group only contains z/OS IBM Tivoli Directory Server servers running on z/OS V1R13 or later.
  • 8 enables usage of the read-only replica password policy replication support. Specify this value when the sysplex group only contains z/OS IBM Tivoli Directory Server servers running on z/OS Version 2 Release 2 or later. See Replicating password policy operational attributes for more information.

Default = 8 if not running in a sysplex (the serverSysplexGroup configuration option is not specified).

Default = 4 if running in a sysplex (the serverSysplexGroup configuration option is specified)

serverEtherAddr mac_address
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the Media Access Control (MAC) address that is used for entry UUID generation. This value must be unique for all LDAP servers in your enterprise. You must specify the MAC address if multiple LDAP servers run on a (hardware) system. This applies if your LDAP servers are on different LPARs and also if two LDAP servers are on the same LPAR. You do not need to specify this field if this is the only LDAP server that runs on this (hardware) system.

The MAC address consists of 12 hexadecimal digits. The suggested form of the mac_address is:

4xmmmmssssss

Where:

x
Is a one-character LDAP directory number. If more than one LDAP server is operating on a processor, specify a different x value for each server. If more than 16 LDAP servers are wanted, then use a serial number and model number from a processor that is not running an LDAP server. If another processor is not available, then set the x, mmmm, and ssssss values from the MAC address on an old Ethernet card that is no longer being used or not used to run an LDAP server.
mmmm
Is the four-digit model number of the processor.
ssssss
Is the six-digit serial number of the processor.

It is not necessary to follow this convention if you specify the serverEtherAddr option for all LDAP servers in your enterprise. In this case, you can specify any combination of 12 hexadecimal digits if each LDAP server has a unique value.

Following is an example:

serverEtherAddr 4A123401234D

Default = The LDAP server uses the hardware model and serial numbers to generate a MAC address.

serverKrbPrinc kerberosIdentity
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the Kerberos principal name that is assigned to the LDAP server, as created in Defining the Kerberos identity. This value becomes the server name in Kerberos service tickets. The principal name must consist of characters that can be represented in the ISO8859-1 code page. The format for kerberosIdentity is:

ldap_prefix/primary-dns-name@krbRealmName

Where:

ldap_prefix
Is ldap or LDAP. Use ldap to ensure interoperability with all LDAP clients. LDAP is accepted, but this value is not usable with many non-z/OS LDAP clients.
primary-dns-name
Is the canonical host name returned by the DNS name service.
krbRealmName
Is the Kerberos-defined realm in which the LDAP server operates. For more information about setting up a Kerberos realm on z/OS, see z/OS Integrated Security Services Network Authentication Service Administration.

Following are examples:

serverKrbPrinc LDAP/myhost.realm.com@MYREALM.COM
serverKrbPrinc ldap/myhost.myrealm.com@MYREALM.COM

Default = ldap/primary-dns-hostname@default-krbRealmName

serverName string
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     X    

Specifies the name of the Db2 server location that manages the tables for the LDAP server. This value must match the name of one of the DATA SOURCE stanzas in the ODBC initialization data set that is identified by the dsnaoini option in the configuration file. For a description of the contents of the DSNAOINI ODBC initialization data set, see Db2 for z/OS in IBM Documentation. Using the example DSNAOINI file in Figure 1, the value of string for serverName is LOC1.

If the serverName configuration option is specified for a backend, the option must also be specified, with the same value, for all the TDBM and Db2-based GDBM backends in the configuration file.

Default = The default data source is used. This is the Db2 subsystem that is specified by the MVSDEFAULTSSID record in the DSNAOINI file.

serverSysplexGroup name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies that this LDAP server is participating in data sharing in a sysplex and indicates the name of the cross-system coupling facility (XCF) group. All LDAP servers in the sysplex that specify the same group name share the LDAP server schema and the directories of backends that specify the multiserver on option. The group name is 1-8 characters and consists of letters (A-Z), numbers (0-9), and special characters (@, #, and $). The special characters must be in the IBM-1047 code page.

sizeLimit num-limit
Global TDBM LDBM SDBM GDBM CDBM EXOP
X X X X X X  

Specifies the maximum number of entries to return from a search operation. The maximum number can be modified on a specific search request.

Range = 0 - 2147483647

0 = no limit

Default = 500

This option applies to all backends, except EXOP, unless specifically overridden in a backend definition or in group search limits. Specifying this before a database line in the configuration file sets the option for all backends, except EXOP. Specifying it after a database line sets the option just for the backend that is defined by the database line. Specifying a size limit using group search limits sets the limit only for the members of that group. See Managing group search limits for more information about group search limits.

A limit on the number of entries returned can also be specified by the client on a search request. Note that the following behavior is used when determining the size limit for a search request.
  • If the client has not bound as an administrator:
    • If a group search size limit exists for the requester, then the size that is used to limit the search is the smaller of the size limit that is passed by the client and the group search size limit. If the client does not specify a size limit on the search, then the group search size limit is used.
    • If a group search size limit does not exist for the requester, then the size that is used to limit the search is the smaller of the size limit that is passed by the client and the size limit that is determined by the server from the sizeLimit configuration options in the configuration file. If the client does not specify a size limit, then the server size limit is used.
  • If the client has bound as an administrator, the size limit is the value that is passed by the client. If the client does not specify a limit, then the number of entries that are returned is unlimited. The size limits from the configuration file and from group search limits are ignored when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend):
  • The limit is the smaller of the limit that is passed by the client and the limit that is read by the server from the sizeLimit option in the configuration file (which defaults to 500). If the client does not specify a limit, then the server limit is used. It does not matter how the client has bound.
  • The number of entries that are returned might be further restricted by limits that are imposed by RACF. See Accessing RACF information for more information.

There are additional considerations for size limit when performing a subtree search from the root DSE (a NULL-based search). See Root DSE search with subtree scope (Null-based subtree search) for more information.

srvStartUpError {terminate | ignore}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server stops if a backend or plug-in fails to initialize after the configuration file is read. If terminate, the server ends when any backend or plug-in fails to initialize. If ignore, the LDAP server continues processing as long as the schema initializes successfully. The option also applies to failures when initializing the LDAP PC callable support interface, if that has been configured, and when initializing WLM support. Note that a configuration error that occurs before backend or plug-in initialization begins always causes the server to end.

Note: When the server is started as a transition server (started in transition mode), this configuration option is ignored and the server behaves as if srvStartUpError is set to terminate.

Default = terminate

sslAuth {serverAuth | serverClientAuth}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the SSL/TLS authentication method. The serverAuth method allows the LDAP client to validate the LDAP server on the initial contact between the client and the server.

The serverClientAuth method allows the LDAP client to validate the LDAP server. In addition, the LDAP server validates the LDAP client if the client sends its digital certificate on the initial contact between the client and the server.

Note: In order for clients to perform SASL EXTERNAL binds to the LDAP server, it is necessary to configure the server with sslAuth serverClientAuth.

See Setting up for SSL/TLS for more SSL/TLS information.

Default = serverAuth

sslCertificate {certificateLabel | none}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the label of the certificate that is used for LDAP server authentication. If a key database file is used, the certificate is created and managed using the gskkyman utility. If using a RACF key ring, the certificate is created and managed using the RACDCERT command. If using a PKCS #11 token, the certificate can be created and managed by using either the gskkyman utility or the RACDCERT command.

Default = none

If the value is none (by default or by specification), the default certificate, marked in the key database file, the RACF key ring, or the PKCS #11 token, is used for server authentication.

sslCipherSpecs {string | GSK_V3_CIPHER_SPECS_EXPANDED | ANY}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the SSL Version 3.0 and TLS Version 1.0 cipher specifications that the LDAP server accepts from clients. Use of this option to specify the specific cipher suites is limited, and provided only for compatibility with earlier versions. It supports only a portion of the cipher suites available in z/OS System SSL, contains no 4-character cipher suites, and provides no order of preference. The preferred approach is to set the option to GSK_V3_CIPHER_SPECS_EXPANDED and then set the environment variable GSK_V3_CIPHER_SPECS_EXPANDED to the list of 4-character cipher specifications you want, in order of preference.

If the cipher specifications you want are included in Table 1 and if the order of preference matches the default order that is provided by z/OS System SSL, then the sslCipherSpecs option may be used with any of the values that are described.
In this case, the cipher specification is a blank delimited string that represents an ORed bit-mask indicating the SSL/TLS cipher specifications that are accepted from clients. Clients that support any of the specified cipher specifications are able to establish an SSL/TLS connection with the server. Table 1 lists the CipherSpec mask values and the related decimal, hexadecimal, and keyword values. See z/OS Cryptographic Services System SSL Programming for a description of supported cipher specifications.
The cipher specification might be specified as follows:
  • A decimal value (for example, 256)
  • A hexadecimal value (for example, x100)
  • A keyword (for example, TRIPLE_DES_SHA_US)
  • A construct of those values using plus and minus signs to indicate inclusion or exclusion of a value. For example,
    • 256+512 is the same as specifying 768, or x100+x200, or TRIPLE_DES_SHA_US+DES_SHA_EXPORT
    • 52992 is the same as specifying ALL-RC2_MD5_EXPORT-RC4_MD5_EXPORT

Depending upon the level of System SSL support installed, some ciphers might not be supported. System SSL ignores the unsupported ciphers. See the System SSL documentation to determine the specific ciphers that your installation supports.

See Setting up for SSL/TLS for more SSL/TLS information.

Default = GSK_V3_CIPHER_SPECS_EXPANDED

sslFipsState {Off | Level1 | Level2 | Level3}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

The sslFipsState option specifies the FIPS mode that is enabled on the LDAP server. When FIPS mode is turned on, the system is more restrictive regarding cryptographic algorithms, protocols, and key sizes that are supported. The mode options are OFF, LEVEL1, LEVEL2, and LEVEL3 as defined by z/OS System SSL.

When executing in FIPS mode, only the TLS V1.0, TLS V1.1, and TLS V1.2 protocols are allowed. The SSL V2 and SSL V3 protocols are not supported and are ignored if specified.

For more information about using FIPS mode in System SSL, see z/OS Cryptographic Services System SSL Programming.

sslKeyRingFile name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the path and file name of the SSL/TLS key database file, the name of the RACF key ring, or the name of the PKCS #11 token to be used by the LDAP server. SSL/TLS connections are not available if this option is not specified.

When a key database file is used, the file path and name that is specified here must match the path and name of the key database file that was created using the gskkyman utility. For more information about the gskkyman utility, see gskkyman overview in z/OS Cryptographic Services System SSL Programming. Also, see Setting up for SSL/TLS for more SSL/TLS information.

The LDAP server supports the use of a RACF key ring. Specify the RACF key ring name for the sslKeyRingFile and comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options to use this support.

The LDAP server also supports the use of a PKCS #11 token. Specify the PKCS #11 token on the sslKeyRingFile configuration option in the following format (where name is the name of the PKCS #11 token): *TOKEN*/name. Ensure that the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options are commented out to use this support.

See Creating and using key databases, key rings, or PKCS #11 tokens for more information.

sslKeyRingFilePW string
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the password protecting access to the SSL/TLS key database file. The password string must match the password to the key database file that was created with the gskkyman utility. For more information about the gskkyman utility, see gskkyman overview in z/OS Cryptographic Services System SSL Programming. Also, see Setting up for SSL/TLS for more SSL/TLS information.

Note: Use of the sslKeyRingFilePW configuration option is discouraged. As an alternative, use a RACF key ring or a PKCS #11 token, or specify the sslKeyRingPWStashFile configuration option.

Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options if you are using a RACF key ring or PKCS #11 token.

sslKeyRingPWStashFile name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies a file system file name where the password for the server's key database file is stashed. Use the full path name of the stash file in the file system for name.

If this option is present, then the password from this stash file overrides the sslKeyRingFilePW configuration option, if present. Use the gskkyman utility with the -s option to create a key database password stash file. See Setting up for SSL/TLS for more SSL/TLS information.

Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options if you are using a RACF key ring or PKCS #11 token.

sslMapCertificate {off | check | add | replace} {fail | ignore}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the server maps a certificate used in a SASL EXTERNAL bind to the RACF user that is associated with the certificate.

When check, add, or replace is specified for the first value, RACF is searched for the user ID associated with the certificate used during a SASL certificate bind. The sslKeyRingFile configuration option must be specified to indicate which key database, RACF key ring, or PKCS #11 token to use to do this. If there is no RACF user ID associated with the certificate and fail is specified for the second value, then the SASL EXTERNAL bind fails. If there is no associated RACF user ID and ignore is specified for the second value, the bind continues without mapping the certificate to a RACF user.

If an associated RACF user ID is found and add or replace is specified for the first value, a distinguished name (DN) is created based on the user ID and the SDBM suffix. For add, this mapped DN is added to the list of DNs associated with the bind DN that was created from the subject's name in the certificate. For replace, this mapped DN replaces the bind DN that was created from the subject's name in the certificate. The mapped DN is used when gathering the groups in which the bound user exists and when checking authorization for LDAP operations, including SDBM operations. SDBM must be configured when add or replace is specified.

When off is specified for the first value, RACF is not searched for the user ID associated with the certificate and no certificate mapping is performed. In this case, it does not matter what the second value is (fail or ignore).

Default = off fail

suffix dn_suffix
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X X      

Denotes the distinguished name of the root of a subtree in the namespace that is managed by this backend within the LDAP server. This option might be specified more than once to indicate all the roots of the subtrees within this backend, except for the SDBM backend. The SDBM backend must have only one suffix. Note that a suffix cannot be specified for the GDBM, CDBM, and EXOP backends. When the GDBM backend is configured, the cn=changelog suffix is reserved. When the CDBM backend is configured, the cn=configuration and cn=ibmpolicies suffixes are reserved. The special suffix, cn=localhost, can be placed in any TDBM or LDBM backend and is exempt from replication when advanced replication is used.

Identical and overlapping suffixes cannot be specified in the LDAP server configuration file, even if the suffixes are within different backends. These suffixes create confusion and can result in unexpected results. An example of overlapping suffixes is:
suffix ou=Server Group, o=IBM
suffix o=IBM

See Specifying a value for a distinguished name for information about specifying special characters and restrictions on attributes in the suffix.

Domain Component naming as specified in RFC 2247 is also supported in the LDAP server. For example, the domain name ibm.com could be specified as the following suffix in the configuration file:
suffix "dc=ibm,dc=com"

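
As an added example (not IBM's code and not part of this documentation), the following Python script checks a configuration file for the conflicts described above for sslKeyRingFile, sslKeyRingFilePW, sslKeyRingPWStashFile, sslMapCertificate and suffix. The sample configuration, the database library names and the case-insensitive matching of option names are assumptions of the example.

```python
"""Sanity checks for a z/OS LDAP server configuration file (added example, not
IBM's code). It reads option lines in the form this page shows and reports the
conflicts the page states for sslKeyRingFile, sslKeyRingFilePW,
sslKeyRingPWStashFile, sslMapCertificate and suffix.
Assumption: option names are matched case-insensitively."""

# Constructed sample: a PKCS #11 token plus a stash file, certificate mapping
# without SDBM or serverClientAuth, overlapping suffixes; library names are placeholders.
SAMPLE_CONFIG = """\
sslKeyRingFile *TOKEN*/LDAPTOKEN
sslKeyRingPWStashFile /etc/ldap/ldap.sth
sslAuth serverAuth
sslMapCertificate add fail
database ldbm GLDBLD31
suffix ou=Server Group, o=IBM
suffix o=IBM
database tdbm GLDBTD31
suffix "dc=ibm,dc=com"
"""


def parse_dn(dn):
    """Split a DN into lower-cased (type, value) RDN pairs; escapes and quotes kept."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep the pair
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:        # unquoted comma ends an RDN
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def parse_config(text):
    """Return (options dict keyed by lower-cased name, list of backend dicts)."""
    options, databases, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]               # strip the quoting the page shows
        if name == "database":                # a database line opens a backend
            current = {"type": value.split()[0].lower(), "suffixes": []}
            databases.append(current)
        elif name == "suffix" and current is not None:
            current["suffixes"].append(value)
        else:
            options[name] = value
    return options, databases


def check_config(text):
    """Return (severity, message) findings for the constraints this page states."""
    opts, dbs = parse_config(text)
    findings = []
    keyring = opts.get("sslkeyringfile")
    has_pw, has_stash = "sslkeyringfilepw" in opts, "sslkeyringpwstashfile" in opts
    if keyring is None:
        findings.append(("warn", "sslKeyRingFile not set: SSL/TLS is unavailable"))
    elif keyring.startswith("*TOKEN*/") and (has_pw or has_stash):
        findings.append(("error", "PKCS #11 token: comment out sslKeyRingFilePW/PWStashFile"))
    if has_pw:
        findings.append(("warn", "sslKeyRingFilePW is discouraged; use a stash file instead"))
    mapping = opts.get("sslmapcertificate", "off fail").split()[0].lower()
    if mapping != "off":
        if keyring is None:
            findings.append(("error", "sslMapCertificate requires sslKeyRingFile"))
        if opts.get("sslauth", "serverauth").lower() != "serverclientauth":
            findings.append(("warn", "mapping needs SASL EXTERNAL, so sslAuth serverClientAuth"))
        if mapping in ("add", "replace") and all(d["type"] != "sdbm" for d in dbs):
            findings.append(("error", f"sslMapCertificate {mapping} requires SDBM"))
    # identical or overlapping suffixes are rejected even across backends
    seen = [(parse_dn(s), s, d["type"]) for d in dbs for s in d["suffixes"]]
    for i, (a, a_raw, a_db) in enumerate(seen):
        for b, b_raw, b_db in seen[i + 1:]:
            kind = "identical" if a == b else "overlapping" if (
                a[-len(b):] == b or b[-len(a):] == a) else None
            if kind:
                findings.append(("error", f"{kind} suffixes {a_raw!r} ({a_db}) and {b_raw!r} ({b_db})"))
    return findings
```

Running check_config(SAMPLE_CONFIG) reports three errors (token with stash file, add without SDBM, overlapping suffixes) and one warning (serverAuth with certificate mapping).
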
supportKrb5 {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server participates in Kerberos GSS API authentication. If it participates, Kerberos GSS API binds are accepted and information is stored in the server's root DSE.

Default = off

tcpTerminate {terminate | recover}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server ends when network interfaces are not active. The LDAP server periodically polls the network interfaces it is using to determine when they go down and come back up. If an interface fails but the LDAP server still has at least one active interface, the server continues processing and reestablishes a failed interface when it detects that it has become active. If all interfaces fail and tcpTerminate terminate is specified, the LDAP server ends. If tcpTerminate recover is specified, then the LDAP server remains active and attempts to reestablish network interfaces when it detects they have become active. All client operations targeted to the LDAP server fail until a network interface can be reconnected. The frequency of polling can be set using the LDAP_NETWORK_POLL environment variable. See Environment variables used by the LDAP server for more information.

The tcpTerminate option is also used to determine whether the LDAP server ends if SSL or Kerberos initialization fails during server initialization. If terminate is specified, the LDAP server ends. If recover is specified, the LDAP server continues initialization, but the failed interface (SSL or Kerberos) cannot be used until the error is fixed and the LDAP server is restarted.

Default = recover

Note:
When the server is started as a transition server (started in transition mode), this configuration option is ignored and the server ends if an inactive network interface is detected before transition completes. Once transition completes, the setting in the configuration file takes effect. See Updating LDAP configuration settings in a sysplex without server outage.

timeLimit num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
X X X X X X  

Specifies the maximum number of seconds (in real time) the LDAP server spends answering a search request. This maximum number can be modified on a specific search request. If a request cannot be processed within this time, a result indicating an exceeded time limit is returned to the client. It can also be found in the activity log and any active debug trace.

Range = 0 - 2147483647

0 = no limit

Default = 3600

This option applies to all backends, except EXOP, unless specifically overridden in a backend definition or in group search limits. Specifying this before a database line in the configuration file sets the option for all backends, except EXOP. Specifying it after a database line sets the option just for the backend defined by the database line. Specifying a time limit using group search limits sets the limit only for the members of that group. See Managing group search limits for more information about group search limits.

A limit on the amount of time can also be specified by the client on a search request. The following behavior is used when determining the time limit for a search request.
  • If the client has not bound as an administrator:
    • If a group search time limit exists for the requester, then the time used to limit the search is the smaller of the time limit passed by the client and the group search time limit. If the client does not specify a time limit on the search, then the group search time limit is used.
    • If a group search time limit does not exist for the requester, then the time that is used to limit the search is the smaller of the time limit that is passed by the client and the time limit that is determined by the server from the timeLimit configuration options in the configuration file. If the client does not specify a time limit, then the server time limit is used.
  • If the client has bound as an administrator, the time limit is the value passed by the client. If the client does not specify a limit, then the amount of time is unlimited. The time limits from the configuration file and from group search limits are ignored when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend):
  • The limit is the smaller of the limit passed by the client and the limit read by the server from the timeLimit option in the configuration file (which defaults to 3600). If the client does not specify a limit, then the server limit is used. It does not matter how the client has bound.
When the z/OS LDAP server with a DB2 backend is used:
  • DB2 has a global parameter IRLMRWT, which is specified in ZPARM, that is the DB2 equivalent to the timeLimit option. If the time that is specified in IRLMRWT is met, DB2 stops the search. The following message is written to the job log (REASON 00C9008E representing a timeout):
    
    DSNT408I SQLCODE = -911, ERROR:  THE CURRENT UNIT OF WORK HAS BEEN   
    ROLLED BACK DUE TO DEADLOCK OR TIMEOUT.  REASON 00C9008E ...
    The timeLimit option must be set to a lower value than IRLMRWT or it will be ignored by any backends that are using DB2.

There are additional considerations for time limit when performing a subtree search from the root DSE (a NULL-based search). See Root DSE search with subtree scope (Null-based subtree search) for more information.
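
As an added example that is not part of this documentation, the following Python code encodes the precedence rules given above for sizeLimit and for timeLimit (both sections state the same rules, differing only in the default value), together with the Db2 IRLMRWT caveat. Treating a client-supplied 0 as "no limit", not applying group search limits to SDBM, and the sample values are assumptions of the example.

```python
"""Resolve the size or time limit that governs one search request (added
example, not IBM's code). It encodes the precedence rules this page states for
sizeLimit and timeLimit: backend value over global value, client value versus
group search limit versus configured value, the administrator exception, and
the SDBM rule. Assumptions: a client-supplied 0 counts as "no limit" like the
configuration value, and group search limits are not applied to SDBM."""
from dataclasses import dataclass
from typing import Optional

UNLIMITED = 0        # 0 means no limit, in the configuration file and here
SIZE_DEFAULT = 500   # documented sizeLimit default (entries)
TIME_DEFAULT = 3600  # documented timeLimit default (seconds)


def configured_limit(global_value, backend_value, default):
    """Value in force for a backend: an option after its database line wins,
    then one before any database line (global), then the documented default."""
    if backend_value is not None:
        return backend_value
    return default if global_value is None else global_value


def lesser(a, b):
    """Smaller of two limits, where 0 (unlimited) never wins over a real bound."""
    if a == UNLIMITED or b == UNLIMITED:
        return max(a, b)
    return min(a, b)


@dataclass
class SearchContext:
    backend: str                        # "tdbm", "ldbm", "sdbm", "gdbm" or "cdbm"
    admin_bound: bool = False           # bound as an LDAP administrator
    client_limit: Optional[int] = None  # limit on the request, None if omitted
    group_limit: Optional[int] = None   # group search limit for the requester


def effective_limit(ctx, server_limit):
    """Limit applied to the search; the same rules serve size and time."""
    if ctx.backend == "sdbm":
        # SDBM: client value versus configured value, regardless of how the
        # client bound; RACF may restrict the result further (not modelled).
        return server_limit if ctx.client_limit is None else lesser(ctx.client_limit, server_limit)
    if ctx.admin_bound:
        # Administrators get exactly what they asked for, unlimited if nothing.
        return UNLIMITED if ctx.client_limit is None else ctx.client_limit
    # A group search limit, when present, replaces the configured value.
    bound = server_limit if ctx.group_limit is None else ctx.group_limit
    return bound if ctx.client_limit is None else lesser(ctx.client_limit, bound)


def db2_honours_time_limit(time_limit, irlmrwt):
    """Db2-based backends ignore timeLimit unless it is lower than IRLMRWT;
    with timeLimit 0 only the Db2 IRLMRWT timeout bounds the search."""
    return time_limit != UNLIMITED and time_limit < irlmrwt


if __name__ == "__main__":
    size = configured_limit(None, None, SIZE_DEFAULT)   # nothing configured: 500
    cases = [
        ("anonymous, no client limit", SearchContext("ldbm")),
        ("client asks 5000, group limit 2000",
         SearchContext("ldbm", client_limit=5000, group_limit=2000)),
        ("administrator, no client limit", SearchContext("ldbm", admin_bound=True)),
        ("administrator on SDBM asks 5000",
         SearchContext("sdbm", admin_bound=True, client_limit=5000)),
    ]
    for label, ctx in cases:
        limit = effective_limit(ctx, size)
        print(f"{label:36s} -> {'unlimited' if limit == UNLIMITED else limit}")
    print("timeLimit 1800 honoured with IRLMRWT 3600:", db2_honours_time_limit(1800, 3600))
```
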

unbufferedEntryLimit num-entries
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the maximum number of returned search entries that are sent immediately over the network before the LDAP server begins buffering results for an individual request. By default, returned search entries are sent immediately over the network as they are found during backend processing.

When a search request returns a large result set containing many entries, server processing can be delayed. Network buffers can also be filled if the requesting client does not process the returned data fast enough. This can cause the LDAP server communication thread to wait while locks are held in the backend, especially for LDBM, CDBM, and file-based GDBM backends. Setting this option to a small number can help avoid lock contention, but may increase server storage and processing time.

The value must be between 0 and 2147483647. A value of 2147483647 indicates that no search results are buffered. A value of 0 indicates that all search results are buffered.

Default = 2147483647

useAdvancedReplication {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
          X  

Specifies whether the LDAP server supports advanced replication. If advanced replication is active, the masterServer, masterServerDN, masterServerPW, peerServer, peerServerDN, and peerServerPW configuration options cannot be specified in any LDBM, TDBM, or CDBM backend.
Note:
  • The LDAP server does not start when useAdvancedReplication on is specified and entries with an objectclass of replicaObject are present in a TDBM, LDBM, or CDBM backend. In this configuration, an attempt to add or modify an entry with an objectclass of replicaObject is rejected.
  • The LDAP server does not start when useAdvancedReplication off is specified and entries with an objectclass of ibm-replicationAgreement, ibm-replicationContext, ibm-replicationGroup, or ibm-replicationSubEntry are present in a TDBM, LDBM, or CDBM backend. In this configuration, an attempt to add or modify an entry with one of these objectclass values is rejected.

See Advanced replication for additional information about advanced replication.

The server compatibility level must be at least 5 when useAdvancedReplication on is specified. See the serverCompatLevel configuration option at serverCompatLevel {3 | 4 | 5 | 6 | 7 | 8} for more information about the server compatibility level.

Default = off

useNativeAuth {selected | all | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Enables native authentication in the backend. If the value is:
  • selected, only entries with the ibm-nativeId attribute that are within the native subtrees (see nativeAuthSubtree option at nativeAuthSubtree {all | dn}) use native authentication.
  • all, all entries within native subtrees use native authentication. These entries can contain the ibm-nativeId or uid attribute to specify the RACF ID.
  • off, no entries participate in native authentication.
Note: z/OS LDAP password policy does not apply to entries participating in native authentication.

Default = off

validateincomingV2strings {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the incoming strings are validated. If set to on, this setting limits the format of incoming string data that is sent over the LDAP Version 2 protocol to the IA5 character set (X'00'-X'7F' or "7-bit ASCII"). With this setting, textual data that is received on operations outside of the IA5 character set causes the operations to fail with LDAP_PROTOCOL_ERROR.

Default = on

Note: Although running with this validation disabled is supported, it is not recommended.

wlmExcept name [IP_address] [dn]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the Workload Manager (WLM) transaction name that is used for client requests originating from an IP address or a bound user's distinguished name (DN). The wlmExcept configuration option can be specified multiple times to allow the routing of different LDAP client requests to the same or different WLM transaction names. The order of the wlmExcept configuration options in the LDAP server configuration file determines the order the LDAP server uses to match incoming client requests and route them to the WLM transaction name. During LDAP server initialization, a WLM enclave is created for each unique name. See Workload Manager (WLM) for more information about configuring the LDAP server to use WLM.
name
Specifies the WLM transaction name that is used for this enclave. The name must be 1-8 characters long and can consist of letters, numbers, and the special characters $, #, or @. The WLM transaction name must be configured in WLM. Multiple wlmExcept configuration options with the same name use the same enclave.
IP_address
Specifies the client's IPv4 or IPv6 address to be associated with this WLM enclave.
dn
Specifies the bind user's distinguished name to be associated with this WLM enclave. For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.
Note:
  1. If neither IP_address nor dn is specified with the wlmExcept configuration option, a WLM enclave is created with the transaction name given by name. However, the enclave is not associated with any client requests until a WLMEXCEPT modify command is issued.
  2. If both IP_address and dn are specified, only incoming client requests originating from that IP_address and bound as the dn are routed to the WLM transaction name specified.

Default = GENERAL

By default, the WLM transaction name, GENERAL, is used by the LDAP server for client requests originating from IP addresses or bind distinguished names that are not specified on wlmExcept configuration options. The WLM transaction name GENERAL must be configured in WLM.

For more information about configuring WLM, see z/OS MVS Planning: Workload Management.

Deprecated options

The database option deprecates the use of the database type exop.

The listen option deprecates the security, port, and securePort options in the configuration file. If a listen option is specified in the configuration file with either security, port, or securePort, the listen option takes precedence over what was specified for the deprecated security, port, and securePort options. If using an earlier version of the configuration file that contains the security, port, or securePort options, the LDAP server is configured to listen on the port numbers that are specified for securePort, port, or both, depending upon the security setting. However, you might want the LDAP server to be configured using the listen option. See the description of the listen option at listen ldap_URL for more information.

Ignored options

The replKeyRingFile and replKeyRingPW options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file. Use the sslKeyRingFile configuration option to specify the key database file, RACF key ring, or PKCS #11 token. The sslKeyRingPWStashFile configuration option is used to specify the password stash file for the key database file while the sslKeyRingFilePW configuration option is used to specify the password of the key database file.

The maxThreads and waitingThreads options are no longer necessary or evaluated by the LDAP server. These options are also removed from the configuration file. Use the commThreads option to set the number of threads initialized at server start-up for communicating with the clients. See the description of the commThreads option at commThreads num-threads for more information.

The databasename and verifySchema options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file.

The sysplexGroupName and sysplexServerName options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file. Use the serverSysplexGroup option to identify the cross-system coupling facility (XCF) group.