Step 4. Set Up the User ID and Security for the LDAP Server
It is recommended that a separate user ID be established to run the LDAP server, although any user ID can be used. Using a dedicated user ID lets you restrict the server's directories and files to that user ID alone. The examples in this topic use a user ID of LDAPSRV in the commands provided.
The user ID that runs the LDAP server must have the following attributes:
- If you have an LDBM, GDBM, or CDBM backend and the databaseDirectory option is specified in the LDAP server configuration file, the user ID must be able to create the specified directory if it does not already exist. If the directory exists, then the user ID must have read/write access to it.
- If the schemaPath option is specified in the LDAP server configuration file, the user ID must be able to create the specified directory if it does not already exist. If the directory exists, then the user ID must have read/write access to it.
- If the schemaPath configuration option is not specified or you have an LDBM, GDBM, or CDBM backend and have not specified the databaseDirectory configuration option, then the user ID must be able to create directories under /var or the /var/ldap directory must already exist. If the /var/ldap directory exists, then the user ID must have read/write access to the directory.
- If the logfile configuration option is specified in the LDAP server configuration file and it specifies a file in the BFS, the directory must already exist and the user ID must have read and write access to the directory.
- If the logfileRolloverDirectory configuration option is specified in the LDAP server configuration file and it specifies a file in the BFS, the directory must already exist and the user ID must have read and write access to the directory.
- If you have configured an SDBM backend, want to use native authentication, or want to use LDAP server auditing, the user ID must have authority to issue RACROUTE requests. Note that the user ID must be given UPDATE access authority to the ICHCONN profile in the RACF FACILITY class for proper server operation. For information on authorizing virtual machines to issue RACROUTE requests, see z/VM: Security Server RACROUTE Macro Reference.
- If you have configured an SDBM backend and want to be able to log changes to a RACF® user, group, or connection, add the following statement to the CP directory entry for the user ID:
    IUCV *RPI PRIORITY MSGLIMIT 255
  Note: To perform the RACF configuration required to support creation of LDAP change log entries, see How to set up and use the LDAP Server for logging changes in the z/VM: TCP/IP LDAP Administration Guide and Activating LDAP Change Notification in the z/VM: RACF Security Server Security Administrator's Guide.
- The user ID requires assignment of a POSIX UID and GID. The IBM®-provided defaults assign UID 5 and GID 0 (system). It is recommended that UID 0 not be used because superuser privileges are not required.
- If you are going to set up more than one LDAP server on the same system, a separate user ID should be used for each one.