z/OS Security Server RACF Security Administrator's Guide


LDAP change log entries

SA23-2289-00

The LDAP change log entry contains information such as the change initiator, the affected user, group, or general resource, the type of update (add, modify, or delete), and the time and date of the change. It does not contain a list of the RACF® profile fields that were changed nor does it contain the new values for these fields.

In the case of a change to the standard or conditional access list of a general resource, the changes attribute of the change log entry indicates that a general resource profile was added, modified, or deleted. The changes attribute does not identify the user or group permission that was added, modified, or removed.

In the case of a password or password phrase change, the changes attribute of the change log entry identifies the password or password phrase field as the changed field. The changes attribute does not contain the actual password or password phrase value but contains one of the following values:
*ComeAndGetIt*
    This indicates there is an encrypted password envelope or password phrase envelope that can be subsequently retrieved. (See Password and password phrase enveloping for details about envelopes.)
*NoEnvelope*
    This indicates there is no password envelope or password phrase envelope.
When other fields in a user's profile are changed in the same request that updates the values of the password and password phrase, three LDAP change log entries are created: one entry to log the password update, one to log the password phrase update, and another entry to log the information about the other changed fields. Removal of a user's password phrase does not create a separate log entry. (See Example 2.)
Example 1: An administrator issues the following command for a revoked user who is eligible for both password and password phrase enveloping.

    ALTUSER userid PASSWORD(newpass) PHRASE(newphrase) RESUME OWNER(group-name)

If successful, this command causes three entries to be created to log the user profile changes.
  • One entry identifies the password field as changed and contains the *ComeAndGetIt* value.
  • A second entry identifies the password phrase field as changed and contains the *ComeAndGetIt* value.
  • A third entry identifies changes in the user's revoke status and owning group.

Example 2: An administrator issues the following command to update a user's password, remove the password phrase, and change the user's name.

    ALTUSER userid PASSWORD(newpass) NOPHRASE NAME(new-user-name)

If successful, this command causes two entries to be created to log the user profile changes.
  • One entry identifies the password field as changed and contains the *ComeAndGetIt* value.
  • A second entry contains information about the change in the user's name and removal of the password phrase.

Example 3: An administrator issues the following command to remove a user's password phrase and change the user's name.

    ALTUSER userid NOPHRASE NAME(new-user-name)

If successful, this command causes one entry to be created to log the user profile changes. This entry contains information about the change in the user's name and removal of the password phrase.
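The following Python program is an added example written for this page; it is not part of the RACF guide and not IBM code. It reads a few constructed change log entries in a simplified, one-line-per-attribute layout, picks out the password and password phrase changes by the *ComeAndGetIt* and *NoEnvelope* markers described above, labels each entry for a reviewer, and encodes the entry-count rule illustrated by Examples 1 to 3. The generic attributes changeNumber, targetDN, changeType, changeTime and changes follow the common LDAP changelog schema; the attribute names racfPassword, racfPassPhrase, racfAttributes, racfOwner and ibm-changeInitiatorsName, the DN layout, and the single-line form of the changes attribute are assumptions made for the sample and are labelled as such in the code.

```python
# Added example, not from the RACF guide or IBM code: parse constructed LDAP change
# log entries and apply this page's rules for password and password phrase changes.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Marker values the guide documents in the changes attribute.
COME_AND_GET_IT = "*ComeAndGetIt*"  # an envelope exists and can be retrieved
NO_ENVELOPE = "*NoEnvelope*"        # no envelope was created
PASSWORD_ATTRS = {"racfpassword", "racfpassphrase"}  # ASSUMED RACF attribute names

# Constructed sample data: the three entries Example 1 creates for USER01, plus a
# password change for a user not eligible for enveloping. The one-line "changes:"
# layout and the racf*/ibm-changeInitiatorsName attribute names are ASSUMED.
SAMPLE_LDIF = """
changeNumber: 101
targetDN: racfid=USER01,profiletype=user,cn=racf
changeType: modify
changeTime: 20140315120000Z
ibm-changeInitiatorsName: racfid=ADMIN1,profiletype=user,cn=racf
changes: racfPassword: *ComeAndGetIt*

changeNumber: 102
targetDN: racfid=USER01,profiletype=user,cn=racf
changeType: modify
changeTime: 20140315120000Z
ibm-changeInitiatorsName: racfid=ADMIN1,profiletype=user,cn=racf
changes: racfPassPhrase: *ComeAndGetIt*

changeNumber: 103
targetDN: racfid=USER01,profiletype=user,cn=racf
changeType: modify
changeTime: 20140315120000Z
ibm-changeInitiatorsName: racfid=ADMIN1,profiletype=user,cn=racf
changes: racfAttributes: RESUME
changes: racfOwner: racfid=SYSGRP,profiletype=group,cn=racf

changeNumber: 104
targetDN: racfid=USER02,profiletype=user,cn=racf
changeType: modify
changeTime: 20140315120500Z
ibm-changeInitiatorsName: racfid=ADMIN1,profiletype=user,cn=racf
changes: racfPassword: *NoEnvelope*
"""

@dataclass
class ChangeLogEntry:
    change_number: int
    target_dn: str
    change_type: str
    change_time: str
    initiator: str
    changes: List[str] = field(default_factory=list)

    def password_marker(self) -> Optional[str]:
        """Marker value if this entry logs a password or phrase change, else None."""
        for change in self.changes:
            name, _, value = change.partition(":")
            if name.strip().lower() in PASSWORD_ATTRS:
                return value.strip()
        return None

def parse_changelog(ldif: str) -> List[ChangeLogEntry]:
    """Split blank-line-separated records; attribute names are case-insensitive."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(ChangeLogEntry(
            change_number=int(attrs["changenumber"][0]),
            target_dn=attrs["targetdn"][0],
            change_type=attrs["changetype"][0],
            change_time=attrs["changetime"][0],
            initiator=attrs.get("ibm-changeinitiatorsname", ["unknown"])[0],
            changes=attrs.get("changes", []),  # may repeat, so keep every value
        ))
    return entries

def review_entries(entries: List[ChangeLogEntry]) -> List[Tuple[int, str, str, str]]:
    """Label entries for review: *ComeAndGetIt* means a retrievable envelope exists."""
    findings = []
    for e in entries:
        marker = e.password_marker()
        if marker == COME_AND_GET_IT:
            kind = "credential-change-envelope-retrievable"
        elif marker == NO_ENVELOPE:
            kind = "credential-change-no-envelope"
        else:
            kind = "profile-change" if marker is None else "credential-change-unexpected-marker"
        findings.append((e.change_number, e.target_dn, e.initiator, kind))
    return findings

def expected_entry_count(password=False, phrase=False, nophrase=False, other_fields=()):
    """Entries one ALTUSER creates per the guide: one per password update, one per
    phrase update, one for all other changed fields (NOPHRASE counts as 'other')."""
    count = int(password) + int(phrase)
    if nophrase or other_fields:
        count += 1
    return count
```

Running `review_entries(parse_changelog(SAMPLE_LDIF))` yields the four labelled tuples; the three USER01 entries share one initiator and one timestamp, which is how a reviewer recognises them as a single request. A real change log export would need full LDIF handling (line folding, base64 values, the multi-line modify syntax inside changes), which this sample deliberately omits; the marker test and the entry-count rule are the parts the page itself specifies.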

For more information about the LDAP change log, see "Change logging" in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.





Copyright IBM Corporation 1990, 2014