z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

LDAP event notification

LDAP event notification is used by IBM® Tivoli® Directory Integrator, in conjunction with password and password phrase envelopes (see Password and password phrase enveloping), to enable a heterogeneous password synchronization solution.

You can customize RACF® to create LDAP change log entries in response to changes in user, group, and general resource profiles. This provides an open, remote method of change notification. An LDAP client can read the LDAP change log, detect updates to RACF users, groups, group membership, and general resources, and then retrieve RACF entries using only LDAP interfaces. To use this function, the LDAP server must be configured to support the SDBM backend. For details, see "Change logging" in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Event notifications, through the creation of LDAP change log entries, are controlled by RACF resources in the RACFEVNT class. If RACFEVNT is active, and the appropriate resource is protected by either a discrete or generic profile, LDAP change log entries are created for the corresponding event types on a system-wide basis.

Table 1 shows the name of the RACF resource in the RACFEVNT class used to control notifications for each type of supported change event.
Table 1. LDAP event notification of RACF profile changes

Each entry lists a resource in the RACFEVNT class followed by the change event types it controls.

NOTIFY.LDAP.USER
  • Password and password phrase changes, regardless of the command or method used
  • Updates to a user's revoke status (that is, changes to the FLAG4 field in the USER profile), regardless of the command or method used
  • Users added using the ADDUSER command
  • User modifications made using the ALTUSER or PASSWORD command
  • Users deleted using the DELUSER command

NOTIFY.LDAP.GROUP
  • Groups added using the ADDGROUP command
  • Group modifications made using the ALTGROUP command
  • Groups deleted using the DELGROUP command

NOTIFY.LDAP.CONNECT
  • Group membership changes made using any of the following commands:
      - ALTUSER command, only when issued with the GROUP, UACC, or AUTHORITY operand
      - CONNECT command
      - REMOVE command
  • Users established in their default groups using the ADDUSER command

NOTIFY.LDAP.class-name
  • General resources added using the RDEFINE command
  • General resource modifications made using the RALTER command
  • Changes made using the PERMIT command to the standard or conditional access list of a general resource
  • General resource deletions made using the RDELETE command
Notes:
  • The RACF panels and the R_admin callable service (IRRSEQ00) internally issue TSO commands, so these interfaces are supported.
  • The RACF panels can generate multiple commands while processing a user profile, and this might result in multiple change log entries.
  • An application that updates supported profiles, using methods other than TSO commands, can create its own change log entry using the R_proxyserv callable service (IRRSPY00), documented in z/OS Security Server RACF Callable Services.
Restrictions:
  • Other RACF commands that update user and general resource profiles, such as RACDCERT, RACLINK, and RACMAP, are not supported.
  • Commands issued from the RACF parameter library during RACF subsystem initialization are not logged because logging occurs only when the subsystem address space is fully functional. By contrast, parameter library commands issued as a result of a SET INCLUDE command are logged because the subsystem address space is initialized when it processes the SET command.
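The following sequence of RACF commands is an added example, not part of the IBM documentation, showing how an administrator would switch on change logging for the event types in Table 1. It assumes the TSO session has the SETROPTS and RDEFINE authority those commands require, and it uses FACILITY as a sample class-name for the general-resource profile; any other class can be substituted. The comments use CLIST comment syntax and would be removed if the commands were typed directly at the TSO prompt.

```tso
/* Activate the RACFEVNT class so that NOTIFY.LDAP.* profiles are honored */
SETROPTS CLASSACT(RACFEVNT)

/* One profile per event category; UACC(NONE) is sufficient because the */
/* profile only needs to exist, no access to it is ever checked          */
RDEFINE RACFEVNT NOTIFY.LDAP.USER     UACC(NONE)
RDEFINE RACFEVNT NOTIFY.LDAP.GROUP    UACC(NONE)
RDEFINE RACFEVNT NOTIFY.LDAP.CONNECT  UACC(NONE)

/* General-resource changes are logged per class; FACILITY is a sample  */
/* class-name chosen for this example                                    */
RDEFINE RACFEVNT NOTIFY.LDAP.FACILITY UACC(NONE)

/* Verify the class is active and the profiles exist */
SETROPTS LIST
RLIST RACFEVNT NOTIFY.LDAP.USER
RLIST RACFEVNT NOTIFY.LDAP.GROUP
RLIST RACFEVNT NOTIFY.LDAP.CONNECT
RLIST RACFEVNT NOTIFY.LDAP.FACILITY
```

Two operational points follow from the page. First, logging is system-wide once a profile exists, so an installation that wants only password synchronization should define NOTIFY.LDAP.USER alone rather than all four, to keep the change log from filling with group and resource events the LDAP client will never consume. Second, if the installation keeps RACFEVNT RACLISTed in storage, newly defined profiles take effect only after a SETROPTS RACLIST(RACFEVNT) REFRESH, which is the general rule for any RACLISTed class rather than something specific to this function.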

Copyright IBM Corporation 1990, 2014