LDAP event notification is used by IBM® Tivoli® Directory Integrator, in conjunction with password and password phrase envelopes (see Password and password phrase enveloping), to enable a heterogeneous password synchronization solution.

You can customize RACF® to create LDAP change log entries in response to changes in user, group, and general resource profiles. This provides an open, remote method of change notification. An LDAP client can read the LDAP change log, detect updates to RACF users, groups, group membership, and general resources, and then retrieve the RACF entries using only LDAP interfaces. To use this function, the LDAP server must be configured to support the SDBM backend. For details, see "Change logging" in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Event notifications, through the creation of LDAP change log entries, are controlled by RACF resources in the RACFEVNT class. If RACFEVNT is active, and the appropriate resource is protected by either a discrete or generic profile, LDAP change log entries are created for the corresponding event types on a system-wide basis.

Table 1 shows the name of the RACF resource in the RACFEVNT class used to control notifications for each type of supported change event.
Table 1. LDAP event notification of RACF profile changes

| Resource in the RACFEVNT class | Change event type |
|---|---|
| NOTIFY.LDAP.USER | Password and password phrase changes, regardless of the command or method used |
| | Updates to a user's revoke status (that is, changes to the FLAG4 field in the USER profile), regardless of the command or method used |
| | Users added using the ADDUSER command |
| | User modifications made using the ALTUSER or PASSWORD command |
| | Users deleted using the DELUSER command |
| NOTIFY.LDAP.GROUP | Groups added using the ADDGROUP command |
| | Group modifications made using the ALTGROUP command |
| | Groups deleted using the DELGROUP command |
| NOTIFY.LDAP.CONNECT | Group membership changes made using the ALTUSER command (only when issued with the GROUP, UACC, or AUTHORITY operand), the CONNECT command, or the REMOVE command |
| | Users established in their default groups using the ADDUSER command |
| NOTIFY.LDAP.class-name | General resources added using the RDEFINE command |
| | General resource modifications made using the RALTER command |
| | Changes made using the PERMIT command to the standard or conditional access list of a general resource |
| | General resource deletions made using the RDELETE command |

Notes®:

- The RACF panels and the R_admin callable service (IRRSEQ00) internally issue TSO commands, so these interfaces are supported.
- The RACF panels can generate multiple commands while processing a user profile, and this might result in multiple change log entries.
- An application that updates supported profiles using methods other than TSO commands can create its own change log entry using the R_proxyserv callable service (IRRSPY00), documented in z/OS Security Server RACF Callable Services.

Restrictions:

- Other RACF commands that update user and general resource profiles, such as RACDCERT, RACLINK, and RACMAP, are not supported.
- Commands issued from the RACF parameter library during RACF subsystem initialization are not logged, because logging occurs only when the subsystem address space is fully functional. By contrast, parameter library commands issued as a result of a SET INCLUDE command are logged, because the subsystem address space is initialized when it processes the SET command.
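The customization described above, as an added example that is not from the IBM documentation: a TSO command sequence that defines discrete RACFEVNT profiles for the user, group, and connect event types plus one general resource class, activates the class, and verifies the result. It assumes the SDBM backend and change logging are already configured on the LDAP server, that FACILITY is merely an illustrative choice for the NOTIFY.LDAP.class-name form, and that the RACFEVNT class is RACLISTed on this system.

```tso
/* Added example: enable LDAP change log notification for RACF events.    */
/* Assumptions: SDBM backend and change logging are already configured    */
/* on the LDAP server, and the RACFEVNT class is RACLISTed.               */

/* One discrete profile per event type that should produce entries.       */
/* Each profile enables notification system-wide for that event type.     */
RDEFINE RACFEVNT NOTIFY.LDAP.USER
RDEFINE RACFEVNT NOTIFY.LDAP.GROUP
RDEFINE RACFEVNT NOTIFY.LDAP.CONNECT

/* General resource changes are enabled per class. FACILITY is used here */
/* only to illustrate the NOTIFY.LDAP.class-name form; substitute the    */
/* classes whose RDEFINE/RALTER/PERMIT/RDELETE activity must be logged.   */
RDEFINE RACFEVNT NOTIFY.LDAP.FACILITY

/* Nothing is logged until the class is active. If RACFEVNT was already   */
/* active and RACLISTed, use SETROPTS RACLIST(RACFEVNT) REFRESH instead.  */
SETROPTS CLASSACT(RACFEVNT) RACLIST(RACFEVNT)

/* Verify: RACFEVNT should appear under ACTIVE CLASSES, and every         */
/* NOTIFY.LDAP profile should be listed.                                  */
SETROPTS LIST
RLIST RACFEVNT *
```

After the class is active, every password or password phrase change on the system creates a change log entry, so confirm that read access to the LDAP change log is restricted to the synchronization client before enabling NOTIFY.LDAP.USER.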