- aclSourceCacheSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies the maximum number of entries to store in the
ACL Source cache. This cache holds information regarding ACL definitions
within the database. Retrieval of information from this cache avoids
database read operations when resolving access permissions.
The
maximum size of this value is 2147483647. A value of 0 indicates
that the cache is not used.
Default = 100
- adminDN dn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
The distinguished name (DN) of the root administrator
for this LDAP server. Typically, this DN has unrestricted access to
all entries in the directory except for entries in backends that are
read-only replicas. When the LDAP server is in maintenance mode, the
LDAP root administrator has unrestricted access to all entries in
the directory. Select a name that is descriptive of the person that
knows and administers the LDAP server. The format of the name must
be in DN format that is described in Data model.
You might want the DN to have the same suffix as one of the suffix option
values in the configuration file.
Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up this root administrator
DN. Additional root administrators can be defined using the administrative
group and assigning the root administrator role. See Administrative group and roles for more information.
For information
about specifying a value for a distinguished name for this option,
see Specifying a value for a distinguished name.
- adminPW string
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
The password of the root administrator
(adminDN) for this server.
Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your administrator
password.
Note: Use of the adminPW configuration
option is discouraged in production environments. Instead, specify
your adminDN as the distinguished name of an existing entry
in the directory information tree. This eliminates passwords from
the configuration file.
- allowAnonymousBinds {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies
whether an LDAP client can perform unauthenticated operations on the
LDAP server. If off, clients must explicitly bind to the server
with a distinguished name. If on, a client might access the
server without binding with a distinguished name and has access to
data as a member of the cn=anybody group. See Using access control for more information about access control
of directory data.
Default = on
- altServer ldap_URL
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies an equivalent server to this LDAP server. It might not be a replica, but it contains the same naming contexts. There is no required format for the value; however, LDAP URL format is most commonly used and is supported by LDAP clients. See listen ldap_URL for a description of the LDAP URL format. The option might be specified multiple times to define more than one alternate server. The alternate servers are placed in the altServer attribute in the root DSE and can be queried by LDAP clients to determine other servers that might be contacted if this server is not available at some later time.
In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP directory URL:
altServer ldap://myldap.server.com:3389
In the following example, 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IPv6 address and 389 is the port number of the LDAP URL:
altServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
- armName name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the name that the LDAP server uses when registering
with the Automatic Restart Management (ARM) service. The name is 1-7
characters and can consist of letters, numbers, and the special characters
'$ # @ _'. Lowercase letters are converted to uppercase. The first
character might be a number. The system name is appended to form the
element name. The armName configuration option must be specified
if there are multiple instances of the LDAP server on the same system
and ARM processing is enabled. See z/OS MVS Setting Up a Sysplex for
more information about automatic restart manager.
For example, for system DCESEC4, specifying:
armName LDAP1
results in the element name LDAP1_DCESEC4.
The LDAP server registers with ARM using the element name formed from the armName configuration option, an element type of SYSLDAP, an element bind of CURJOB, and a termination type of ELEMTERM. See the description of the IXCARM macro in z/OS MVS Programming: Sysplex Services Reference for more information about these parameters and how to override them using the current ARM policy.
Default = GLDSRVR
- attrOverflowCount count
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X |  |  | X |  |
For TDBM, specifies the number of attribute values required
to store the attribute values in a long attribute value table. The
choice of this value allows large multi-valued attributes such as
group membership lists to be stored in a separate table with its own
index.
For LDBM and CDBM, specifies the number of attribute
values required to store the attribute values in an internal indexed
table, providing quicker access to the values of large multi-valued
attributes such as group membership lists.
The value must be
either 0 or in the range 64 to 2147483647. A value of 0 disables
attribute overflow based on the attribute value count.
Default = 512
- attrOverflowSize num-of-bytes
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies, in bytes, the minimum size of an attribute
value required to store the value in a long attribute value table.
The choice of this value allows large attribute values (such as JPEG and GIF files)
to be stored in a separate DB2® table
in a separate DB2 table space.
The maximum size of this value is 2147483647. A value of 0 disables
attribute overflow based on attribute size.
Default = 255
- audit {on | off | all,operations | error,operations | none,operations}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Turns LDAP auditing on or off and specifies which operations
are to be audited and the associated audit level. When auditing is
on, an LDAP SMF type 83 subtype 3 audit record is generated for an
operation if the operation is specified on an audit option
and the operation result matches the audit level.
This option
can be specified multiple times, once to turn auditing on or off and
once or more times for each audit level to specify the operations
to audit for that level. Multiple operations can be specified for
a level by either putting a + between them on the audit option
or by specifying multiple audit options with the same level.
Operations
can be audited all the time or only when they fail. The following
audit levels are supported:
- all
- An LDAP audit record is generated for the specified operations.
- error
- An LDAP audit record is generated for the specified operations
when they fail.
- none
- An LDAP audit record is not generated for the specified operations.
The supported values for operations can
be one or more of: add, bind, compare, connect, delete, disconnect,
exop, modify, modifydn, search, unbind.
If an operation
is specified in more than one level, the last level is used for the
operation. If an operation is not specified in any level, the level
defaults to none for that operation.
The LDAP server AUDIT operator
modify command can be used to change the audit settings and to turn
audit on or off while the LDAP server is running. See LDAP server operator commands for more information.
Default = off
For example, the following audit options turn on auditing for modify, search, and bind failures and for all add operations. The other operations are not audited.
audit error,modify+search+bind
audit all,add
audit on
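The audit option rules above (several audit lines may appear, operations on one line are joined with +, the last level named for an operation wins, and any operation no level names defaults to none) are easy to get wrong when a configuration file has grown over time. The following Python resolver is an added example, not code from the IBM documentation or the LDAP server: it takes configuration lines and reports the effective level per operation, which is a quick way to confirm that, say, bind failures really will produce SMF type 83 subtype 3 records. The sample lines are constructed and reuse the page's own example.

```python
"""Resolve the effective z/OS LDAP server audit settings from audit
configuration lines.  Added example, not IBM code."""

OPERATIONS = ("add", "bind", "compare", "connect", "delete", "disconnect",
              "exop", "modify", "modifydn", "search", "unbind")
LEVELS = ("all", "error", "none")


def resolve_audit(lines):
    """Return (auditing_on, {operation: level}) for a list of config lines.

    Lines that are not 'audit ...' directives are ignored, so a whole
    configuration file can be passed in.  A malformed directive raises
    ValueError so a bad audit policy is caught before the server starts.
    """
    enabled = False
    effective = {op: "none" for op in OPERATIONS}   # default level is none
    for raw in lines:
        parts = raw.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "audit":
            continue
        value = parts[1].strip()
        if value.lower() in ("on", "off"):          # the on/off form
            enabled = value.lower() == "on"
            continue
        level, sep, ops = value.partition(",")      # the level,operations form
        level = level.strip().lower()
        if not sep or level not in LEVELS:
            raise ValueError(f"malformed audit directive: {raw!r}")
        for op in ops.split("+"):
            op = op.strip().lower()
            if op not in OPERATIONS:
                raise ValueError(f"unknown audit operation {op!r} in {raw!r}")
            effective[op] = level   # a later directive overrides an earlier one
    return enabled, effective


def audited_operations(lines):
    """Which operations are recorded always ('all') and only on failure
    ('error').  Nothing is recorded while auditing is off."""
    enabled, effective = resolve_audit(lines)
    if not enabled:
        return {"all": [], "error": []}
    return {lvl: sorted(op for op, l in effective.items() if l == lvl)
            for lvl in ("all", "error")}


# Constructed sample: the three audit lines from the example above, plus an
# unrelated option to show that non-audit lines are skipped.
SAMPLE_CONFIG = [
    "adminDN cn=Admin,o=Example",
    "audit error,modify+search+bind",
    "audit all,add",
    "audit on",
]

if __name__ == "__main__":
    on, eff = resolve_audit(SAMPLE_CONFIG)
    print("auditing on:", on)
    for op in OPERATIONS:
        print(f"  {op:10s} {eff[op]}")
```

Appending a further line such as `audit all,bind` to the sample moves bind from the error level to the all level, which is the last-level-wins rule in action; appending `audit off` leaves the per-operation table intact but reports no audited operations.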
- changeLogging {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  |  |  | X |  |  |
Turns change logging on or off.
When change logging
is on, all change logging operations are allowed. When change logging
is off, change log entries can be searched, modified, and deleted,
but no new change log entries can be created and no automatic trimming
of the change log is performed.
Default = on
- changeLoggingParticipant {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X |  | X | X |  |
Allows/disallows change logging for changes made to entries
in this backend. When specified in GDBM, changeLoggingParticipant controls
the logging of modifications to the LDAP server schema entry.
Note: This option does not turn on or off change logging. That is done by the changeLogging option.
Default = on
- changeLogMaxAge nnn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  |  |  | X |  |  |
Specifies the maximum age in seconds of an entry in the
change log. Change log entries are deleted when they have been in
the change log longer than this value, except if changeLogging
off is specified. The value must be between 0 and 2147483647.
A value of 0 indicates that there is no maximum.
Default = 0
- changeLogMaxEntries nnn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  |  |  | X |  |  |
Specifies the maximum number of entries that the change
log can contain. If the number of change log entries exceeds this
value and changeLogging off is not specified, change log entries
with the lowest change numbers are deleted. If the change log is DB2-based,
change log entries are deleted until the number of remaining entries
is 95% of the maximum. If the change log is file-based, change log
entries are deleted until the number of remaining entries is the maximum.
The value must be between 0 and 2147483647. A value of 0 indicates
that there is no maximum.
Default = 0
- commitCheckpointEntries nnn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  | X |  | X | X |  |
Specifies the maximum number of entries in the checkpoint
file. An entry is added to the LDBM, CDBM, or file-based GDBM checkpoint
file each time a directory entry is added, changed, deleted, or
renamed. When the maximum number is reached, the entries in the checkpoint
file are merged into the database file and the entries are removed
from the checkpoint file. The value must be between 0 and 2147483647.
A value of 0 indicates there is no maximum.
Default = 10000
- commitCheckpointTOD hh:mm
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  | X |  | X | X |  |
Specifies a time of day at which the checkpoint file is
merged into the database file. An entry is added to the LDBM, CDBM,
or file-based GDBM checkpoint file each time a directory entry
is added, changed, deleted, or renamed. Every day at the specified
time, the entries in the checkpoint file are merged into the database
file and the entries are removed from the checkpoint file. The value
must be between 00:00 and 23:59. Specify a value outside this range
to disable time of day checkpoint processing.
Default = 00:00
- commThreads num-threads
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies
the number of threads to be initialized for the communication thread
pool. This thread pool handles the connections between the LDAP server
and its clients. You might want to have the commThreads set
to approximately two times the number of processors that are running
in your LPAR. However, this is a general rule depending upon the activity
that your LDAP server experiences.
Default = 10
The commThreads option deprecates the maxThreads and waitingThreads options, which are no longer evaluated by the LDAP server.
- database dbtype dblibpath [name]
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X | X | X | X | X |
Marks the beginning of a new database section. All global
options must appear before the first database section. All options
after the database option pertain to this backend until another database option
is encountered.
- For dbtype:
  - Specify tdbm (DB2-based), ldbm (file-based), sdbm (RACF-based), gdbm (DB2-based or file-based), cdbm (file-based), or exop (extended operations).
  Notes:
  - The server compatibility level must be at least 5 when the CDBM backend is configured. See serverCompatLevel {3 | 4 | 5 | 6 | 7} for more information about the serverCompatLevel configuration option.
  - The EXOP backend is deprecated.
- For dblibpath:
  - This is the file name of the shared library (DLL) containing the backend database code. Unless you have changed the names of the LDAP DLLs, specify GLDBTD31/GLDBTD64 when dbtype is tdbm, GLDBLD31/GLDBLD64 when dbtype is ldbm, GLDBSD31/GLDBSD64 when dbtype is sdbm, GLDBGD31/GLDBGD64 when dbtype is gdbm, GLDBCD31/GLDBCD64 when dbtype is cdbm, and GLDXPD31/GLDXPD64 when dbtype is exop.
  Notes:
  - Both DLL names must be specified for dblibpath as shown above. For example, to use the SDBM backend, specify the following in the LDAP server configuration file:
    database sdbm GLDBSD31/GLDBSD64
  - In the job log, the LDAP server writes the DLL name that is loaded by the LDAP server. For example, if the LDAP server is run in 31-bit mode with the SDBM backend enabled, the following is written to the job log:
    database sdbm GLDBSD31 SDBM-0003
    If the LDAP server is run in 64-bit mode with the SDBM backend enabled, the following is written to the job log:
    database sdbm GLDBSD64 SDBM-0003
- For name:
  - This value is a name that is used to identify this backend. You cannot specify schema, rootDSE, or Monitor as the name. A name is generated if no name is specified for a backend. However, a name must be specified if the multiserver on option is specified for this backend, and the name must not be longer than 8 characters. In addition, when multi-server mode is active, the same name must be specified for each instance of the backend within the cross-system group.
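The database option defines the structure of the whole configuration file: everything before the first database line is global, everything after it belongs to that backend until the next database line, and the dbtype, dblibpath and name values carry the rules listed above. The following Python parser is an added example, not code from the IBM documentation or the LDAP server. It splits a configuration into global and backend sections and enforces only the rules quoted in this option description: global-only options (those whose table on this page marks just the Global column) must precede the first database line, dbtype must be one of the six known types, dblibpath must name a 31-bit/64-bit DLL pair, schema/rootDSE/Monitor are reserved names, and multiserver on requires an explicit name of at most 8 characters. The sample configuration is constructed; the option names suffix and multiserver are taken from the page, and the parser does not know the full option set of the real server.

```python
"""Split a z/OS LDAP server configuration into its global section and its
database sections and check the structural rules of the database option.
Added example, not IBM code; it enforces only the rules quoted in the
option description, not every rule the real server applies."""

import re

# dbtype -> DLL pair named in the option description
DEFAULT_DLLS = {
    "tdbm": "GLDBTD31/GLDBTD64", "ldbm": "GLDBLD31/GLDBLD64",
    "sdbm": "GLDBSD31/GLDBSD64", "gdbm": "GLDBGD31/GLDBGD64",
    "cdbm": "GLDBCD31/GLDBCD64", "exop": "GLDXPD31/GLDXPD64",
}
RESERVED_NAMES = {"schema", "rootdse", "monitor"}
# Options whose table on this page marks only the Global column.
GLOBAL_ONLY = {
    "admindn", "adminpw", "allowanonymousbinds", "altserver", "armname",
    "audit", "commthreads", "db2startupretryinterval", "db2startupretrylimit",
    "db2terminate", "digestrealm", "dncachesize", "idleconnectiontimeout",
    "krbkeytab", "krbldapadmin", "listen",
}


class ConfigError(ValueError):
    pass


def _parse_database(value, lineno):
    parts = value.split()
    if len(parts) not in (2, 3):
        raise ConfigError(f"line {lineno}: database expects dbtype dblibpath [name]")
    dbtype, dblibpath = parts[0].lower(), parts[1]
    name = parts[2] if len(parts) == 3 else None
    if dbtype not in DEFAULT_DLLS:
        raise ConfigError(f"line {lineno}: unknown dbtype {parts[0]!r}")
    # Light syntactic check only: two non-empty DLL names separated by '/'.
    if not re.fullmatch(r"[^/\s]+/[^/\s]+", dblibpath):
        raise ConfigError(f"line {lineno}: dblibpath must name both DLLs as 31-bit/64-bit")
    if name is not None and name.lower() in RESERVED_NAMES:
        raise ConfigError(f"line {lineno}: {name!r} is a reserved backend name")
    return {"dbtype": dbtype, "dblibpath": dblibpath, "name": name,
            "line": lineno, "options": [],
            "uses_default_dlls": dblibpath == DEFAULT_DLLS[dbtype]}


def parse_config(text):
    """Return (global_options, backends); raise ConfigError on a violation."""
    global_options, backends, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        value = value.strip()
        if option.lower() == "database":
            current = _parse_database(value, lineno)   # opens a new section
            backends.append(current)
        elif current is None:
            global_options.append((option, value))     # before any database line
        elif option.lower() in GLOBAL_ONLY:
            raise ConfigError(f"line {lineno}: global option {option} must "
                              "appear before the first database section")
        else:
            current["options"].append((option, value)) # belongs to this backend
    # The name rule depends on multiserver, an option inside the section.
    for b in backends:
        multiserver = any(o.lower() == "multiserver" and v.lower() == "on"
                          for o, v in b["options"])
        if multiserver and (b["name"] is None or len(b["name"]) > 8):
            raise ConfigError(f"line {b['line']}: multiserver on requires an "
                              "explicit backend name of at most 8 characters")
    return global_options, backends


def config_error(text):
    """Return the ConfigError message for text, or None if it parses."""
    try:
        parse_config(text)
    except ConfigError as e:
        return str(e)
    return None


# Constructed sample configuration (not taken from the page).
SAMPLE_CONFIG = """\
adminDN cn=Admin,o=Example
listen ldap://:389
database sdbm GLDBSD31/GLDBSD64
suffix cn=RACF
database ldbm GLDBLD31/GLDBLD64 LDBM01
databaseDirectory /var/ldap/ldbm
multiserver on
"""
```

Running `parse_config(SAMPLE_CONFIG)` yields two global options and two backends, the second named LDBM01 with its own databaseDirectory and multiserver settings; moving the adminDN line below the first database line makes `config_error` report it as misplaced.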
- databaseDirectory name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  | X |  | X | X |  |
Specifies the name of the directory containing the data
files used by the backend to store directory data. A fully-qualified
directory path must be specified. A unique directory must be specified
for each backend. In addition, when multi-server mode is active, the
same directory path must be specified for each instance of the backend
within the cross-system group.
LDBM Default = /var/ldap/ldbm
GDBM Default = /var/ldap/gdbm
CDBM Default = /var/ldap/schema if schemaPath is not specified, else the schemaPath option setting
- dbuserid userid
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies a z/OS user ID that is the owner of the DB2 tables. When specified in a GDBM backend section, this option indicates that the GDBM backend is DB2-based and not file-based.
Note: The dbuserid value must be unique within the configuration file. Multiple backends on an LDAP server cannot share a database.
- db2StartUpRetryInterval num-seconds
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the number of seconds the LDAP server waits before each DB2 connection retry attempt after the initial DB2 connection fails.
During LDAP initialization, an initial attempt at establishing a DB2 connection is made if at least one DB2-based backend is defined. If the connection attempt is unsuccessful and the LDAP server is set up to wait for DB2, the LDAP server retries the connection for a specified number of times, waiting db2StartUpRetryInterval seconds before each retry attempt. While waiting for a connection to DB2, the LDAP server does not receive requests. The value must be between 1 and 999.
Note: db2StartUpRetryInterval is ignored if no DB2-based backend (TDBM and DB2-based GDBM) is defined or if the db2StartUpRetryLimit configuration option has a zero value or is not specified.
Default = 45
- db2StartUpRetryLimit num-retries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the maximum number of DB2 connection retries the LDAP server attempts after the initial DB2 connection fails.
During LDAP initialization, an initial attempt at establishing a DB2 connection is made if at least one DB2-based backend is defined. If the connection attempt is unsuccessful and db2StartUpRetryLimit has a non-zero value, the LDAP server retries the connection db2StartUpRetryLimit times, waiting the specified db2StartUpRetryInterval number of seconds before each retry attempt. When the number of retry attempts equals db2StartUpRetryLimit and a connection to DB2 still cannot be established, all backends that require DB2 fail to configure. While waiting for a connection to DB2, the LDAP server does not receive requests. The value must be between 0 and 99. A value of 0 indicates that no DB2 connection retries are to be attempted.
Note: db2StartUpRetryLimit is ignored if no DB2-based backend (TDBM and DB2-based GDBM) is defined.
Default = 0
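The two options db2StartUpRetryInterval and db2StartUpRetryLimit together define a start-up window during which the server accepts no client requests, so the worst-case delay (limit times interval) and the fail-closed outcome for DB2-based backends are worth modelling before choosing values. The following Python model is an added example, not code from the IBM documentation or the LDAP server: it reproduces the described sequence (one initial attempt, then up to db2StartUpRetryLimit retries, each preceded by a wait of db2StartUpRetryInterval seconds, with 0 meaning no retries) and enforces the documented ranges. The connect and sleep callables are injected so the policy can be exercised offline; the fake connector is constructed for the example.

```python
"""Model of the LDAP server's DB2 start-up retry policy as described for
db2StartUpRetryInterval and db2StartUpRetryLimit.  Added example, not IBM
code: the real server talks to DB2, this model takes a connect() callable."""

import time


def validate_retry_options(interval, limit):
    """Enforce the documented ranges: interval 1-999, limit 0-99."""
    if not 1 <= interval <= 999:
        raise ValueError("db2StartUpRetryInterval must be between 1 and 999")
    if not 0 <= limit <= 99:
        raise ValueError("db2StartUpRetryLimit must be between 0 and 99")


def worst_case_startup_wait(interval=45, limit=0):
    """Longest time the server can spend not receiving requests while it
    waits for DB2 during initialization (all retries fail)."""
    validate_retry_options(interval, limit)
    return interval * limit


def connect_with_retries(connect, interval=45, limit=0, sleep=time.sleep):
    """Run the initial DB2 connection attempt and the retries.

    connect() returns True on success and False on failure.
    Returns (connected, attempts, seconds_waited).  A False result is the
    case in which every backend that requires DB2 fails to configure.
    """
    validate_retry_options(interval, limit)
    attempts, waited = 1, 0
    if connect():                        # the initial attempt
        return True, attempts, waited
    for _ in range(limit):               # limit == 0 means no retries at all
        sleep(interval)                  # wait happens before each retry
        waited += interval
        attempts += 1
        if connect():
            return True, attempts, waited
    return False, attempts, waited


def make_connect(succeed_on_attempt):
    """Constructed fake connector: succeeds only on the given attempt
    number (0 means DB2 never comes up)."""
    calls = {"n": 0}

    def connect():
        calls["n"] += 1
        return calls["n"] == succeed_on_attempt
    return connect


if __name__ == "__main__":
    no_wait = lambda seconds: None       # do not really sleep in the demo
    print(connect_with_retries(make_connect(3), 30, 5, sleep=no_wait))
    print("worst case wait with 30 s x 5:", worst_case_startup_wait(30, 5), "s")
```

With the page's defaults (limit 0) the model makes exactly one attempt, which matches the note that db2StartUpRetryInterval is ignored when the limit is zero.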
- db2Terminate {terminate | recover | restore}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies how the LDAP server reacts to a termination of DB2 after the server successfully starts.
If set to terminate, the LDAP server shuts down.
If set to recover or restore, the LDAP server disconnects from DB2 but remains running to allow access to non-DB2 backends (for example, SDBM, LDBM, CDBM, and file-based GDBM). When DB2 is once again active, the LDAP server reconnects to DB2. No access is allowed to DB2-based backends (TDBM and DB2-based GDBM) while DB2 is down. Client requests to those backends are rejected with the LDAP_UNAVAILABLE return code and a reason code message that includes "DB2 Unavailable".
Note: db2Terminate is ignored and no DB2 monitoring is done if no DB2-based backend (TDBM and DB2-based GDBM) is configured.
If you are using a sysplex distributor, set this configuration option to terminate. This allows client requests to be routed to other LDAP servers in the sysplex that can connect to their databases.
Default = recover
- digestRealm hostname
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies a realm name to be used when doing DIGEST-MD5 or CRAM-MD5 SASL authentication binds to the LDAP server. The digestRealm is used to help calculate a hash for DIGEST-MD5 and CRAM-MD5 authentication binds. Make sure that the hostname is a DNS host name and not an IP address.
Default = fully qualified host name of the LDAP server if a DNS (Domain Name Server) is active on the system. Otherwise, the default is the name of the host processor.
- dnCacheSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the maximum number of entries to store in the
Distinguished Name normalization cache. This cache holds information
related to the mapping of Distinguished Names between their raw form
and their canonical form. Retrieval of information from this cache
reduces processing required to locate entries in the database.
The
maximum size of this value is 2147483647. A value of 0 indicates
that the cache is not used.
Default = 1000
- dnToEidCacheSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies the maximum number of entries to store in the
Distinguished Name to Entry Identifier mapping cache. This cache
holds information related to the mapping of Distinguished Names in
their canonical form and their Entry Identifier within the database.
Retrieval of information from this cache avoids database read operations
when locating entries within the database.
The maximum size
of this value is 2147483647. A value of 0 indicates that the cache
is not used.
Default = 1000
- dsnaoini dsname
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies the name of the CLI
Initialization file or sequential data set (or PDS member) you created
in step 4 in Getting DB2 installed and set up for CLI and ODBC. This must be either a fully-qualified
data set name, a DD name, or a path name. A data set name is not enclosed
in quotation marks or prefixed with '//', a DD name starts with '//:',
and a path name starts with '/' or './'.
There are three ways to specify the CLI initialization file, and the search order is as follows:
- The DSNAOINI DD statement in the JCL for the LDAP server started task
- The DSNAOINI environment variable
- The dsnaoini configuration option. If the dsnaoini configuration option is specified for a backend, the option must also be specified, with the same value, for all the TDBM and DB2-based GDBM backends in the configuration file.
Running the LDAP server using data sets gives more information about this process. See the DB2 information in IBM Information Management Software for z/OS Solutions Information Center for details on ways to specify the CLI initialization file. In order for the TDBM or GDBM backend to run, the initialization file must be specified in one of the ways indicated.
- enableResources {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  |  | X |  |  |  |
Specifies whether the SDBM backend supports operations
on RACF® resources and classes.
If on, SDBM accepts operations for the setropts, class, and
resource profile entries. LDAP also accepts requests for creating
a change log entry for a change to a RACF resource
profile. If off, an SDBM search from the suffix does not return
these entries and operations (including a change log request) involving
these entries are rejected.
Default = off
- entryCacheSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies the maximum number of entries to store in the
Entry cache. This cache holds information contained within individual
entries in the database. Retrieval of information from this cache
avoids database read operations when processing entries within the
database.
The maximum size of this value is 2147483647. A value
of 0 indicates that the cache is not used.
Default = 5000
- entryOwnerCacheSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X |  |  | X |  |  |
Specifies the maximum number of entries to store in the
entry owner cache. This cache holds information regarding ACL definitions
within the database. Retrieval of information from this cache avoids
database read operations when resolving access permissions.
The
maximum size of this value is 2147483647. A value of 0 indicates
that the cache is not used.
Default = 100
- extendedGroupSearching {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X |  |  | X |  |
Specifies whether
a backend participates in extended group membership searching on
a client bind request. If this option is on, group
memberships are gathered from this backend during LDAP directory bind
processing in addition to the backend in which the bind DN exists.
If this option is off, group memberships are not gathered
from this backend unless the bind DN exists in this backend.
See Associating DNs, access groups, and additional bind and directory entry access information with a bound user for information about group gathering after
a successful bind.
The server control authenticateOnly is supported by the LDAP server so that a client can override both extendedGroupSearching and group membership gathering from the backend where the DN exists. See Supported server controls for more information.
This option applies only to the backend in which it is defined.
Default = off
- fileTerminate {terminate | recover}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  |  | X |  | X | X |  |
Specifies whether the LDAP server ends when file system
errors occur. If terminate, the LDAP server ends when a file
system error is detected. If recover, the LDAP server continues
processing, but the backend experiencing the file system error is
set to read-only mode. No updates can be made to the directory controlled
by this backend. When the problem is corrected, the backend can be
reset to read/write mode using the LDAP server BACKEND operator modify
command. See LDAP server operator commands for information about
the LDAP server BACKEND modify command.
Default = recover
- filterCacheBypassLimit num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X |  | X | X |  |
Specifies the maximum number of returned entries allowed
in the result set of any individual search that is stored in the Search
Filter cache. Search filters that match more than this number of
entries are not added to the Search Filter cache. This option is
useful for maintaining the effectiveness of the Search Filter cache
and Entry cache. It can be used to prevent a few search requests
with large result sets from dominating the contents of the Entry cache.
The
value must be in the range of 1 to 250. This option is ignored when
the filter cache is not in use.
Default = 100.
- filterCacheSize num-filters
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X |  | X | X |  |
Specifies the maximum number of filters to store in the
Search Filter cache. This cache holds information related to the
mapping of search request inputs and the result set. Retrieval of
information from this cache avoids database read operations when processing
search requests. Individual search requests which return more entries
than specified in the filterCacheBypassLimit option are not
placed in the cache.
The maximum size of this value is 2147483647.
A value of 0 indicates that the cache is not used.
TDBM Default = 500
LDBM Default = 5000
CDBM Default = 5000
GDBM Default = 0
- idleConnectionTimeout num-seconds
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the amount of time in seconds that the LDAP server waits for an idle connection or an idle paged search result set. When an idle connection times out, the client connection is dropped. When an idle paged search result set times out, the paged search result set is abandoned. Idle connections and idle paged search result sets are detected by the LDAP server's network monitor task, which checks for them every 30 seconds. Therefore, it is possible for an idle connection or idle paged search result set to remain active slightly longer than the idleConnectionTimeout value.
The value must be either 0 or between 30 and 2147483647. A value of 0 indicates that an idle connection or idle paged search result set remains active indefinitely.
Default = 0 (indefinitely)
Suggested value = 1800 (30 minutes)
- include filename [systemName]
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | X | X | X | X | X | X |
Specifies the path and file name of a file to be included
as a part of the LDAP server configuration.
See Specifying a value for filename for information about specifying filename.
Note: The LDAP server does not detect loop conditions in a set of included files. Configuration might encounter errors or fail if the same file is processed more than once. While nested include files are supported, including the same file in such a way as to form a loop condition is not supported.
If the system name is specified, the include file is processed only on that system. This allows the LDAP server configuration files to be shared by multiple servers where each server runs on a different z/OS® system. System-specific configuration information can then be placed in an include file that is processed only on the system to which it applies.
- krbIdentityMap {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
|  | X | X | X |  | X |  |
Specifies
if this backend participates in Kerberos identity mapping. If it participates,
then the server attempts to map the Kerberos identity that performed
the bind to DNs that exist in this backend. The mapped DNs are then
used for access control.
Default = off
- krbKeytab {krbKeytab | none}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the Kerberos key table that is used by the LDAP server. The key table is used to obtain the encryption key for the Kerberos principal associated with the LDAP server. A key table must be provided if Kerberos authentication is used and the Kerberos KDC is not running on the same system as the LDAP server. However, a key table is not necessary if the Kerberos KDC is running on the same system as the LDAP server, the user ID associated with the LDAP server has a RACF KERB segment containing the server principal name, and the user ID associated with the LDAP server has read permission to the IRR.RUSERMAP facility class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. In these cases, the krbKeytab option is either omitted or set to none. Following is an example:
krbKeytab /home/users/u1/keytab
Default = no value
- krbLDAPAdmin kerberosIdentityDN
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies the Kerberos identity that represents the LDAP root administrator. This option allows the root administrator to bind through Kerberos and still maintain administrative authority. The value for this option must be specified as a DN with the attribute type of ibm-kn. The ibm-kn attribute type is case-sensitive and must match the actual Kerberos identity. Following is an example:
krbLDAPAdmin ibm-kn=LDAPAdmin@MYREALM.COM
For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.
- listen ldap_URL
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X |  |  |  |  |  |  |
Specifies, in LDAP URL format, the IP address (or host name) and the port number where the LDAP server listens for incoming client requests. This option might be specified more than once in the configuration file.
Note: The listen value might be established in the configuration file, or it might be established using the -l command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).
Default = The server listens on all available and active IPv4 addresses, using port 389. This is equivalent to ldap://:389.
The format of ldap_URL for the listen option to listen on a TCP/IP socket interface is the following. This format is also used for other configuration options whose value is in LDAP URL format, such as altServer, masterServer, and referral.
{ldap:// | ldaps://}[IP_address | hostname | INADDR_ANY | in6addr_any][:portNumber]
The format of ldap_URL for the listen option to listen on the Program Call interface is the following:
ldap://:pc
where:
- ldap://
- Specifies that the server listen on nonsecure addresses or ports. Note: If SSL/TLS is configured for the server, then once a connection is established, the client might switch to secure communication using the Start TLS extended operation. Consider specifying INADDR_ANY or in6addr_any (see below), as this allows the z/OS Communications Server to determine the active interfaces rather than the LDAP server. This is preferable, especially in CINET environments with multiple TCP/IP stacks.
- ldaps://
- Specifies that the server listen on secure addresses or ports.
When a connection is established to the server, the client must begin
the SSL/TLS handshake protocol. The sslKeyRingFile option
must also be specified when using this format. Consider specifying INADDR_ANY or in6addr_any (see
below), as this allows the z/OS Communications
Server to determine the active interfaces rather than the LDAP server.
This is preferable, especially in CINET environments with multiple
TCP/IP stacks.
- IP_address
- Specifies either the IPv4 or IPv6 address.
- hostname
- Specifies the host name. If the host name is used for the listen option,
all the IPv4 or IPv6 addresses associated with the hostname are
obtained from the DNS (Domain Name Server) and the LDAP server listens
on each of these active and available IP addresses.
- INADDR_ANY
- Specifies the INADDR_ANY interface. If specified, the z/OS Communications Server determines
the active and available IPv4 TCP/IP interfaces on the system on which
the LDAP server binds and listens for requests. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for
more information about the INADDR_ANY interface.
- in6addr_any
- Specifies the in6addr_any interface. If specified, the z/OS Communications Server determines
the active and available IPv4 and IPv6 TCP/IP interfaces on the system
on which the LDAP server binds and listens for requests. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for
more information about the in6addr_any interface.
- portNumber
- Specifies the port number. The portNumber is optional.
If the port number is not specified for an ldap://, then the
default of 389 is used for nonsecure connections. If the port number
is not specified for an ldaps://, then the default of 636 is
used for secure connections.
If the serverSysplexGroup option is present in the
configuration file, the port number specified for this server instance
must be the same as the port number specified for all other members
of the sysplex group for dynamic workload balancing to function properly.
It
is advisable to reserve the port number or numbers chosen here in
your TCP/IP profile data set. Also, be aware that port numbers below
1024 might require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for
more information.
- pc
- Specifies that the LDAP server listens for program call (PC) calls
from RACF change logging using
the z/OS Security Authorization
Facility (SAF) interface. Only one LDAP server on a system can listen
for PC calls.
Note: when the listen option is configured to listen for PC calls, the listen value
must not include an IP address or a host name, and ldaps cannot be specified.
Following are some examples of how you can specify ldap_URL.
- If you specify:
ldap://
the LDAP server
binds and listens on all active and available IPv4 addresses on the
system on the nonsecure default port of 389 for incoming
client requests. Note this is not the same as ldap://INADDR_ANY,
which listens specifically on the INADDR_ANY interface on the
nonsecure default port of 389, or the ldap://in6addr_any,
which listens specifically on the in6addr_any interface on
the nonsecure default port of 389.
- If you specify:
ldap://us.endicott.ibm.com:489
the
LDAP server binds and listens on all active and available IPv4 and
IPv6 addresses associated with the host name us.endicott.ibm.com on
the nonsecure port of 489 for incoming client requests.
- If you specify:
ldap://9.130.77.27
the
LDAP server binds and listens on IPv4 address 9.130.77.27 on
the default nonsecure port of 389 for incoming client
requests.
- If you specify:
ldaps://us.endicott.ibm.com
the
LDAP server binds and listens on all active and available IPv4 and
IPv6 addresses associated with the host name us.endicott.ibm.com on
the default secure port of 636 for incoming client
requests.
- If you specify:
ldaps://9.130.77.27:736
the
LDAP server binds and listens on IPv4 address 9.130.77.27 on
the secure port of 736 for incoming client requests.
- If you specify:
ldap://:489
the LDAP server
binds and listens on all active and available IPv4 addresses on the
system on the nonsecure port of 489 for incoming
client requests. Note that this is not the same as ldap://INADDR_ANY:489,
which listens specifically on the INADDR_ANY interface on
the nonsecure port of 489, or ldap://in6addr_any:489,
which listens specifically on the in6addr_any interface on
the nonsecure port of 489.
- If you specify:
ldaps://:777
the LDAP server
binds and listens on all active and available IPv4 addresses on the
system on the secure port of 777 for incoming client
requests. Note that this is not the same as ldaps://INADDR_ANY:777,
which listens specifically on the INADDR_ANY interface on
the secure port of 777, or ldaps://in6addr_any:777,
which listens specifically on the in6addr_any interface on
the secure port of 777.
- If you specify:
ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
the
LDAP server binds and listens on the IPv6 address
5f1b:df00:ce3e:e200:20:800:2078:e3e3 on
the nonsecure port of
389 for incoming client requests.
- If you specify:
ldaps://[::ffff:9.130.77.75]:777
the
LDAP server binds and listens on the IPv4 mapped IPv6 address ::ffff:9.130.77.75 on
the secure port of 777 for incoming client requests.
- If you specify:
ldap://[::]
the LDAP server
binds and listens on all active and available IPv4 and IPv6 addresses
on the system on the nonsecure default port of 389 for
incoming client requests. Note this is not the same as ldap://INADDR_ANY,
which listens specifically on the INADDR_ANY interface on the
nonsecure default port of 389, or ldap://in6addr_any,
which listens specifically on the in6addr_any interface on
the nonsecure default port of 389.
- If you specify:
ldap://:pc
the LDAP server binds and listens for PC calls from RACF change
logging using the SAF interface into the server.
Note: The listen parameter deprecates the security, port,
and securePort options in the configuration file. If there
is a listen option specified in the configuration file along
with either security, port, or securePort, the listen option
takes precedence over what has been specified for security, port,
or securePort. If an earlier version of the configuration file with security, port,
or securePort is used, the LDAP server is configured to listen on the port numbers
specified for securePort, port, or both, depending upon the security setting.
However, you should configure the LDAP server using the listen configuration
option.
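The following Python script is an added example, not part of the z/OS LDAP server or of this reference, that parses listen values according to the rules above: the default ports 389 and 636, the empty-host, bracketed IPv6, INADDR_ANY, in6addr_any and host name forms, and the restriction that ldap://:pc carries no host and cannot be ldaps. The ListenSpec type, the kind labels, and the case-insensitive matching of INADDR_ANY and in6addr_any are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Default ports stated for the listen option: 389 for ldap://, 636 for ldaps://.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Keyword interfaces; compared case-insensitively (an assumption of this example).
SPECIAL_HOSTS = {"inaddr_any": "inaddr_any", "in6addr_any": "in6addr_any"}


@dataclass(frozen=True)
class ListenSpec:
    scheme: str           # "ldap" or "ldaps"
    kind: str             # what the server binds to; see parse_listen()
    host: Optional[str]   # literal address, host name or keyword; None for empty-host forms and :pc
    port: Optional[int]   # effective port after defaulting; None for :pc
    secure: bool          # True only for ldaps://


_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:\[(?P<v6>[^\]]*)\]|(?P<host>[^:\[\]/]*))"
    r"(?::(?P<port>[^:/]+))?$"
)


def parse_listen(url: str) -> ListenSpec:
    """Parse one listen ldap_URL value and apply the defaulting and validation rules."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a listen LDAP URL: {url!r}")
    scheme = m.group("scheme")
    secure = scheme == "ldaps"
    host = m.group("host") or ""
    v6 = m.group("v6")
    port_text = m.group("port")

    # Program Call interface form: exactly ldap://:pc, with no host and no ldaps.
    if port_text is not None and port_text.lower() == "pc":
        if secure:
            raise ValueError("ldaps cannot be specified with :pc")
        if host or v6 is not None:
            raise ValueError(":pc must not include an IP address or host name")
        return ListenSpec(scheme, "pc", None, None, False)

    if port_text is None:
        port = DEFAULT_PORTS[scheme]
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise ValueError(f"invalid port number: {port_text!r}")

    if v6 is not None:
        addr = ipaddress.ip_address(v6)       # raises ValueError for malformed text
        if addr.version != 6:
            raise ValueError("bracketed address must be IPv6")
        # ldap://[::] means all IPv4 and IPv6 addresses; anything else is one IPv6 address.
        kind = "all-ipv4-ipv6" if addr == ipaddress.IPv6Address("::") else "ipv6"
        return ListenSpec(scheme, kind, v6, port, secure)

    if host == "":                            # ldap:// or ldap://:489 -> all IPv4 addresses
        return ListenSpec(scheme, "all-ipv4", None, port, secure)
    if host.lower() in SPECIAL_HOSTS:
        return ListenSpec(scheme, SPECIAL_HOSTS[host.lower()], host, port, secure)
    try:
        addr4 = ipaddress.IPv4Address(host)
        return ListenSpec(scheme, "ipv4", str(addr4), port, secure)
    except ipaddress.AddressValueError:
        return ListenSpec(scheme, "hostname", host, port, secure)


def describe(spec: ListenSpec) -> str:
    """Render the binding in the wording of the option description."""
    if spec.kind == "pc":
        return "listens for PC calls from RACF change logging over the SAF interface"
    security = "secure" if spec.secure else "nonsecure"
    target = {
        "all-ipv4": "all active and available IPv4 addresses",
        "all-ipv4-ipv6": "all active and available IPv4 and IPv6 addresses",
        "inaddr_any": "the INADDR_ANY interface",
        "in6addr_any": "the in6addr_any interface",
        "ipv4": f"IPv4 address {spec.host}",
        "ipv6": f"IPv6 address {spec.host}",
        "hostname": f"all IPv4 and IPv6 addresses of host {spec.host}",
    }[spec.kind]
    return f"binds and listens on {target} on {security} port {spec.port}"


if __name__ == "__main__":
    for value in ("ldap://", "ldaps://us.endicott.ibm.com", "ldap://[::]", "ldap://:pc"):
        print(value, "->", describe(parse_listen(value)))
```

Running the script over the URLs from the examples above reproduces the descriptions given there; the same function can be used to lint the listen values of a configuration file before the server is started.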
- logfile filename
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the location of the file where the activity
log is written when logging is enabled. See Activity logging for
more information.
See Specifying a value for filename for
information about specifying the filename.
Default = /etc/ldap/gldlog.output
- logFileFilter filter
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies a client IP address filter used to determine
the activity that is included or excluded from being logged in the
activity log file. Client requests originating from IP addresses allowed
by the filter are written to the activity log file specified in the logfile configuration
option.
The only supported activity log filters are ones using
the ibm-filterIP attribute type to designate the client IPv4
addresses or IPv6 addresses with no brackets that are to be included
or excluded from the activity log file. Host names and subnet masks
are not supported in these filters. See Activity logging for
more information.
Default = ibm-filterIP=*
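As an added illustration, not part of the server or of this reference, the following Python code evaluates a logFileFilter value against constructed client IP addresses and returns the activity that would reach the log. It accepts LDAP filter syntax (&, |, ! and ibm-filterIP=value items, plus the bare default form ibm-filterIP=*), which is an assumption about the form the Activity logging section describes, and it rejects host names, bracketed IPv6 addresses and subnet masks, as the option description requires. Wildcards inside an address (for example 9.130.77.*) are also an assumption; FilterError, SAMPLE_ACTIVITY and filter_activity are names of the example.

```python
import fnmatch
import ipaddress
import re
from typing import List, Tuple

ATTR = "ibm-filterip"   # the only attribute type the activity log filter supports


class FilterError(ValueError):
    """Raised for filters the activity log would not accept."""


def parse_filter(text: str):
    """Parse an LDAP-style filter restricted to ibm-filterIP items into a small tree."""
    s = text.strip()
    if not s.startswith("("):        # accept the bare default form, ibm-filterIP=*
        s = f"({s})"
    node, end = _parse_node(s, 0)
    if end != len(s):
        raise FilterError(f"trailing text after filter: {s[end:]!r}")
    return node


def _parse_node(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    op = s[i]
    if op in ("&", "|"):
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_node(s, i)
            kids.append(kid)
        if not kids:
            raise FilterError(f"empty '{op}' list")
        return (op, kids), _expect_close(s, i)
    if op == "!":
        kid, i = _parse_node(s, i + 1)
        return ("!", kid), _expect_close(s, i)
    j = s.find(")", i)
    if j < 0:
        raise FilterError("unterminated filter item")
    attr, sep, value = s[i:j].partition("=")
    if not sep or attr.strip().lower() != ATTR:
        raise FilterError(f"only {ATTR} items are supported: {s[i:j]!r}")
    return ("=", _check_pattern(value.strip())), j + 1


def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def _check_pattern(value: str) -> str:
    """Allow '*', a wildcard address pattern or a plain IPv4/IPv6 literal; reject everything else."""
    if value == "*":
        return value
    if "*" in value:
        # Host names, brackets and subnet masks never pass this character check.
        if not re.fullmatch(r"[0-9A-Fa-f.:*]+", value) or not any(c in value for c in ".:"):
            raise FilterError(f"unsupported pattern (no host names or subnet masks): {value!r}")
        return value.lower()
    try:
        return str(ipaddress.ip_address(value))   # normalises the literal; rejects names, masks, brackets
    except ValueError:
        raise FilterError(f"not an IP address literal: {value!r}") from None


def matches(node, client_ip: str) -> bool:
    """Return True when the filter admits client_ip, that is, the request would be logged."""
    ip = str(ipaddress.ip_address(client_ip))
    op = node[0]
    if op == "=":
        return fnmatch.fnmatchcase(ip, node[1])
    if op == "&":
        return all(matches(k, ip) for k in node[1])
    if op == "|":
        return any(matches(k, ip) for k in node[1])
    return not matches(node[1], ip)


# Constructed sample activity records (client IP, operation); not real server log output.
SAMPLE_ACTIVITY: List[Tuple[str, str]] = [
    ("9.130.77.27", "BIND cn=monitor-probe"),
    ("9.130.77.28", "SEARCH base=o=example scope=sub"),
    ("10.20.30.40", "SEARCH base=o=example scope=one"),
    ("::1", "MODIFY cn=app1,o=example"),
]


def filter_activity(filter_text: str, records=SAMPLE_ACTIVITY):
    """Apply a logFileFilter value to activity records; returns the records that would be logged."""
    tree = parse_filter(filter_text)
    return [rec for rec in records if matches(tree, rec[0])]
```

A filter that excludes a known monitoring probe, such as (!(ibm-filterIP=9.130.77.27)), keeps the log focused on the clients you actually want to audit, while the default ibm-filterIP=* logs every client.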
- logFileRolloverDirectory name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the name of the z/OS UNIX System Services file system
directory where the activity log files are archived or rolled over
or the Generated Data Group (GDG) base data set. If a z/OS UNIX System
Services file system directory is specified, it must be a fully-qualified
directory path. This option is ignored if a sequential or partitioned
data set is specified for the logfile configuration option.
If the logfile configuration option specifies a file that exists
in a z/OS UNIX System Services file system directory and
this option is not specified, the archived or rolled over activity
log file is kept in the same directory. See Activity logging for
more information about activity log archiving or roll over.
Default = Directory specified by the logfile configuration option
- logFileRolloverSize nnn[K | M | G]
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the maximum size in bytes of the activity log
file. When the maximum size is reached, the activity log file is rolled
over or archived. The value nnn must be between
0 and 2147483647 and can be followed by a K, M, or G to
indicate kilobytes, megabytes, or gigabytes, in that order. Specify
0 to disable activity log file archiving or roll over based on size.
See Activity logging for more information about activity
log archiving or roll over.
Default = 0
- logFileRolloverTOD hh:mm
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the time of day when the activity log file is
archived or rolled over. Every day at the specified time, the current
activity log file is rolled over or archived. The value must be between
00:00 and 23:59. Specify a value outside this range to disable activity
log file archiving or roll over based on time of day. See Activity logging for more information about activity log
archiving or roll over.
Default = 24:00
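An added example (not from the reference) showing how the logFileRolloverSize and logFileRolloverTOD settings combine: a constructed rollover_due function applies the size limit (0 disables it) and the time of day (a value outside 00:00 to 23:59, such as the default 24:00, disables it). The binary K/M/G multipliers and the once-per-day bookkeeping are assumptions of the example.

```python
import re
from datetime import date, datetime
from typing import Optional, Tuple

MAX_NNN = 2147483647
# K, M and G are taken as binary multipliers (assumption; the option text only names the units).
_MULTIPLIER = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_rollover_size(setting: str) -> int:
    """Convert a logFileRolloverSize value to bytes; 0 means size-based rollover is disabled."""
    m = re.fullmatch(r"(\d+)([KMGkmg]?)", setting.strip())
    if not m:
        raise ValueError(f"logFileRolloverSize must be nnn[K|M|G]: {setting!r}")
    nnn = int(m.group(1))
    if nnn > MAX_NNN:
        raise ValueError(f"nnn exceeds {MAX_NNN}: {setting!r}")
    return nnn * _MULTIPLIER[m.group(2).upper()]


def parse_rollover_tod(setting: str) -> Optional[Tuple[int, int]]:
    """Return (hour, minute) for a logFileRolloverTOD value, or None when it is outside 00:00-23:59."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", setting.strip())
    if not m:
        raise ValueError(f"logFileRolloverTOD must be hh:mm: {setting!r}")
    hour, minute = int(m.group(1)), int(m.group(2))
    if hour > 23 or minute > 59:
        return None          # e.g. the default 24:00 turns time-of-day rollover off
    return hour, minute


def rollover_due(size_setting: str, tod_setting: str, current_bytes: int,
                 now_iso: str, last_tod_rollover_iso: Optional[str] = None) -> Optional[str]:
    """Decide whether the activity log should roll over now: 'size', 'time-of-day' or None."""
    now = datetime.fromisoformat(now_iso)
    last_day = date.fromisoformat(last_tod_rollover_iso) if last_tod_rollover_iso else None
    max_bytes = parse_rollover_size(size_setting)
    if max_bytes and current_bytes >= max_bytes:
        return "size"
    tod = parse_rollover_tod(tod_setting)
    # Daily rollover fires once per day at or after the configured time (bookkeeping is ours).
    if tod is not None and (now.hour, now.minute) >= tod and last_day != now.date():
        return "time-of-day"
    return None
```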
- masterServer ldap_URL
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | | |
Specifies, for this backend, the location of this replica's master server for basic replication. There
is no required format for the value; however, the z/OS LDAP client can only follow a masterServer value
if it is in LDAP URL format. See page listen ldap_URL for
a description of LDAP URL format. The presence of this option indicates
that this LDAP server is a basic replication read-only replica for
this backend and receives updates from a master LDAP server. Any other
update requests for this backend received directly by the LDAP server
are redirected to the master server. You must also specify the masterServerDN option
in this section of the configuration file. The master server must
contain all the suffixes defined for this backend.
The masterServer option
can be specified multiple times if there are multiple master servers.
In this case, the LDAP client attempts to contact each server in the
list until it is able to establish a connection with one of the servers.
The masterServer option
indicates basic replication is configured for this backend section.
Therefore, the masterServer configuration option cannot be
specified if the useAdvancedReplication configuration option
is set to on in the CDBM backend database section.
In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP URL:
masterServer ldap://myldap.server.com:3389
In the following example, the IPv6 address 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and 389 is the port number of the LDAP URL:
masterServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
- masterServerDN dn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | | |
Specifies the distinguished name (DN) that can always make updates to this basic
replication read-only replica backend. The value must be in DN format
that is described in Data model. The presence
of this option indicates that this LDAP server is a read-only replica
for this backend and receives updates from a master LDAP server using
the specified DN. The specified DN is a special entry that is only
used when replicating to this read-only replica backend. The DN has
unrestricted update, compare, and search access for all entries in
the backend on this server, even if the LDAP server is in maintenance
mode. When in maintenance mode, only this DN and an LDAP root administrator
can access and update the entries in this backend. All other update
operations for this backend received by the replica server are redirected
to the master server. Care must be taken when updating this backend
to ensure that the replica server remains synchronized with the master
server.
You must also specify the masterServer option
in this section of the configuration file. You cannot specify the peerServerDN option.
The masterServerDN option
indicates basic replication is configured for this backend section.
Therefore, the masterServerDN configuration option cannot be
specified if the useAdvancedReplication configuration option
is set to on in the CDBM backend database section.
You
might want the DN to have the same suffix as one of the suffix option
values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes
how to set up your master server DN.
For information about specifying
a value for a distinguished name for this option, see Specifying a value for a distinguished name.
- masterServerPW string
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | | |
Specifies the password for the masterServerDN that
can make updates for this backend. This option is only applicable
for a basic replication read-only LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the master
server password.
Note:
- Use of the masterServerPW configuration option is discouraged in production environments. Instead, specify your masterServerDN as the distinguished name of an existing entry in the directory information tree, including a userPassword attribute. This eliminates passwords from the configuration file.
- Password policy does not apply to the entry specified in the masterServerDN configuration option when the password is specified in the masterServerPW configuration option.
Note: The masterServerPW option indicates basic replication is configured for this backend section. Therefore, the masterServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.
- maxConnections num-connections
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the maximum number of concurrently connected clients that the LDAP server allows.
Range = 30 to 65535
Default = operating system maximum
The LDAP server limits the number of client connections
by restricting the number of file and socket descriptors used by the
LDAP server. Some of the descriptors are used by the LDAP server for
its own file descriptors and passive socket descriptors. The value
specified for this option takes into account that the server uses
approximately 10 descriptors for internal functions and uses more
depending upon the number of additional sockets used as passive sockets
for connection attempts by clients.
The maximum number of
client connections is further restricted by:
- The maximum number of files a single process can have concurrently
active.
The MAXFILEPROC statement for BPXPRMxx and the FILEPROCMAX
option on the RACF altuser command
are used to set the limit. Only processes with superuser authority
can adjust the limit beyond the limit specified by MAXFILEPROC and
FILEPROCMAX. Attempts to exceed this limit by non-superuser processes
might be audited by the security manager.
- The maximum number of sockets allowed by the TCP/IP socket file
system.
The MAXSOCKETS option on the NETWORK statement for BPXPRMxx
sets this limit.
Setting these limits too high can affect system performance
by using too many resources and deprive other functions of their share
of the same resources.
- multiserver {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | X | X | |
Indicates the operating mode in which the LDAP server runs for this backend. Specifying on indicates
the server runs in multi-server mode for this backend (see Determining operational mode). In multi-server mode, the LDAP server
shares directory data with other instances of the LDAP server running
within the sysplex. The serverSysplexGroup configuration option
must also be specified when running in multi-server mode. Specifying off indicates
the server runs in single-server mode for this backend.
Default = off
You can configure a backend to operate in single-server
mode while another backend operates in multi-server mode except when
GDBM or CDBM is configured. When CDBM or GDBM is configured, all TDBM,
LDBM, GDBM, and CDBM backends must be configured to use the same operating
mode.
- nativeAuthSubtree {all | dn}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | X | |
Specifies the distinguished name of a subtree
where all of its entries are eligible to participate in native authentication.
This option can appear multiple times to specify all subtrees that
use native authentication. If this option is omitted or is set to all,
then the entire directory is subject to native authentication. This
option is ignored if useNativeAuth is not set to selected or all.
For information about specifying a value for
a distinguished name for this option, see Specifying a value for a distinguished name.
Default = all
- nativeUpdateAllowed {on | off | reset}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | X | |
When
set to on or reset, enables native password or password
phrase changes in the security server to occur through a modify request
to the TDBM, LDBM, or CDBM backend if the useNativeAuth selected or all option
is specified.
When set to reset, this option also allows
a bind to the backend to succeed even if the specified native authentication
password is expired, if the PasswordPolicy control is included
in the bind request. After the bind, only the special delete-add modification
of the bound user's userPassword attribute can be performed
to reset the native authentication password. Once complete, other
LDAP operations can be performed.
This option does not affect
the ability to change a native password or password phrase during
a bind operation.
Note: z/OS LDAP
password policy does not apply to entries participating in native
authentication.
Default = off
- operationsMonitor {ip | ipAny | all}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the search patterns monitored by the LDAP server.
Operations monitor supports two types of search patterns: searchStats and searchIPStats.
A searchStats pattern consists of the search parameters (search
base, scope, filter, and attributes to be returned) and status (SUCCESS
or FAILURE). A searchIPStats pattern consists of the same
elements as in the searchStats pattern, but also includes the
client IP address. If operations monitor is enabled, LDAP monitors
search statistics for the types of search patterns that are configured.
See Operations monitor for more information about operations
monitor.
If set to ip, then only searchIPStats patterns
are monitored. This option setting is useful in determining if there
are any specific clients spamming the LDAP server.
If set to ipAny,
then only searchStats patterns are monitored. This option
is useful for evaluating the performance of search patterns.
If set to all, the operations monitor monitors both searchStats and searchIPStats patterns.
Therefore, each search is included in two search patterns, one matching
the searchStats pattern and one matching the searchIPStats pattern.
Default = ipAny
- operationsMonitorSize num-entries
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies
the maximum number of search patterns for which the operations monitor
gathers statistics. The value must be between 0 and 2147483647.
A value of 0 indicates that the operations monitor is turned off.
When the operations monitor is turned off, the cn=operations,cn=monitor entry
is not returned on a cn=monitor search.
Default = 1000
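The following Python model is an added example, not code from the z/OS LDAP server, of how the operationsMonitor and operationsMonitorSize settings shape what the operations monitor records: a searchStats pattern is keyed on the search parameters and status, a searchIPStats pattern adds the client IP address, and with all every search is counted under both. The SearchEvent and OperationsMonitor names, the constructed sample searches, and the behaviour when the pattern table is full (unseen patterns are simply not added) are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SearchEvent:
    """One completed search as the monitor sees it (constructed fields, not server log output)."""
    client_ip: str
    base: str
    scope: str
    search_filter: str
    attrs: Tuple[str, ...]
    status: str           # "SUCCESS" or "FAILURE"


def pattern_keys(ev: SearchEvent, mode: str) -> List[tuple]:
    """Pattern(s) a search contributes to under operationsMonitor ip | ipAny | all."""
    search_stats = ("searchStats", ev.base, ev.scope, ev.search_filter, ev.attrs, ev.status)
    search_ip_stats = ("searchIPStats", ev.client_ip) + search_stats[1:]
    if mode == "ip":
        return [search_ip_stats]
    if mode == "ipAny":
        return [search_stats]
    if mode == "all":
        return [search_stats, search_ip_stats]   # each search counted once per pattern type
    raise ValueError(f"operationsMonitor must be ip, ipAny or all: {mode!r}")


class OperationsMonitor:
    def __init__(self, mode: str = "ipAny", size: int = 1000):
        if not 0 <= size <= 2147483647:
            raise ValueError("operationsMonitorSize out of range")
        self.mode, self.size = mode, size
        self.counts: Counter = Counter()

    @property
    def enabled(self) -> bool:
        return self.size > 0      # size 0 turns the monitor off (no cn=operations,cn=monitor entry)

    def record(self, ev: SearchEvent) -> None:
        if not self.enabled:
            return
        for key in pattern_keys(ev, self.mode):
            # Assumption: once the table holds `size` patterns, unseen patterns are not added.
            if key in self.counts or len(self.counts) < self.size:
                self.counts[key] += 1

    def top(self, n: int = 3):
        return self.counts.most_common(n)


# Constructed sample: one client repeats the same broad subtree search; others search normally.
SAMPLE_SEARCHES = [
    SearchEvent("9.130.77.27", "o=example", "sub", "(objectclass=*)", (), "SUCCESS") for _ in range(5)
] + [
    SearchEvent("9.130.77.28", "o=example", "sub", "(objectclass=*)", (), "SUCCESS"),
    SearchEvent("10.20.30.40", "ou=people,o=example", "one", "(uid=alice)", ("mail",), "SUCCESS"),
    SearchEvent("10.20.30.40", "ou=people,o=example", "one", "(uid=bob)", ("mail",), "FAILURE"),
]


def noisiest_client(events=SAMPLE_SEARCHES, size: int = 1000) -> Tuple[str, int]:
    """With operationsMonitor ip, the busiest searchIPStats pattern names the client behind it."""
    mon = OperationsMonitor("ip", size)
    for ev in events:
        mon.record(ev)
    (key, count), = mon.top(1)
    return key[1], count
```

With ipAny the same six subtree searches collapse into one searchStats pattern, which tells you the search is expensive but not who is sending it; switching to ip splits that pattern by client address, which is why the option text recommends it for finding a client that is spamming the server.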
- pcIdleConnectionTimeout num-seconds
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the amount of time in seconds that an idle connection
remains valid over the LDAP PC (program call) callable interface.
After the specified time, the PC connection is considered no longer
in use and any resources associated with the connection are released.
Idle connections are detected when the LDAP server receives a new
PC connection or a request on an existing PC connection.
The value must be either 0 or between 30 and 2147483647. A value of 0
indicates that an idle connection remains indefinitely.
Default = 0 (indefinitely)
Suggested value = 0
- pcThreads num-threads
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies
the number of threads to be initialized to handle incoming program
call (PC) calls using the z/OS SAF
interface into the LDAP server. No threads are used if the program
call interface is not active. The value must be in the range of 2
to 2147483647.
Default = 10
- peerServerDN dn
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | | |
Specifies the distinguished name (DN) that can make updates
to this basic replication peer replica backend. The value must be
in DN format that is described in Data model.
The presence of this option indicates that this LDAP server is a peer
replica for this backend, and can receive updates from another peer
LDAP server using the specified DN and processing updates received
from clients. The specified DN is a special entry that is only used
when replicating to this peer replica backend. The DN has unrestricted
update, compare, and search access for all entries in the backend
on this server, even if the LDAP server is in maintenance mode. When
in maintenance mode, only this DN and an LDAP root administrator can
access and update the entries in this backend.
Update operations for this backend that are received from a client bound as the peerServerDN (or
as an LDAP root administrator when in maintenance mode) are performed
on the local database and are not sent to any peer or read-only replica
servers. When not in maintenance mode, all other update operations
for this backend are performed on the local database and are sent
to the other peer and read-only replica servers. Update operations
received from a peer or a master are never replicated, whether or not
the server is in maintenance mode. Updates made by an LDAP root administrator
are replicated unless the server is in maintenance mode.
You
cannot also specify the masterServerDN option in this section
of the configuration file.
The peerServerDN option indicates
basic peer-to-peer replication is configured for this backend section.
Therefore, the peerServerDN configuration option cannot be
specified if the useAdvancedReplication configuration option
is set to on in the CDBM backend database section.
You
might want the DN to have the same suffix as one of the suffix option
values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes
how to set up your peer replica DN.
For information about specifying
a value for a distinguished name for this option, see Specifying a value for a distinguished name.
- peerServerPW string
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | | |
Specifies the password for the peerServerDN that
can make updates for this backend. This option is only applicable
for a basic replication peer replica LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the peer
server password.
Note:
- Use of the peerServerPW configuration option is discouraged in production environments. Instead, specify your peerServerDN as the distinguished name of an existing entry in the directory information tree, including a userPassword attribute. This eliminates passwords from the configuration file.
- Password policy does not apply to the entry specified in the peerServerDN configuration option when the password is specified in the peerServerPW configuration option.
Note: The peerServerPW option indicates basic peer-to-peer replication is configured for this backend section. Therefore, the peerServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.
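The replication and operating-mode rules spread over the masterServer, masterServerDN, multiserver, peerServerDN and peerServerPW descriptions above are easy to violate in a hand-edited configuration. The following Python checker is an added example, not a tool shipped with the z/OS LDAP server, that applies those rules to a constructed in-memory representation of a configuration (a dict of sections, not the server's actual file syntax): the basic replication options are rejected when useAdvancedReplication is on in the CDBM section, masterServer and masterServerDN must appear together, masterServerDN and peerServerDN are mutually exclusive, multiserver on needs serverSysplexGroup, and all TDBM, LDBM, GDBM and CDBM backends must share one mode once GDBM or CDBM is configured. Passwords in the file and masterServer values that are not LDAP URLs are reported as warnings. The Finding type, the finding codes, and the sample configuration (including the placeholder group name LDAPGRP) are assumptions of the example.

```python
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "error" or "warning"
    section: str    # "global" or the backend type
    code: str
    message: str


# Options whose presence means basic replication is configured for a backend section.
BASIC_REPLICATION_OPTIONS = ("masterServer", "masterServerDN", "masterServerPW",
                             "peerServerDN", "peerServerPW")
# Backends whose multiserver mode must agree once GDBM or CDBM is configured.
MODE_BACKENDS = ("TDBM", "LDBM", "GDBM", "CDBM")


def _first(options: Dict[str, List[str]], name: str, default: str) -> str:
    return options.get(name, [default])[0].strip().lower()


def check_config(cfg: dict) -> List[Finding]:
    """cfg is a constructed dict: {"global": {opt: [values]}, "backends": [{"type": "TDBM", "options": {...}}]}."""
    findings: List[Finding] = []
    glob = cfg.get("global", {})
    backends = cfg.get("backends", [])

    cdbm = next((b for b in backends if b["type"] == "CDBM"), None)
    advanced = cdbm is not None and _first(cdbm["options"], "useAdvancedReplication", "off") == "on"

    for b in backends:
        sec, o = b["type"], b["options"]

        def add(severity: str, code: str, msg: str, sec: str = sec) -> None:
            findings.append(Finding(severity, sec, code, msg))

        if advanced:
            for name in BASIC_REPLICATION_OPTIONS:
                if name in o:
                    add("error", "advanced-replication-conflict",
                        f"{name} cannot be specified when useAdvancedReplication is on in the CDBM section")
        if "masterServer" in o and "masterServerDN" not in o:
            add("error", "masterServer-without-masterServerDN",
                "masterServer requires masterServerDN in the same section")
        if "masterServerDN" in o and "masterServer" not in o:
            add("error", "masterServerDN-without-masterServer",
                "masterServerDN requires masterServer in the same section")
        if "masterServerDN" in o and "peerServerDN" in o:
            add("error", "master-peer-conflict", "masterServerDN and peerServerDN cannot both be specified")
        for url in o.get("masterServer", []):
            if not url.strip().lower().startswith(("ldap://", "ldaps://")):
                add("warning", "masterServer-not-ldap-url",
                    f"the z/OS LDAP client can only follow masterServer values in LDAP URL format: {url!r}")
        for pw in ("masterServerPW", "peerServerPW"):
            if pw in o:
                add("warning", "password-in-config",
                    f"{pw} in the configuration file is discouraged; use an entry with a userPassword attribute")
        if _first(o, "multiserver", "off") == "on" and "serverSysplexGroup" not in glob:
            add("error", "multiserver-without-serverSysplexGroup",
                "multiserver on requires the serverSysplexGroup option")

    if any(b["type"] in ("GDBM", "CDBM") for b in backends):
        modes = {b["type"]: _first(b["options"], "multiserver", "off")
                 for b in backends if b["type"] in MODE_BACKENDS}
        if len(set(modes.values())) > 1:
            findings.append(Finding("error", "global", "multiserver-mode-mismatch",
                                    f"GDBM/CDBM configured, but backends differ in operating mode: {modes}"))
    return findings


def codes(findings: List[Finding]) -> set:
    return {f.code for f in findings}


# Constructed sample configuration containing several of the documented conflicts.
SAMPLE_CONFIG = {
    "global": {"adminDN": ["cn=Admin"]},
    "backends": [
        {"type": "TDBM", "options": {
            "masterServer": ["ldap://myldap.server.com:3389", "myldap2.server.com"],
            "masterServerDN": ["cn=Master,o=example"],
            "masterServerPW": ["secret"],
            "multiserver": ["on"],
        }},
        {"type": "LDBM", "options": {
            "masterServerDN": ["cn=Master,o=example"],
            "peerServerDN": ["cn=Peer,o=example"],
        }},
        {"type": "CDBM", "options": {"useAdvancedReplication": ["on"]}},
    ],
}
```

Run check_config over SAMPLE_CONFIG and every rule above fires at least once; the same structure with serverSysplexGroup set, advanced replication off, and matching multiserver values produces no findings.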
- persistentSearch {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | X | X | |
Allows or disallows
persistent search for changes made to entries in a backend. When off is
specified, persistent search requests for this backend are rejected.
See PersistentSearch for more information about persistent
search.
Default = off
- plugin pluginType pluginName pluginInit [pluginParameters]
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Defines a plug-in extension to the LDAP server. Writing
an LDAP server plug-in and using the SLAPI service routines are described
in
z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS.
A sample plug-in and its makefile are included in
/usr/lpp/ldap/examples.
Building and using the sample plug-in are described in the
z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS.
- For pluginType:
- Specify preOperation, clientOperation or postOperation.
A preOperation plug-in is called by the LDAP server before
a client request is processed. A clientOperation plug-in is
called to process a client request. A postOperation plug-in
is called after a client request is processed. A clientOperation plug-in
is called when a client request matches a distinguished name suffix
or extended operation object identifier registered for the plug-in.
- For pluginName:
- Specify the name of the shared library (DLL) containing the plug-in
code. A plug-in that supports both 31-bit and 64-bit addressing modes
specifies both file names separated by a slash, "/", such as plugin31/plugin64.
A plug-in that supports only 31-bit addressing mode specifies one
file name, such as plugin31.
- For pluginInit:
- Specify the name of the plug-in initialization routine. This
plug-in routine is called by the LDAP server to allow the plug-in
to initialize. The plug-in initialization routine registers supported
message types, distinguished name suffixes, and extended operation
object identifiers supported by the plug-in.
- For pluginParameters:
- Optionally, specify plug-in parameters. The plug-in can retrieve
these parameters using the slapi_pblock_get() routine.
The ICTX and remote crypto plug-ins are plug-in extensions that are shipped with the z/OS LDAP
server and provide additional function.
- The ICTX plug-in allows resource managers that do not exist on z/OS to centralize authorization
decisions and security event logging requests by using RACF. This enables consolidation of security
authorization and auditing functions. See ICTX plug-in for more information.
- The remote crypto plug-in allows remote applications
the ability to access PKCS#11 or CCA callable services implemented
within ICSF. PKCS#11 is one of the cryptographic standards of Public-Key
Cryptographic Standards (PKCS) that defines a platform-independent
programming interface to cryptographic tokens. CCA is in reference
to the IBM® Common Cryptographic
Architecture. See Remote crypto
plug-in for more information.
- port num-port
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Note: The port option has been deprecated by the listen option. See page listen ldap_URL for information about the listen option.
Specifies
the TCP/IP port used by the LDAP server for non-SSL communications.
The value must be in the range of 1 to 65535.
Default = 389
If
the serverSysplexGroup option is present in the configuration
file, the port number specified for this server instance must be the
same as the port number specified for all other members of the sysplex
group for dynamic workload balancing to function properly.
The
port number might be established in the configuration file, or it
might be established using the -p command-line parameter when
starting the LDAP server (see Setting up and running the LDAP server).
It
is advisable to reserve the port number chosen here in your TCP/IP
profile data set. Also, be aware that port numbers below 1024 might
require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for
further information.
- pwCryptCompat {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | X | |
Specifies whether to use an EBCDIC version or a UTF-8 version
of the crypt() algorithm to hash passwords when pwEncryption crypt is
contained in this section of the configuration file. If on,
the EBCDIC version of the crypt() algorithm is used. This is what
the z/OS Integrated Security
Services LDAP server used. If off, the UTF-8 version is used.
Note that ASCII is a subset of UTF-8. When sharing LDAP directory data
between z/OS and an ASCII-based
platform, specify pwCryptCompat off to ensure that the hashed
value is the same on both platforms.
Default = on
- pwEncryption {none | crypt | MD5 | SHA | SSHA | DES:keylabel | AES:keylabel}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | X | |
Specifies
what encryption or hashing method to use when storing the userPassword and ibm-slapdAdminPw attribute
values in the backend of the directory.
- none
- Specifies no encryption. The userPassword and ibm-slapdAdminPw attribute
values are stored in clear text format. The stored values are prefixed
with the tag {none}. The original value, without the tag, is returned
for a search request.
- crypt
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the crypt() algorithm before they are stored
in the directory. The stored values are prefixed with the tag {crypt}.
There are two versions of the crypt() algorithm: an EBCDIC-based version
and a UTF-8-based version. See the pwCryptCompat option and
the notes below for information about selecting which version to use.
The original password value cannot be retrieved in clear text format.
The tag and the hashed value are returned for a search request.
- MD5
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the MD5 hashing algorithm before they are stored
in the directory. The stored values are prefixed with the tag {MD5}.
The original password value cannot be retrieved in clear text format.
The tag and the hashed value are returned for a search request.
- SHA
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the SHA hashing algorithm before they are stored
in the directory. The stored values are prefixed with the tag {SHA}.
The original password value cannot be retrieved in clear text format.
The tag and the hashed value are returned for a search request.
- SSHA
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the Salted SHA (SSHA) hashing algorithm before
they are stored in the directory. The stored values are prefixed with
the tag {SSHA}. The original password value cannot be retrieved in
clear text format. The tag and the base64-encoded hashed and salt
values are returned for a search request.
- SHA224, SHA256, SHA384, SHA512
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the specified SHA-2 hashing algorithm before
they are stored in the directory. The stored values are prefixed
with the specified tag (for example, {SHA224}). The original password
value cannot be retrieved in clear text format. The tag and the base64-encoded
hashed value are returned for a search request.
- SSHA224, SSHA256, SSHA384, SSHA512
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are hashed by the specified Salted SHA-2 hashing algorithm
before they are stored in the directory. The stored values are prefixed
with the specified tag (for example, {SSHA224}). The original password
value cannot be retrieved in clear text format. The tag and the base64-encoded
hashed and salt values are returned for a search request.
- DES:keylabel
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are encrypted by the DES algorithm before they are stored in
the directory. The stored values are prefixed with the tag {DES:keylabel}.
The original password value, without the tag, is returned for a search
request. The key label must refer to either a valid data-encrypting
key generated by the KGUP utility and stored in the ICSF CKDS or to
an entry in the data set referenced by the LDAPKEYS DD statement.
See Symmetric encryption keys for more information.
- AES:keylabel
- Specifies that userPassword and ibm-slapdAdminPw attribute
values are encrypted by the AES algorithm using the specified key
label before they are stored in the directory. The stored values are
prefixed with the tag {AES:keylabel}. The original
password value without the tag is returned for a search request. The
key label must refer to either a valid data-encrypting key generated
by the KGUP utility and stored in the ICSF CKDS or to an entry in
the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
Note:
- When a password is stored in a TDBM, LDBM, or CDBM backend, it
is prefixed with the appropriate encryption tag so that when a clear
text password is sent on an LDAP API simple bind it can be encrypted
or hashed in that same method for password verification.
- The crypt algorithm, implemented across many platforms, accepts
only the first eight characters of a password. As a result, any password
supplied on a bind or compare operation that matches the first eight
characters of a userPassword attribute value hashed
with the crypt algorithm in the directory matches.
- When the pwCryptCompat option is set to on, the
values hashed using the crypt algorithm are not portable to other
X/Open-conformant systems if the userPassword and ibm-slapdAdminPw attribute
values are unloaded using the ds2ldif utility with the -t command-line
parameter and loaded by another platform's load utility. If the pwCryptCompat option
is set to off, the values hashed using the crypt algorithm
are portable to other X/Open-conformant systems if the userPassword and ibm-slapdAdminPw attribute
values are unloaded using the ds2ldif utility with the -t command-line
parameter. The output LDIF file from ds2ldif can then be loaded
using another platform's load utility.
- If a tagged encrypted or hashed userPassword or ibm-slapdAdminPw attribute
value is included in an add or modify operation, the attribute value
is added as it is, with no additional encryption or hashing performed
on the value, even if the pwEncryption configuration option
is set to a different type of encryption or hashing.
Default = none
- pwSearchOutput {binary | base64}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the format of MD5 and SHA hashed userPassword and ibm-slapdAdminPw attribute
values when retrieved on a search operation. This option does not
affect the retrieval of Salted SHA (SSHA), SHA-2, or Salted SHA-2
hashed userPassword and ibm-slapdAdminPw attribute values
on a search operation.
If set to binary and a userPassword or ibm-slapdAdminPw attribute
value is hashed in MD5 or SHA, the LDAP server returns the encryption
tag (either {MD5} or {SHA}) in UTF-8 followed by the binary hash.
If set to base64 and a userPassword or ibm-slapdAdminPw attribute
value is hashed in MD5 or SHA, the LDAP server returns the encryption
tag (either {MD5} or {SHA}) in UTF-8 followed by the base64-encoded
binary hash.
For an example of using this option, see One-way hashing formats.
Default = binary
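The tagged storage formats described under pwEncryption (SHA, SSHA, the SHA-2 and Salted SHA-2 variants) and the binary/base64 rendering selected by pwSearchOutput can be reproduced with standard library calls. The following is an added example, not code from the page or from the z/OS LDAP server: it builds a tagged value, verifies a candidate password against it the way a simple bind would (hash the candidate the same way, never reverse the stored value), and models the two pwSearchOutput renderings. The 8-byte salt length is an assumption; the page does not state the salt size the server uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Tags from the pwEncryption description and the digest each one denotes.
# A leading "S" (SSHA, SSHA256, ...) means salted: the stored value is
# base64(digest(password || salt) || salt), so the salt travels with the hash.
TAGGED_DIGESTS = {
    "MD5": "md5", "SHA": "sha1", "SSHA": "sha1",
    "SHA224": "sha224", "SSHA224": "sha224",
    "SHA256": "sha256", "SSHA256": "sha256",
    "SHA384": "sha384", "SSHA384": "sha384",
    "SHA512": "sha512", "SSHA512": "sha512",
}


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Return a tagged value such as '{SSHA256}<base64>' for the given scheme.

    The 8-byte random salt is an assumption; the page does not state the length."""
    scheme = scheme.upper()
    if scheme not in TAGGED_DIGESTS:
        raise ValueError("unsupported hashing scheme: " + scheme)
    salted = scheme.startswith("SSHA")
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(TAGGED_DIGESTS[scheme], password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def split_tag(stored: str) -> Tuple[str, str]:
    """Split '{TAG}body' into ('TAG', 'body'); untagged values get an empty tag."""
    if stored.startswith("{") and "}" in stored:
        tag, body = stored[1:].split("}", 1)
        return tag.upper(), body
    return "", stored


def verify_password(candidate: str, stored: str) -> bool:
    """Simple-bind style check: hash the candidate the same way and compare.

    The stored value is never reversed; the digest size of the tagged
    algorithm tells the verifier where the digest ends and the salt begins."""
    tag, body = split_tag(stored)
    if tag not in TAGGED_DIGESTS:
        return False  # {none}, {crypt}, {DES:..} and {AES:..} are outside this example
    algo = TAGGED_DIGESTS[tag]
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not tag.startswith("SSHA")):
        return False
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def search_output(stored: str, pw_search_output: str = "binary") -> bytes:
    """Model pwSearchOutput: for {MD5} and {SHA} the server returns the tag in
    UTF-8 followed by the raw hash (binary) or its base64 form (base64).
    Salted and SHA-2 values are returned base64-encoded whatever the setting."""
    tag, body = split_tag(stored)
    if tag in ("MD5", "SHA") and pw_search_output == "binary":
        return ("{" + tag + "}").encode("utf-8") + base64.b64decode(body)
    return stored.encode("utf-8")
```

Passing a fixed salt to hash_password makes the output reproducible for tests; in service the salt must be random per value, which is what the SSHA schemes buy over plain SHA: two users with the same password no longer share a stored hash.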
- readOnly {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | X | X | X | |
Specifies the ability to modify the database. The LDAP
server BACKEND operator modify command can be used to change
the backend database to read/write or read-only mode while the LDAP
server is running. Any attempt to use the LDAP server to modify the
database fails if readOnly is turned on.
Note:
- For GDBM, change log entries are not created and are not trimmed
(deleted) by the LDAP server when readOnly is on.
- When running in multi-server mode, the readOnly configuration
option is the same for all LDAP servers in the cross-system group
because any LDAP server can potentially handle update requests.
- For SDBM, readonly on does not prevent changing a RACF password during a bind operation
using the currentvalue/newvalue format. However, it does prevent
changing the password by using a modify operation of the racfpassword attribute.
- When LDBM, TDBM, or CDBM is using native authentication, the RACF password can be changed during
bind even though readonly on is specified. The RACF password cannot be changed by using the
LDBM, TDBM, or CDBM native authentication modify of the userpassword attribute.
- If authenticating or comparing an LDBM, TDBM, or CDBM entry that
is subject to password policy in the LDAP server, readonly on does
not prevent the password policy operational attributes from being
updated in the entry.
Default = off
- referral ldap_URL
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the referral to pass back when the target of a client request is not
included in any suffix within the LDAP server. It is also known as
the default referral. The referral option can appear
multiple times and lists equivalent servers. There is no required
format for the value; however, the z/OS LDAP client can only follow a referral
value if it is in LDAP URL format. See page listen ldap_URL for
a description of LDAP URL format.
A default referral is not returned to the client if the client request includes the manageDsaIT control.
See manageDsaIT for more information about this control.
In the following example, myldap.server.com is the host name and
3389 is the port number of the LDAP directory URL:
referral ldap://myldap.server.com:3389
In the following example, the IPv6 address
5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and
389 is the port number of the LDAP URL:
referral ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
- schemaPath name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the name of the file directory containing the
LDAP schema database. A fully-qualified directory path must be specified.
When multi-server mode is active, the same schema path must be specified
for each LDAP server within the cross-system group. The schema database
file is automatically created during LDAP server initialization if
it does not exist. The LDAP server must have write access to the
schema directory. This configuration option also determines the directory
used by CDBM to store its data if the CDBM backend is configured and
the databaseDirectory configuration option is not specified
in the CDBM backend configuration section.
Default = /var/ldap/schema
- schemaReplaceByValue {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Determines the behavior of modify operations with replace
values of the schema entry. When schemaReplaceByValue off is
specified, a modify operation with replace values for an attribute
in the schema entry behaves like a typical modify operation: all the
values currently in the attribute are replaced by the values specified
in the modify operation. When schemaReplaceByValue on is specified,
individual values in an attribute in the schema entry can be replaced
without removing all the other values currently in the attribute.
Except in several specific cases, the values of the attribute that
are in the initial LDAP server schema cannot be changed or removed.
See Updating the schema for more information about modifying
the schema.
The schemaReplaceByValue configuration option
can be overridden on a specific modify operation by including the schemaReplaceByValueControl control
in the modify request.
Default = on
- secretEncryption {none | DES:keylabel | AES:keylabel}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | X | | | X | |
Specifies the encryption method to use when storing the secretKey,
replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute
values in this backend. Applications might use the secretKey attribute
type to store sensitive data that must be encrypted in the directory
and to retrieve the data in clear text format. This encryption method
is used to protect the replicaCredentials attribute values
in this backend when basic replication is enabled. This encryption
method also protects the ibm-replicaKeyPwd and ibm-slapdMasterPw attribute
values in this backend when advanced replication is enabled.
- none
- Specifies no encryption. The secretKey, replicaCredentials,
ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute value
is stored in clear text format. The stored value is prefixed with
the tag {none}. This is the default if the secretEncryption option
is not specified. The attribute value without the tag is returned
for a search request.
- DES:keylabel
- The secretKey,
replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute
value is encrypted by the DES algorithm before it is stored in the
directory. The stored value is prefixed with the tag {DES:keylabel}.
The original value without the tag is returned for a search request.
The key label must refer to either a valid data-encrypting key generated
by the KGUP utility and stored in the ICSF CKDS or to an entry in
the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
- AES:keylabel
- The secretKey,
replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute
value is encrypted by the AES algorithm before it is stored in the
directory. The stored value is prefixed with the tag {AES:keylabel}.
The original value without the tag is returned for a search request.
The key label must refer to either a valid data-encrypting key generated
by the KGUP utility and stored in the ICSF CKDS or to an entry in
the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
Default = none
- securePort num-port
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Note: The securePort option has been deprecated by the listen option. See page
listen ldap_URL for information about the listen option.
Specifies the TCP/IP port used by the LDAP server for SSL communications. The
value must be in the range of 1 to 65535.
Default = 636
If the serverSysplexGroup option is present in the configuration
file, the secure port number specified for this server instance must
be the same as the secure port number specified for all other members
of the sysplex group for dynamic workload balancing to function properly.
The secure port number might be established in the configuration file,
or it might be established using the -s command-line parameter
when starting the LDAP server (see Setting up and running the LDAP server).
It is advisable to reserve the port number chosen here in your TCP/IP
profile data set. Also, be aware that port numbers below 1024 might
require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for
further information.
- security {ssl | sslonly | none | nossl}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Note: The security option has been deprecated by the listen option. See page
listen ldap_URL for information about the listen option.
Specifies what type of communications is accepted by the LDAP server. The ssl setting
indicates that the server listens on the secure port and the non-secure
port. The sslonly setting means that the server listens
only on the secure port. The none or nossl settings
indicate that the server listens only on the non-secure port. The sslKeyRingFile option
must also be specified when the ssl or sslonly settings
are used.
Default = none
- securityLabel {on | off}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Determines if the security label processing is activated
with bound LDAP clients. When on, the security labels associated
with the LDAP client and LDAP server are verified during the authentication
process. Security labels are recorded in all LDAP audit records. When off,
no security label processing is done.
Default = off
Use this option when configuring the LDAP server in a multilevel security
environment. For more information about configuring a z/OS system for multilevel security and how
to configure an LDAP server in that environment, see z/OS Planning for Multilevel Security and the Common Criteria.
- sendV3stringsoverV2as {UTF-8 | ISO8859-1}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the output data format to use when sending UTF-8 information
over the LDAP Version 2 protocol.
Default = UTF-8
See UTF-8 data over the LDAP Version 2 protocol for more detailed information about the
use of this setting.
- serverCompatLevel {3 | 4 | 5 | 6 | 7}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the server compatibility level. This value can
be used to limit the functions supported by the server so that the
server can be compatible with older versions of LDAP servers when
they are sharing directory data in a sysplex group. To produce consistent
results, all the LDAP servers in the same sysplex group name must
support the same functions. If fallback is required to a lower server
compatibility level than is currently being used, it is necessary
to remove all exploitation of function that is available at the current
compatibility level but not at the lower level. The server might
not start at the lower level until this is complete. If fallback is
necessary with a server that is using the TDBM or DB2-based GDBM backend,
see Fallback from a TDBM or DB2-based GDBM backend in z/OS IBM TDS to an earlier z/OS IBM TDS version for fallback procedures.
Note: If there are DB2-based backends configured in the LDAP server, the serverCompatLevel value
also sets the DB_VERSION value in the DB2 DIR_MISC
table for the backend. The DB_VERSION value is queried at LDAP server
initialization to verify that the DB2-based backend is running on
a supported level for the z/OS release.
Therefore, it is especially important to set this value appropriately
when running in multi-server mode and sharing DB2-based backends to
the earliest z/OS LDAP server release that is to be shared.
The serverCompatLevel values are:
- 3 - This value limits the sharing of data in a sysplex
to TDBM backends, DB2-based GDBM backends, and schema. Basic replication
is supported from (but not into) the sysplex. Dynamic and nested groups
are supported, as is schema replace by value. Specify this value when
a z/OS Integrated Security
Services (ISS) LDAP server is running in the sysplex.
- 4 - This value enables cross-system coupling facility (XCF)
messaging support for TDBM and DB2-based GDBM backends in the sysplex
group and supports basic replication from and into the sysplex.
Note: When the schema, LDBM, and file-based GDBM backends are shared in a sysplex,
XCF messaging is used to communicate between the LDAP servers in the
same sysplex group no matter the serverCompatLevel setting.
Specify this value when the sysplex group contains a z/OS IBM TDS
server running on z/OS V1R10 or earlier and there are no ISS LDAP servers in the sysplex.
- 5 - This value enables advanced replication and allows
the CDBM backend to be configured. Schema and all backends can be
shared in the sysplex. Specify this value when the sysplex group only
contains z/OS IBM TDS servers running on z/OS V1R11 or later.
- 6 - This value enables ACL filters, password policy, Salted
SHA (SSHA) password hashing, and usage of additional schema syntaxes
and matching rules. Specify this value when the sysplex group only
contains z/OS IBM TDS servers running on z/OS V1R12 or later.
- 7 - This value enables usage of group search limits, administrative
roles, and hashing userPassword attribute values using the
SHA-2 and Salted SHA-2 algorithms. It also supports hashing and encrypting ibm-slapdAdminPw attribute
values using the same algorithms as for userPassword attribute
values. Specify this value when the sysplex group only contains z/OS IBM TDS
servers running on z/OS V1R13
or later.
Default = 7 if not running in a sysplex (the serverSysplexGroup configuration option is not specified).
Default = 4 if running in a sysplex (the serverSysplexGroup configuration option is specified).
- serverEtherAddr mac_address
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the Media Access Control (MAC) address used
for entry UUID generation. This value must be unique for all LDAP
servers in your enterprise. You must specify the MAC address if multiple
LDAP servers run on a (hardware) system. This applies if your LDAP
servers are on different LPARs and also if two LDAP servers are on
the same LPAR. You do not need to specify this field if this is the
only LDAP server that runs on this (hardware) system.
The MAC address consists of 12 hexadecimal digits. The suggested form of the mac_address is:
4xmmmmssssss
Where:
- x
- Is a one-character LDAP directory number. If more than one LDAP
server is operating on a processor, specify a different x value
for each server. If more than 16 LDAP servers are wanted, then use
a serial number and model number from a processor that is not running
an LDAP server. If another processor is not available, then set the x, mmmm,
and ssssss values from the MAC address on an old Ethernet card
that is no longer being used or not used to run an LDAP server.
- mmmm
- Is the four-digit model number of the processor.
- ssssss
- Is the six-digit serial number of the processor.
It is not necessary to follow this convention if
you specify the serverEtherAddr option for all LDAP servers
in your enterprise. In this case, you can specify any combination
of 12 hexadecimal digits if each LDAP server has a unique value.
Following is an example:
serverEtherAddr 4A123401234D
Default = The LDAP server uses the hardware model and serial numbers to generate
a MAC address.
- serverKrbPrinc kerberosIdentity
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the Kerberos principal name assigned to the LDAP
server that was created in Defining the Kerberos identity. This
value becomes the server name in Kerberos service tickets. The principal
name must consist of characters that can be represented in the ISO8859-1
code page. The format for kerberosIdentity is:
ldap_prefix/primary-dns-name@krbRealmName
Where:
- ldap_prefix
- Is ldap or LDAP. Use ldap to
assure interoperability with all LDAP clients. LDAP is
accepted, but this value is not usable with many non-z/OS LDAP clients.
- primary-dns-name
- Is the canonical host name returned by the DNS name service.
- krbRealmName
- Is the Kerberos defined realm in which the LDAP server operates. For
more information about setting up a Kerberos realm on z/OS, see z/OS Integrated Security Services Network Authentication Service Administration.
Following are examples:
serverKrbPrinc LDAP/myhost.realm.com@MYREALM.COM
serverKrbPrinc ldap/myhost.myrealm.com@MYREALM.COM
Default = ldap/primary-dns-hostname@default-krbRealmName
- serverName string
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| | X | | | X | | |
Specifies the name of the DB2 server location
that manages the tables for the LDAP server. This value must match
the name of one of the DATA SOURCE stanzas that must
be specified in the ODBC initialization data set that is specified
by the dsnaoini option in the configuration file.
See the DB2 information in IBM Information Management
Software for z/OS Solutions Information Center for a description
of the DSNAOINI ODBC initialization data set contents. Using the example
DSNAOINI file in Figure 1, the value of string for serverName is LOC1.
If the serverName configuration option is specified
for a backend, the option must also be specified, with the same value,
for all the TDBM and DB2-based GDBM backends in the configuration
file.
Default = The default data source is used. This is the DB2 subsystem specified by the MVSDEFAULTSSID
record in the DSNAOINI file.
- serverSysplexGroup name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies that this LDAP server is participating in data
sharing in a sysplex and indicates the name of the cross-system coupling
facility (XCF) group. All LDAP servers in the sysplex that specify
the same group name share the LDAP server schema and the directories
of backends that specify the multiserver on option. The group
name is 1-8 characters and consists of letters (A-Z), numbers (0-9),
and special characters (@, #, and $). The special characters must
be in the IBM-1047 code page.
- sizeLimit num-limit
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | X | X | X | X | X | |
Specifies the maximum number of entries to return from
a search operation. The maximum number can be modified on a specific
search request as described below.
Range = 0 - 2147483647 (0 = no limit)
Default = 500
This option applies to all backends,
except EXOP, unless specifically overridden in a backend definition
or in group search limits. Specifying this before a database line
in the configuration file sets the option for all backends, except
EXOP. Specifying it after a database line sets the option
just for the backend defined by the database line. Specifying
a size limit using group search limits sets the limit only for the
members of that group. See Managing group search limits for
more information about group search limits.
A limit on the number of entries returned can also be specified by the client on a search
request. The following behavior is used when determining
the size limit for a search request.
- If the client has not bound as an administrator:
- If a group search size limit exists for the requester, then the
size used to limit the search is the smaller of the size limit passed
by the client and the group search size limit. If the client does
not specify a size limit on the search, then the group search size
limit is used.
- If a group search size limit does not exist for the requester,
then the size used to limit the search is the smaller of the size
limit passed by the client and the size limit read by the server from
the sizeLimit configuration option in the configuration file
(which defaults to 500). If the client does not specify a size limit,
then the server size limit is used.
- If the client has bound as an administrator, the size limit is
the value passed by the client. If the client does not specify a limit,
then the number of entries returned is unlimited. The size limits
from the configuration file and from group search limits are ignored
when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend):
- The limit is the smaller of the limit passed by the client and
the limit read by the server from the sizeLimit option in the
configuration file (which defaults to 500). If the client does not
specify a limit, then the server limit is used. It does not matter
how the client has bound.
- The number of entries returned might be further restricted by
limits imposed by RACF. See Accessing RACF information for more information.
There are additional considerations for size limit when
performing a subtree search from the root DSE (a NULL-based search).
See Root DSE search with subtree scope (Null-based subtree search) for more information.
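The size-limit selection rules above have one edge case worth seeing in code: a configured sizeLimit of 0 means "no limit", so a naive minimum of the client and server values would wrongly cap the search at 0. The following is an added example (not the LDAP server's own logic) that encodes the rules for the administrator, group-limit, default and SDBM cases with None standing for "no cap"; the RACF-imposed restrictions mentioned for SDBM are outside what it models.

```python
from typing import List, Optional, Tuple

NO_LIMIT = 0  # the page: sizeLimit 0 = no limit


def _cap(limit: Optional[int]) -> Optional[int]:
    """Normalise 'not specified' (None) and the page's 0 = no limit to None."""
    return None if limit is None or limit == NO_LIMIT else limit


def _smaller(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Smaller of two caps where None means unlimited (so min() alone is wrong)."""
    caps = [c for c in (_cap(a), _cap(b)) if c is not None]
    return min(caps) if caps else None


def effective_size_limit(client_limit: Optional[int], *, bound_as_admin: bool,
                         group_limit: Optional[int] = None,
                         server_limit: int = 500, sdbm: bool = False) -> Optional[int]:
    """Return the cap applied to a search (None = unlimited), following the rules above.

    client_limit: limit passed on the search request (None if the client sent none)
    group_limit:  group search limit for the requester (None if none exists)
    server_limit: the sizeLimit configuration option (default 500)
    sdbm:         the search targets the SDBM backend"""
    if sdbm:
        # SDBM: smaller of the client and configured limits, however the client bound
        return _smaller(client_limit, server_limit)
    if bound_as_admin:
        # configuration and group limits are ignored; no client limit = unlimited
        return _cap(client_limit)
    if group_limit is not None:
        return _smaller(client_limit, group_limit)
    return _smaller(client_limit, server_limit)


def apply_size_limit(entries: List[str], limit: Optional[int]) -> Tuple[List[str], bool]:
    """Truncate a result set to the cap; the flag signals that entries were dropped
    (the situation in which an LDAP server answers sizeLimitExceeded)."""
    if limit is None or len(entries) <= limit:
        return entries, False
    return entries[:limit], True
```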
- srvStartUpError {terminate | ignore}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies whether the LDAP server stops if a backend or
plug-in fails to initialize after the configuration file is read.
If terminate, the server ends when any backend or plug-in
fails to initialize. If ignore, the LDAP server continues
processing if the schema successfully initializes. The option also
applies to failures when initializing the LDAP PC callable support
interface if that has been configured and initializing WLM support.
Note that a configuration error that occurs before backend or plug-in initialization
begins always causes the server to end.
Default = terminate
- sslAuth {serverAuth | serverClientAuth}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the SSL/TLS authentication method. The serverAuth method
allows the LDAP client to validate the LDAP server on the initial
contact between the client and the server.
The serverClientAuth method allows the LDAP client to validate the LDAP server. In addition, the
LDAP server validates the LDAP client if the client sends its digital
certificate on the initial contact between the client and the server.
Note: In order for clients to perform SASL EXTERNAL binds to the LDAP
server, it is necessary to configure the server with sslAuth serverClientAuth.
See Setting up for SSL/TLS for more SSL/TLS information.
Default = serverAuth
- sslCertificate {certificateLabel | none}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the label of the certificate that is used for LDAP server authentication.
If using a key database file, the certificate is created and managed
using the gskkyman utility. If using a RACF key ring, the certificate is created and
managed using the RACDCERT command. If using a PKCS #11 token,
the certificate can be created and managed by using either the gskkyman utility
or the RACDCERT command. See z/OS Cryptographic Services System SSL Programming for
details on using the gskkyman utility or z/OS Security Server RACF Command Language Reference for
details on using the RACDCERT command. See Setting up for SSL/TLS for more SSL/TLS information.
Default = none
If the value is none (by default or by specification), the default certificate, marked in the key database
file, the RACF key ring, or the PKCS #11 token, is used for server authentication.
- sslCipherSpecs {string | GSK_V3_CIPHER_SPECS_EXPANDED | ANY}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the SSL Version 3.0 and TLS Version 1.0 cipher
specifications that the LDAP server accepts from clients. Use of this
option to specify the specific cipher suites is limited, and provided
only for compatibility with earlier versions. It supports only a
portion of the cipher suites available in z/OS System SSL, contains no 4-character cipher
suites, and provides no order of preference. The preferred approach
is to set the option to GSK_V3_CIPHER_SPECS_EXPANDED and then set
the environment variable GSK_V3_CIPHER_SPECS_EXPANDED to the list
of 4-character cipher specifications you want, in order of preference.
If the cipher specifications you want are included in Table 1 and if the order of preference
matches the default order that is provided by z/OS System SSL, then the sslCipherSpecs option
may be used with any of the values that are described.
In this case, the cipher specification is a blank delimited string that
represents an ORed bit-mask indicating the SSL/TLS cipher specifications
that are accepted from clients. Clients that support any of the specified
cipher specifications are able to establish an SSL/TLS connection
with the server. Table 1 lists the CipherSpec mask values and the related decimal, hexadecimal, and
keyword values. See z/OS Cryptographic Services System SSL Programming for
a description of supported cipher specifications.
The cipher specification might be specified as follows:
- A decimal value (for example, 256)
- A hexadecimal value (for example, x100)
- A keyword (for example, TRIPLE_DES_SHA_US)
- A construct of those values using plus and minus signs to indicate
inclusion or exclusion of a value. For example:
- 256+512 is the same as specifying 768,
or x100+x200, or TRIPLE_DES_SHA_US+DES_SHA_EXPORT
- 52992 is the same as specifying ALL-RC2_MD5_EXPORT-RC4_MD5_EXPORT
Depending upon the level of System SSL support installed,
some ciphers might not be supported. System SSL ignores the unsupported
ciphers. Consult the System SSL documentation to determine the specific
ciphers that your installation supports.
See Setting up for SSL/TLS for more SSL/TLS information.
Default = ANY
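Because the legacy sslCipherSpecs value is an ORed bit mask, the plus/minus constructs above are bit operations, not arithmetic, and a minus term removes a cipher that an earlier term or ALL admitted. The following is an added example (not IBM's parser) of an evaluator for that syntax. Only the values 256 (TRIPLE_DES_SHA_US) and 512 (DES_SHA_EXPORT) come from this page; the entries for RC4_MD5_EXPORT, RC2_MD5_EXPORT and ALL are constructed placeholders chosen so that the page's 52992 example evaluates correctly, and must be replaced with the values from Table 1 before use.

```python
import re
from typing import Dict

# Keyword bit values.  Only TRIPLE_DES_SHA_US (256) and DES_SHA_EXPORT (512) are
# given on this page; the other three are constructed placeholders chosen so that
# the page's second example (ALL-RC2_MD5_EXPORT-RC4_MD5_EXPORT = 52992) holds.
# Take the real values from Table 1 of the reference before relying on them.
KEYWORDS: Dict[str, int] = {
    "TRIPLE_DES_SHA_US": 256,
    "DES_SHA_EXPORT": 512,
    "RC4_MD5_EXPORT": 4096,   # placeholder
    "RC2_MD5_EXPORT": 8192,   # placeholder
    "ALL": 65280,             # placeholder
}

# One signed term: optional +/-, then a keyword, an x-prefixed hex value (x100),
# or a decimal value.  The hex form is matched by the keyword branch and sorted
# out in term_value().
TERM = re.compile(r"([+-]?)([A-Za-z_][A-Za-z0-9_]*|[0-9]+)")


def term_value(token: str) -> int:
    """Decimal (256), hexadecimal with x prefix (x100), or keyword (TRIPLE_DES_SHA_US)."""
    if token.isdigit():
        return int(token)
    if re.fullmatch(r"x[0-9A-Fa-f]+", token):
        return int(token[1:], 16)
    try:
        return KEYWORDS[token.upper()]
    except KeyError:
        raise ValueError("unknown cipher keyword: " + token) from None


def construct_mask(construct: str) -> int:
    """Evaluate one construct: '+' ORs a value in, '-' clears its bits.

    The mask is a bit set, so '-' is a bit clear rather than arithmetic
    subtraction; on the disjoint bit values of a cipher table both agree."""
    terms = TERM.findall(construct)
    if "".join(sign + tok for sign, tok in terms) != construct:
        raise ValueError("malformed cipher construct: " + construct)
    mask = 0
    for sign, token in terms:
        value = term_value(token)
        mask = mask & ~value if sign == "-" else mask | value
    return mask


def cipher_mask(spec: str) -> int:
    """sslCipherSpecs takes a blank-delimited list of constructs ORed together."""
    mask = 0
    for construct in spec.split():
        mask |= construct_mask(construct)
    return mask


def accepts(mask: int, keyword: str) -> bool:
    """True if the mask admits the named cipher, that is, its bit is set."""
    return bool(mask & KEYWORDS[keyword.upper()])
```

Note what the evaluator cannot express: the page says this form carries no order of preference and covers only part of the System SSL suites, which is why the GSK_V3_CIPHER_SPECS_EXPANDED environment variable is the recommended route.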
- sslKeyRingFile name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the path and file name of the SSL/TLS key database file, the name of the RACF key ring, or the name of the
PKCS #11 token to be used by the LDAP server. SSL/TLS connections
are not available if this option is not specified.
When using a key database file, the file path and name specified here must match
the path and name of the key database file that was created using
the gskkyman utility (see z/OS Cryptographic Services System SSL Programming).
Also, see Setting up for SSL/TLS for more SSL/TLS information.
The LDAP server supports the use of a RACF key ring. Specify the RACF key
ring name for the sslKeyRingFile and comment out
the sslKeyRingFilePW and sslKeyRingPWStashFile configuration
options to use this support.
The LDAP server also supports the use of a PKCS #11 token. Specify the PKCS #11 token on the sslKeyRingFile configuration
option in the following format (where NAME is the name of the PKCS #11 token): *TOKEN*/NAME.
Ensure that the sslKeyRingFilePW and sslKeyRingPWStashFile configuration
options are commented out to use this support.
See Creating and using key databases, key rings, or PKCS #11 tokens for more information.
- sslKeyRingFilePW string
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies the password protecting access to the SSL/TLS key database file. The
password string must match the password to the key database file that
was created using the gskkyman utility (see z/OS Cryptographic Services System SSL Programming).
Also, see Setting up for SSL/TLS for more SSL/TLS information.
Note: Use of the sslKeyRingFilePW configuration option is
discouraged. As an alternative, use either a RACF key ring, a PKCS #11 token, or specify
the sslKeyRingPWStashFile configuration option.
Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration
options if you are using a RACF key ring or PKCS #11 token.
- sslKeyRingPWStashFile name
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies a file system file name where the password for the server's key database file is stashed.
Use the full path name of the stash file in the file system for name.
If this option is present, then the password from this stash file overrides
the sslKeyRingFilePW configuration option, if present.
Use the gskkyman utility with the -s option
to create a key database password stash file. See Setting up for SSL/TLS for more SSL/TLS information.
Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration
options if you are using a RACF key ring or PKCS #11 token.
- sslMapCertificate {off | check | add | replace} {fail | ignore}
| Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP |
|---|---|---|---|---|---|---|
| X | | | | | | |
Specifies whether the server maps a certificate used in a SASL
EXTERNAL bind to the RACF user that is associated with the certificate.
When check, add, or replace is specified for the first value, RACF is searched for the user ID associated
with the certificate used during a SASL certificate bind. The sslKeyRingFile configuration
option must be specified to indicate which key database, RACF key ring, or PKCS #11 token to use to do
this. If there is no RACF user ID associated with the certificate and fail is specified for
the second value, then the SASL EXTERNAL bind fails. If there
is no associated RACF user ID and ignore is specified for the second value, the bind continues
without mapping the certificate to a RACF user.
If an associated RACF user ID is found and add or replace is specified for the first
value, a distinguished name (DN) is created based on the user ID and
the SDBM suffix. For add, this mapped DN is added to the list
of DNs associated with the bind DN that was created from the subject's
name in the certificate. For replace, this mapped DN replaces
the bind DN that was created from the subject's name in the certificate.
The mapped DN is used when gathering the groups in which the bound
user exists and when checking authorization for LDAP operations, including
SDBM operations. SDBM must be configured when add or replace is
specified.
When off is specified for the first value, RACF is not searched for the user
ID associated with the certificate and no certificate mapping is performed.
In this case, it does not matter what the second value is (fail or ignore).
Default = off fail
- suffix dn_suffix
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
 | X | X | X | | |
Denotes the distinguished name of the root of a subtree in the namespace managed by this backend within the LDAP server. This option can be specified more than once to indicate all the roots of the subtrees within this backend, except for the SDBM backend, which must have exactly one suffix. Note that a suffix cannot be specified for the GDBM, CDBM, and EXOP backends. When the GDBM backend is configured, the cn=changelog suffix is reserved. When the CDBM backend is configured, the cn=configuration and cn=ibmpolicies suffixes are reserved.
Identical and overlapping suffixes cannot be specified in the LDAP server configuration file, even if the suffixes are in different backends. Such suffixes make it ambiguous which backend should hold an entry below the shorter suffix and can produce unexpected results. An example of overlapping suffixes is:
suffix ou=Server Group, o=IBM
suffix o=IBM
See Specifying a value for a distinguished name for information about specifying special characters and restrictions on attributes in the suffix.
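The overlap rule above is easy to violate when suffixes are spread across several backend definitions, so a check run over the configuration file before starting the server is worth having. The following is an added example, not IBM's own tooling: it collects every suffix line, normalizes the DNs with a deliberately simplified comparison (RDNs split on unescaped commas, case-insensitive, whitespace trimmed; multi-valued RDNs and hex escapes are not handled) and reports identical or overlapping pairs. The sample configuration and its database library names are constructed for the example.

```python
"""Lint the suffix lines of an LDAP server configuration for identical or
overlapping suffixes (added example, not IBM's own tooling).

DN handling is deliberately simplified: RDNs are split on unescaped commas,
attribute types and values are compared case-insensitively after trimming
whitespace, and multi-valued RDNs or hex-escaped values are not handled.
"""
from typing import List, Tuple

# Constructed sample configuration (not from the original page); the two
# o=IBM suffixes reproduce the overlapping example given in the text.
SAMPLE_CONFIG = """\
database TDBM GLDBTD31
suffix ou=Server Group, o=IBM
database LDBM GLDBLD31
suffix o=IBM
suffix "o=Deltawing, c=AU"
database SDBM GLDBSD31
suffix cn=RACF
"""


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Return the DN as a root-first tuple of normalized 'type=value' RDNs."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # keep the escaped character as-is
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends an RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(reversed(normalized))   # root RDN first, leaf RDN last


def suffixes_overlap(a: str, b: str) -> bool:
    """True when one suffix is identical to, or sits below, the other."""
    na, nb = normalize_dn(a), normalize_dn(b)
    depth = min(len(na), len(nb))
    return na[:depth] == nb[:depth]


def parse_suffixes(config_text: str) -> List[str]:
    """Collect every suffix value, stripping the optional surrounding quotes."""
    found = []
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "suffix":
            value = parts[1].strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            found.append(value)
    return found


def find_conflicts(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, suffix_a, suffix_b) for every conflicting pair, in file order."""
    suffixes = parse_suffixes(config_text)
    conflicts = []
    for i, a in enumerate(suffixes):
        for b in suffixes[i + 1:]:
            if suffixes_overlap(a, b):
                kind = "identical" if normalize_dn(a) == normalize_dn(b) else "overlapping"
                conflicts.append((kind, a, b))
    return conflicts


if __name__ == "__main__":
    for kind, a, b in find_conflicts(SAMPLE_CONFIG):
        print(f"{kind} suffixes: '{a}' and '{b}'")
```

Because the check compares backends against each other, it catches the case the text warns about, an `o=IBM` suffix in one backend shadowing an `ou=Server Group, o=IBM` suffix in another, which a per-backend review would miss.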
- supportKrb5 {on | off}
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
X | | | | | |
Specifies whether the LDAP server participates in Kerberos GSS API authentication. If it does, Kerberos GSS API binds are accepted and the corresponding information is published in the server's root DSE.
Default = off
- tcpTerminate {terminate | recover}
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
X | | | | | |
Specifies whether the LDAP server ends when network interfaces
are not active. The LDAP server periodically polls the network interfaces
it is using to determine when they go down and come back up. If an
interface fails but the LDAP server still has at least one active
interface, the server continues processing and reestablishes a failed
interface when it detects that it has become active. If all interfaces
fail and tcpTerminate terminate is specified, the LDAP server
ends. If tcpTerminate recover is specified, then the LDAP
server remains active and attempts to reestablish network interfaces
when it detects they have become active. All client operations targeted
to the LDAP server fail until a network interface can be reconnected.
The frequency of polling can be set using the LDAP_NETWORK_POLL environment
variable. See Environment variables used by the LDAP server for more information.
The tcpTerminate option also determines whether the LDAP server ends if SSL or Kerberos initialization fails during server initialization. If terminate is specified, the LDAP server ends. If recover is specified, the LDAP server continues initialization, but the failed interface (SSL or Kerberos) cannot be used until the error is fixed and the LDAP server is restarted. With recover, a server whose SSL initialization failed therefore comes up serving only the interfaces that did initialize, so check the startup messages rather than assuming that SSL is in effect.
Default = recover
- timeLimit num-seconds
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
X | X | X | X | X | X |
Specifies the maximum number of seconds (in real time)
the LDAP server spends answering a search request. This maximum
number can be modified on a specific search request as described below. If
a request cannot be processed within this time, a result indicating
an exceeded time limit is returned.
Range = 0 - 2147483647
0
= no limit
Default = 3600
This option applies to all backends,
except EXOP, unless specifically overridden in a backend definition
or in group search limits. Specifying this before a database line
in the configuration file sets the option for all backends, except
EXOP. Specifying it after a database line sets the option
just for the backend defined by the database line. Specifying
a time limit using group search limits sets the limit only for the
members of that group. See Managing group search limits for
more information about group search limits.
A limit on the amount of time can also be specified by the client on a search request. The following rules determine the time limit that is used for a search request.
- If the client has not bound as an administrator:
- If a group search time limit exists for the requester, the time used to limit the search is the smaller of the time limit passed by the client and the group search time limit. If the client does not specify a time limit on the search, the group search time limit is used.
- If a group search time limit does not exist for the requester, the time used to limit the search is the smaller of the time limit passed by the client and the time limit read by the server from the timeLimit configuration option in the configuration file (which defaults to 3600). If the client does not specify a time limit, the server time limit is used.
- If the client has bound as an administrator, the time limit is the value passed by the client. If the client does not specify a limit, the amount of time is unlimited. The time limits from the configuration file and from group search limits are ignored when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend):
- The limit is the smaller of the limit passed by the client and the limit read by the server from the timeLimit option in the configuration file (which defaults to 3600). If the client does not specify a limit, the server limit is used. It does not matter how the client has bound.
There are additional considerations for time limit when
performing a subtree search from the root DSE (a NULL-based search).
See Root DSE search with subtree scope (Null-based subtree search) for more information.
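The precedence rules above are compact but easy to get wrong when 0 means "no limit", since a plain minimum would treat 0 as the tightest limit rather than the loosest. The following added example, which is not the z/OS LDAP server's own code, encodes the rules as a function and also derives the per-backend configured limit from the position of timeLimit lines relative to database lines, as the option description explains. Assumptions for the example: a client limit of 0 means the client sent no limit (the LDAP protocol meaning of timeLimit 0), a configured or group limit of 0 means unlimited, and the sample configuration with its database library names is constructed.

```python
"""Resolve the effective search time limit the way the text above describes
(added example, not the z/OS LDAP server's own code).

Conventions, as assumptions for this example: a client time limit of 0 means
the client set no limit (the LDAP protocol's meaning of timeLimit 0), and a
configured or group limit of 0 means 'no limit', matching the option's range
description. None for group_limit means no group search limit applies.
"""
from typing import List, Optional, Tuple

NO_LIMIT = 0


def smaller_limit(a: int, b: int) -> int:
    """Smaller of two limits where 0 means unlimited (so min() alone is wrong)."""
    if a == NO_LIMIT:
        return b
    if b == NO_LIMIT:
        return a
    return min(a, b)


def effective_time_limit(client_limit: int, *, server_limit: int = 3600,
                         group_limit: Optional[int] = None,
                         admin_bound: bool = False, sdbm: bool = False) -> int:
    """Seconds the server will spend on this search; 0 means unlimited."""
    if sdbm:
        # SDBM: client limit vs configured limit, regardless of how the client bound.
        return server_limit if client_limit == NO_LIMIT else smaller_limit(client_limit, server_limit)
    if admin_bound:
        # Administrators get exactly what they asked for; no limit if they asked for none.
        return client_limit
    if group_limit is not None:
        return group_limit if client_limit == NO_LIMIT else smaller_limit(client_limit, group_limit)
    return server_limit if client_limit == NO_LIMIT else smaller_limit(client_limit, server_limit)


def backend_time_limits(config_text: str, default: int = 3600) -> List[Tuple[str, int]]:
    """Per-backend timeLimit from configuration order: a timeLimit before the
    first database line is global, one after a database line applies only to
    that backend. EXOP never takes a time limit. Backends keep file order."""
    global_limit = default
    backends: List[Tuple[str, Optional[int]]] = []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "database":
            backends.append((parts[1].upper(), None))
        elif keyword == "timelimit":
            if backends:
                name, _ = backends[-1]
                backends[-1] = (name, int(parts[1]))
            else:
                global_limit = int(parts[1])
    return [(name, global_limit if limit is None else limit)
            for name, limit in backends if name != "EXOP"]


# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
timeLimit 1800
database TDBM GLDBTD31
database LDBM GLDBLD31
timeLimit 300
database SDBM GLDBSD31
database EXOP GLDXPLG
"""

if __name__ == "__main__":
    for name, limit in backend_time_limits(SAMPLE_CONFIG):
        got = effective_time_limit(600, server_limit=limit, sdbm=(name == "SDBM"))
        print(f"{name}: configured timeLimit {limit}, non-admin client asking 600 gets {got}")
```

Note the two places where a bound administrator is not exempt: the SDBM rule applies before the administrator rule, and a configured limit of 0 is only unlimited for the server's own cap, not a way to shorten a client's request.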
- useAdvancedReplication {on | off}
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
 | | | | | X |
Specifies if the LDAP server supports advanced replication.
If advanced replication is active, then the
masterServer, masterServerDN,
masterServerPW, peerServer, peerServerDN, and
peerServerPW configuration
options cannot be specified in any LDBM, TDBM, or CDBM backends.
Note: - The LDAP server does not start when useAdvancedReplication on is specified and entries with an objectclass of replicaObject are present in a TDBM, LDBM, or CDBM backend. In this configuration, any request to add or modify an entry with an objectclass of replicaObject is rejected.
- The LDAP server does not start when useAdvancedReplication off is specified and entries with an objectclass of ibm-replicationAgreement, ibm-replicationContext, ibm-replicationGroup, or ibm-replicationSubEntry are present in a TDBM, LDBM, or CDBM backend. In this configuration, any request to add or modify an entry with one of these objectclass values is rejected.
See Advanced replication for additional
information about advanced replication.
The server compatibility
level must be at least 5 when useAdvancedReplication on is
specified. See the serverCompatLevel configuration option on
page serverCompatLevel {3 | 4 | 5 | 6 | 7} for more information about
the server compatibility level.
Default = off
- useNativeAuth {selected | all | off}
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
 | X | X | | | X |
Enables native authentication in the backend. If the value
is:
- selected, only entries with the ibm-nativeId attribute
that are within the native subtrees (see nativeAuthSubtree option
at nativeAuthSubtree {all | dn}) use native authentication.
- all, all entries within native subtrees use native authentication.
These entries can contain the ibm-nativeId or uid attribute
to specify the RACF ID.
- off, no entries participate in native authentication.
Note: z/OS LDAP password
policy does not apply to entries participating in native authentication.
Default
= off
- validateincomingV2strings {on | off }
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
X | | | | | |
Specifies whether incoming strings are validated. If set to on, this setting limits the format of incoming string data sent over the LDAP Version 2 protocol to the IA5 character set (X'00'-X'7F', or "7-bit ASCII"). With this setting, textual data received on operations that falls outside the IA5 character set causes the operation to fail with LDAP_PROTOCOL_ERROR.
Default = on
Note: although off is supported, running with this validation disabled is not recommended, because it allows LDAP Version 2 clients to send data outside the IA5 character set that the server would otherwise reject.
- wlmExcept name [IP_address] [dn]
Global | TDBM | LDBM | SDBM | GDBM | CDBM | EXOP
---|---|---|---|---|---|---
X | | | | | |
Specifies the Workload Manager (WLM) transaction name used for client requests originating from an IP address or a bound user's distinguished name (DN). The wlmExcept configuration option can be specified multiple times to allow the routing of different LDAP client requests to the same or different WLM transaction names. The order of the wlmExcept configuration options in the LDAP server configuration file determines the order in which the LDAP server matches incoming client requests and routes them to a WLM transaction name. During LDAP server initialization, a WLM enclave is created for each unique name. See Workload manager (WLM) for more information about configuring the LDAP server to use WLM.
- name
- Specifies the WLM transaction name used for this enclave. The
name must be 1-8 characters long and can consist of letters, numbers,
and the special characters '$', '#', or '@'. The WLM transaction name
must be configured in WLM. Multiple wlmExcept configuration
options with the same name use the same enclave.
- IP_address
- Specifies the client's IPv4 or IPv6 address to be associated with
this WLM enclave.
- dn
- Specifies the bind user's distinguished name to be associated
with this WLM enclave. For information about specifying a value
for a distinguished name for this option, see Specifying a value for a distinguished name.
Note: - If neither IP_address nor dn is specified with the wlmExcept configuration option, a WLM enclave is created with the transaction value name. However, the enclave is not associated with any client requests until a WLMEXCEPT modify command is issued.
- If both IP_address and dn are specified, only incoming client requests that originate from that IP_address and are bound as that dn are routed to the WLM transaction name specified.
Default = GENERAL
By default, the
WLM transaction name, GENERAL, is used by the LDAP server for
client requests originating from IP addresses or bind distinguished
names not specified on wlmExcept configuration options. WLM
transaction name GENERAL must be configured in WLM. See z/OS MVS Planning: Workload Management for
more information about configuring WLM.
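Because wlmExcept rules are matched in file order and a rule with both an IP address and a DN requires both to match, the routing a given request receives is not always obvious from reading the options. The following added example, not the z/OS LDAP server's own code, parses a constructed set of wlmExcept lines and routes sample requests with first-match-wins semantics; a rule with neither IP address nor DN matches nothing here, reflecting the note that such an enclave is only associated with requests by a later WLMEXCEPT modify command. DN comparison is a simplification (case-insensitive, whitespace around commas ignored), and the sample configuration and addresses are constructed.

```python
"""Route client requests to WLM transaction names using wlmExcept rules in
configuration-file order (added example, not the z/OS LDAP server's own code).

Assumptions: rules are matched first-match-wins in file order; a rule with
neither IP address nor DN matches nothing here (the page says such an enclave
is only associated with requests by a later WLMEXCEPT modify command); DNs are
compared case-insensitively with whitespace around commas ignored, which is a
simplification of full DN matching.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

WLM_NAME = re.compile(r"^[A-Za-z0-9$#@]{1,8}$")   # 1-8 chars: letters, digits, $ # @


@dataclass
class WlmRule:
    name: str
    ip: Optional[str] = None
    dn: Optional[str] = None


def _normalize_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_wlm_except(config_text: str) -> List[WlmRule]:
    """Parse 'wlmExcept name [IP_address] [dn]' lines, keeping file order."""
    rules: List[WlmRule] = []
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].lower() != "wlmexcept":
            continue
        fields = parts[1].split(None, 1) if len(parts) > 1 else []
        if not fields or not WLM_NAME.match(fields[0]):
            raise ValueError(f"invalid wlmExcept transaction name: {line!r}")
        name = fields[0]
        rest = fields[1].strip() if len(fields) > 1 else ""
        ip = dn = None
        if rest:
            head, _, tail = rest.partition(" ")
            try:                                    # is the first token an IP address?
                ipaddress.ip_address(head)
                ip, rest = head, tail.strip()
            except ValueError:
                pass                                # no IP: the whole remainder is the DN
            if rest:
                dn = rest.strip('"')                # DN may be quoted and may contain spaces
        rules.append(WlmRule(name, ip, dn))
    return rules


def route(rules: List[WlmRule], client_ip: str, bind_dn: Optional[str],
          default: str = "GENERAL") -> str:
    """Transaction name for a request; rules are tested in order, first match wins."""
    client = ipaddress.ip_address(client_ip)
    bound = _normalize_dn(bind_dn) if bind_dn else None
    for rule in rules:
        if rule.ip is None and rule.dn is None:
            continue                                # placeholder enclave, not routable yet
        if rule.ip is not None and ipaddress.ip_address(rule.ip) != client:
            continue
        if rule.dn is not None and (bound is None or _normalize_dn(rule.dn) != bound):
            continue                                # both criteria must hold when both are set
        return rule.name
    return default


# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
wlmExcept BATCH 10.1.2.3
wlmExcept ADMIN cn=Admin,o=IBM
wlmExcept AUDIT 10.1.2.4 cn=Auditor, o=IBM
wlmExcept RESERVED
"""

RULES = parse_wlm_except(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip, dn in [("10.1.2.3", "cn=Admin,o=IBM"), ("192.0.2.9", "CN=admin, O=IBM"),
                   ("10.1.2.4", "cn=Auditor,o=IBM"), ("10.1.2.4", None)]:
        print(ip, dn, "->", route(RULES, ip, dn))
```

The first sample request shows the ordering effect: a client at 10.1.2.3 that binds as cn=Admin,o=IBM lands in BATCH, not ADMIN, because the address rule comes first in the file; reversing the two lines reverses the outcome.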