z/OS IBM Tivoli Directory Server Administration and Use for z/OS


Configuration file options

SC23-6788-00

This section contains an alphabetic listing of the configuration file options. For each option, a table shows an X in the areas (Global, TDBM, LDBM, SDBM, GDBM, CDBM, and EXOP) of the configuration file where the option can be used.
Note: Some GDBM options can only be specified when GDBM is configured to be DB2-based and others can only be used when GDBM is file-based. See Configuration file checklist for a list of which options can be configured for each type of GDBM configuration.
aclSourceCacheSize num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies the maximum number of entries to store in the ACL Source cache. This cache holds information regarding ACL definitions within the database. Retrieval of information from this cache avoids database read operations when resolving access permissions.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 100

adminDN dn
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

The distinguished name (DN) of the root administrator for this LDAP server. Typically, this DN has unrestricted access to all entries in the directory except for entries in backends that are read-only replicas. When the LDAP server is in maintenance mode, the LDAP root administrator has unrestricted access to all entries in the directory. Select a name that is descriptive of the person who knows and administers the LDAP server. The name must be in the DN format that is described in Data model. You might want the DN to have the same suffix as one of the suffix option values in the configuration file.

Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up this root administrator DN. Additional root administrators can be defined using the administrative group and assigning the root administrator role. See Administrative group and roles for more information.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

adminPW string
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

The password of the root administrator (adminDN) for this server.

Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your administrator password.

Note: Use of the adminPW configuration option is discouraged in production environments. Instead, specify your adminDN as the distinguished name of an existing entry in the directory information tree. This eliminates passwords from the configuration file.
allowAnonymousBinds {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies whether an LDAP client can perform unauthenticated operations on the LDAP server. If off, clients must explicitly bind to the server with a distinguished name before issuing operations. If on, a client can access the server without binding with a distinguished name and is granted whatever access the ACLs give to the cn=anybody group, so review what cn=anybody is permitted to read before leaving this option on. See Using access control for more information about access control of directory data.

Default = on

altServer ldap_URL
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies an equivalent server to this LDAP server. It need not be a replica, but it contains the same naming contexts. There is no required format for the value; however, LDAP URL format is most commonly used and is supported by LDAP clients. See listen ldap_URL for a description of LDAP URL format. The option can be specified multiple times to define more than one alternate server. The alternate servers are placed in the altServer attribute in the root DSE and can be queried by LDAP clients to determine other servers that can be contacted if this server is not available at some later time.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP directory URL:
altServer ldap://myldap.server.com:3389
In the following example,
5f1b:df00:ce3e:e200:20:800:2078:e3e3 
is the IPv6 address and 389 is the port number of the LDAP URL:
altServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
armName name
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the name that the LDAP server uses when registering with the Automatic Restart Management (ARM) service. The name is 1-7 characters and can consist of letters, numbers, and the special characters '$ # @ _'. Lowercase letters are converted to uppercase. The first character may be a number. The system name is appended to form the element name. The armName configuration option must be specified if there are multiple instances of the LDAP server on the same system and ARM processing is enabled. See z/OS MVS Setting Up a Sysplex for more information about automatic restart manager.

For example, for system DCESEC4, specifying:
armName LDAP1
results in the element name LDAP1_DCESEC4.

The LDAP server registers with ARM using the element name formed from the armName configuration option, an element type of SYSLDAP, an element bind of CURJOB, and a termination type of ELEMTERM. See the description of the IXCARM macro in z/OS MVS Programming: Sysplex Services Reference for more information about these parameters and how to override them using the current ARM policy.

Default = GLDSRVR

attrOverflowCount count
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X                       X

For TDBM, specifies the number of values an attribute must have before its values are stored in a long attribute value table. Choosing this value allows large multi-valued attributes, such as group membership lists, to be stored in a separate table with its own index.

For LDBM and CDBM, specifies the number of values an attribute must have before its values are stored in an internal indexed table, providing quicker access to the values of large multi-valued attributes such as group membership lists.

The value must be either 0 or in the range 64 to 2147483647. A value of 0 disables attribute overflow based on the attribute value count.

Default = 512

attrOverflowSize num-of-bytes
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies, in bytes, the minimum size of an attribute value required to store the value in a long attribute value table. The choice of this value allows large attribute values (such as JPEG and GIF files) to be stored in a separate DB2® table in a separate DB2 table space. The maximum size of this value is 2147483647. A value of 0 disables attribute overflow based on attribute size.

Default = 255

audit {on | off | all,operations | error,operations | none,operations}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Turns LDAP auditing on or off and specifies which operations are to be audited and the associated audit level. When auditing is on, an LDAP SMF type 83 subtype 3 audit record is generated for an operation if the operation is specified on an audit option and the operation result matches the audit level.

This option can be specified multiple times, once to turn auditing on or off and once or more times for each audit level to specify the operations to audit for that level. Multiple operations can be specified for a level by either putting a + between them on the audit option or by specifying multiple audit options with the same level.

Operations can be audited all the time or only when they fail. The following audit levels are supported:
all
An LDAP audit record is generated for the specified operations.
error
An LDAP audit record is generated for the specified operations when they fail.
none
An LDAP audit record is not generated for the specified operations.

The supported values for operations can be one or more of: add, bind, compare, connect, delete, disconnect, exop, modify, modifydn, search, unbind.

If an operation is specified in more than one level, the last level is used for the operation. If an operation is not specified in any level, the level defaults to none for that operation.

The LDAP server AUDIT operator modify command can be used to change the audit settings and to turn audit on or off while the LDAP server is running. See LDAP server operator commands for more information.

Default = off

For example, the following audit options turn on auditing for modify, search, and bind failures and for all add operations. The other operations are not audited.
audit error,modify+search+bind
audit all,add
audit on
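
The rules above (one level per operation, + as separator, last level wins, unnamed operations default to none, on/off only switching auditing) are easy to misapply when several audit lines accumulate in a long configuration file. The following Python computes the effective audit level per operation from a list of configuration lines. It is an added example, not code from the IBM documentation or the LDAP server; treating a line whose first non-blank character is # as a comment is an assumption, as is the constructed SAMPLE_CONFIG, which reproduces the example just shown.

```python
"""Compute the effective per-operation audit level from 'audit' configuration
lines (added example; not code from the IBM documentation)."""

AUDIT_OPERATIONS = frozenset({
    "add", "bind", "compare", "connect", "delete", "disconnect",
    "exop", "modify", "modifydn", "search", "unbind",
})
AUDIT_LEVELS = frozenset({"all", "error", "none"})


def parse_audit_options(config_lines):
    """Return (auditing_on, {operation: level}) for the audit lines in config_lines.

    Rules implemented from the option description:
      * 'audit on' / 'audit off' only switch auditing on or off (last one wins);
      * 'audit <level>,<op>[+<op>...]' assigns a level to each listed operation;
      * an operation named at more than one level takes the level named last;
      * operations never named default to none.
    Lines whose first non-blank character is '#' are skipped (assumption: comments).
    Raises ValueError for an unknown level or operation.
    """
    auditing_on = False
    levels = {op: "none" for op in sorted(AUDIT_OPERATIONS)}
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword != "audit":
            continue                         # some other configuration option
        if value in ("on", "off"):
            auditing_on = value == "on"
            continue
        level, sep, ops = value.partition(",")
        level = level.strip()
        if not sep or level not in AUDIT_LEVELS:
            raise ValueError(f"bad audit level in: {raw!r}")
        for op in ops.split("+"):
            op = op.strip()
            if op not in AUDIT_OPERATIONS:
                raise ValueError(f"unknown audit operation {op!r} in: {raw!r}")
            levels[op] = level               # last level named for an operation wins
    return auditing_on, levels


def audited_operations(config_lines):
    """Operations that will produce SMF type 83 subtype 3 records, grouped by
    level; empty when auditing is off."""
    auditing_on, levels = parse_audit_options(config_lines)
    if not auditing_on:
        return {}
    grouped = {}
    for op, level in levels.items():
        if level != "none":
            grouped.setdefault(level, []).append(op)
    return grouped


# Constructed sample reproducing the example above: failures of modify, search
# and bind are audited, all add operations are audited, nothing else is.
SAMPLE_CONFIG = [
    "audit error,modify+search+bind",
    "audit all,add",
    "audit on",
]

if __name__ == "__main__":
    print(audited_operations(SAMPLE_CONFIG))
```

Run against a real configuration file, audited_operations() shows at a glance which operations are silent; bind at none, for example, means failed authentication attempts never reach SMF.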
changeLogging {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                                X

Turns change logging on or off.

When change logging is on, all change logging operations are allowed. When change logging is off, change log entries can be searched, modified, and deleted, but no new change log entries can be created and no automatic trimming of the change log is performed.

Default = on

changeLoggingParticipant {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X               X       X

Allows/disallows change logging for changes made to entries in this backend. When specified in GDBM, changeLoggingParticipant controls the logging of modifications to the LDAP server schema entry.

Note: This option does not turn on or off change logging. That is done by the changeLogging option.

Default = on

changeLogMaxAge nnn
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                                X

Specifies the maximum age in seconds of an entry in the change log. Change log entries are deleted when they have been in the change log longer than this value, except if changeLogging off is specified. The value must be between 0 and 2147483647. A value of 0 indicates that there is no maximum.

Default = 0

changeLogMaxEntries nnn
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                                X

Specifies the maximum number of entries that the change log can contain. If the number of change log entries exceeds this value and changeLogging off is not specified, change log entries with the lowest change numbers are deleted. If the change log is DB2-based, change log entries are deleted until the number of remaining entries is 95% of the maximum. If the change log is file-based, change log entries are deleted until the number of remaining entries is the maximum. The value must be between 0 and 2147483647. A value of 0 indicates that there is no maximum.

Default = 0
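
The trimming behaviour of changeLogMaxAge and changeLogMaxEntries (nothing trimmed while changeLogging is off, 0 meaning no limit, lowest change numbers removed first, DB2-based logs trimmed to 95% of the maximum and file-based logs to the maximum) determines how much audit history a change log retains, which matters when the log is being read for security monitoring. The following Python models one trimming pass over a constructed log. It is an added example, not the LDAP server's own code; rounding 95% down to a whole number of entries is an assumption, as is the constructed DEMO_LOG.

```python
"""Model change log trimming under changeLogging, changeLogMaxAge and
changeLogMaxEntries (added example; not the LDAP server's own code)."""
from dataclasses import dataclass

MAX_INT = 2147483647


@dataclass(frozen=True)
class ChangeLogEntry:
    change_number: int
    change_time: int      # seconds since epoch; constructed values in the demo


def trim_change_log(entries, *, change_logging_on, max_age, max_entries, db2_based, now):
    """Return the entries that survive one trimming pass, ordered by change number.

    Documented rules applied:
      * nothing is trimmed while changeLogging is off;
      * 0 for either maximum means no limit;
      * an entry older than changeLogMaxAge seconds is deleted;
      * when the count exceeds changeLogMaxEntries, the lowest change numbers are
        deleted until 95% of the maximum remains (DB2-based) or exactly the maximum
        remains (file-based). 95% is rounded down here, which is an assumption.
    """
    for name, value in (("changeLogMaxAge", max_age), ("changeLogMaxEntries", max_entries)):
        if not 0 <= value <= MAX_INT:
            raise ValueError(f"{name} must be 0-{MAX_INT}, got {value}")
    kept = sorted(entries, key=lambda e: e.change_number)
    if not change_logging_on:
        return kept
    if max_age:
        kept = [e for e in kept if now - e.change_time <= max_age]
    if max_entries and len(kept) > max_entries:
        target = max_entries * 95 // 100 if db2_based else max_entries
        kept = kept[len(kept) - target:]      # drop the lowest change numbers
    return kept


def deleted_change_numbers(entries, **options):
    """Change numbers a trimming pass would remove, in ascending order."""
    survivors = {e.change_number for e in trim_change_log(entries, **options)}
    return sorted(e.change_number for e in entries if e.change_number not in survivors)


# Constructed log: 120 entries, change number n created at second 1000 + n.
DEMO_LOG = [ChangeLogEntry(n, 1000 + n) for n in range(1, 121)]

if __name__ == "__main__":
    print(deleted_change_numbers(DEMO_LOG, change_logging_on=True, max_age=0,
                                 max_entries=100, db2_based=True, now=2000))
```

With changeLogMaxEntries 100 a DB2-based log keeps 95 entries after a pass and a file-based log keeps 100, so a consumer that polls the change log must keep up with the trimming rate or it will miss change numbers.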

commitCheckpointEntries nnn
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                X               X       X

Specifies the maximum number of entries in the checkpoint file. An entry is added to the LDBM, CDBM, or file-based GDBM checkpoint file each time a directory entry is added, changed, deleted, or renamed. When the maximum number is reached, the entries in the checkpoint file are merged into the database file and the entries are removed from the checkpoint file. The value must be between 0 and 2147483647. A value of 0 indicates there is no maximum.

Default = 10000

commitCheckpointTOD hh:mm
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                X               X       X

Specifies a time of day at which the checkpoint file is merged into the database file. An entry is added to the LDBM, CDBM, or file-based GDBM checkpoint file each time a directory entry is added, changed, deleted, or renamed. Every day at the specified time, the entries in the checkpoint file are merged into the database file and the entries are removed from the checkpoint file. The value must be between 00:00 and 23:59. Specify a value outside this range to disable time of day checkpoint processing.

Default = 00:00

commThreads num-threads
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the number of threads to be initialized for the communication thread pool. This thread pool handles the connections between the LDAP server and its clients. You might want to have the commThreads set to approximately two times the number of processors that are running in your LPAR. However, this is a general rule depending upon the activity that your LDAP server experiences.

Default = 10

The commThreads option replaces the maxThreads and waitingThreads options, which are deprecated and no longer evaluated by the LDAP server.

database dbtype dblibpath [name]
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X       X       X       X       X

Marks the beginning of a new database section. All global options must appear before the first database section. All options after the database option pertain to this backend until another database option is encountered.

  • For dbtype:
    • Specify tdbm (DB2-based), ldbm (file-based), sdbm (RACF-based), gdbm (DB2-based or file-based), cdbm (file-based), or exop (extended operations).
      Notes:
      1. The server compatibility level must be at least 5 when the CDBM backend is configured. See page serverCompatLevel {3 | 4 | 5 | 6 | 7} for more information about the serverCompatLevel configuration option.
      2. The EXOP backend is deprecated.
  • For dblibpath:
    • This is the file name of the shared library (DLL) containing the backend database code. Unless you have changed the names of the LDAP DLLs, specify GLDBTD31/GLDBTD64 when dbtype is tdbm, GLDBLD31/GLDBLD64 when dbtype is ldbm, GLDBSD31/GLDBSD64 when dbtype is sdbm, GLDBGD31/GLDBGD64 when dbtype is gdbm, GLDBCD31/GLDBCD64 when dbtype is cdbm, and GLDXPD31/GLDXPD64 when dbtype is exop.
      Notes:
      1. Both DLL names must be specified for dblibpath as shown above. For example, to use the SDBM backend, specify the following in the LDAP server configuration file:
        database sdbm GLDBSD31/GLDBSD64
      2. In the job log, the LDAP server writes the DLL name that is loaded by the LDAP server. For example, if the LDAP server is run in 31-bit mode with the SDBM backend enabled, the following is written to the job log:
        database sdbm GLDBSD31 SDBM-0003

        If the LDAP server is run in 64-bit mode with the SDBM backend enabled, the following is written to the job log:

        database sdbm GLDBSD64 SDBM-0003
  • For name:
    • This value is a name that is used to identify this backend. You cannot specify schema, rootDSE, or Monitor as the name. A name is generated if no name is specified for a backend. However, a name must be specified if the multiserver on option is specified for this backend and the name must not be longer than 8 characters. In addition, when multi-server mode is active, the same name must be specified for each instance of the backend within the cross-system group.
databaseDirectory name
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                X               X       X

Specifies the name of the directory containing the data files used by the backend to store directory data. A fully-qualified directory path must be specified. A unique directory must be specified for each backend. In addition, when multi-server mode is active, the same directory path must be specified for each instance of the backend within the cross-system group.

LDBM Default = /var/ldap/ldbm

GDBM Default = /var/ldap/gdbm

CDBM Default = /var/ldap/schema if schemaPath not specified, else schemaPath option setting

dbuserid userid
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies a z/OS user ID that is the owner of the DB2 tables. When specified in a GDBM backend section, this option indicates that the GDBM backend is DB2-based and not file-based.

Note: The dbuserid value must be unique within the configuration file. Multiple backends on an LDAP server cannot share a database.
db2StartUpRetryInterval num-seconds
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the number of seconds the LDAP server waits before each DB2 connection retry attempt as a consequence of the initial DB2 connection failure.

During LDAP initialization, an initial attempt at establishing a DB2 connection is made if at least one DB2-based backend is defined. If the connection attempt is unsuccessful and the LDAP server is set up to wait for DB2, the LDAP server retries the connection for a specified number of times, waiting for db2StartUpRetryInterval seconds before each retry attempt. While waiting for a connection to DB2, the LDAP server does not receive requests. The value must be between 1 and 999.

Note: db2StartUpRetryInterval is ignored if no DB2-based backend (TDBM and DB2-based GDBM) is defined or if the db2StartUpRetryLimit configuration option has a zero value or is not specified.

Default = 45

db2StartUpRetryLimit num-retries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies a limit of the number of DB2 connection retries the LDAP server attempts as a result of the initial DB2 connection failure.

During LDAP initialization, an initial attempt at establishing a DB2 connection is made if at least one DB2-based backend is defined. If the connection attempt is unsuccessful and db2StartUpRetryLimit has a non-zero value, the LDAP server retries the connection for the specified db2StartUpRetryLimit times, waiting for the specified db2StartUpRetryInterval number of seconds before each retry attempt. When the number of retry attempts equals db2StartUpRetryLimit and a connection to DB2 still cannot be established, all backends that require DB2 fail to configure. While waiting for a connection to DB2, the LDAP server does not receive requests. The value must be between 0 and 99. A value of 0 indicates that no DB2 connection retries are to be attempted.

Note: db2StartUpRetryLimit is ignored if no DB2-based backend (TDBM and DB2-based GDBM) is defined.

Default = 0
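
The interaction of db2StartUpRetryInterval and db2StartUpRetryLimit (one initial attempt, then at most the limit's number of retries, each preceded by the interval's wait, during which the server accepts no requests) sets the longest start-up blackout an operator can see before the DB2-based backends fail to configure. The following Python models that sequence against a stand-in connection function. It is an added example, not the LDAP server's own code; connect() and failing_then_ok() are hypothetical stand-ins for the DB2 CLI connection attempt.

```python
"""Model the initial DB2 connection retry controlled by db2StartUpRetryLimit and
db2StartUpRetryInterval (added example; the real connect is DB2 CLI, stubbed here)."""


def validate_db2_retry_options(limit, interval):
    """Apply the documented ranges: limit 0..99, interval 1..999."""
    if not 0 <= limit <= 99:
        raise ValueError(f"db2StartUpRetryLimit must be 0-99, got {limit}")
    if not 1 <= interval <= 999:
        raise ValueError(f"db2StartUpRetryInterval must be 1-999, got {interval}")


def db2_startup_connect(connect, limit, interval, db2_backend_configured=True):
    """Return (connected, retries_made, seconds_waited) for server start-up.

    connect() is a hypothetical stand-in for the DB2 connection attempt and returns
    True on success. Behaviour modelled from the option descriptions:
      * both options are ignored, and no attempt is made, unless a DB2-based
        backend (TDBM or DB2-based GDBM) is configured;
      * one initial attempt, then at most `limit` retries, each preceded by an
        `interval`-second wait (during which the server accepts no requests);
      * limit 0 means the initial failure is final.
    """
    if not db2_backend_configured:
        return None, 0, 0              # options ignored, nothing to connect to
    validate_db2_retry_options(limit, interval)
    if connect():
        return True, 0, 0
    waited = 0
    for retry in range(1, limit + 1):
        waited += interval             # the wait comes before each retry
        if connect():
            return True, retry, waited
    return False, limit, waited        # DB2-based backends fail to configure


def worst_case_startup_delay(limit, interval):
    """Longest time the server can spend waiting for DB2 before giving up."""
    validate_db2_retry_options(limit, interval)
    return limit * interval


def failing_then_ok(failures):
    """Construct a connect() that fails `failures` times, then succeeds."""
    state = {"left": failures}

    def connect():
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True
    return connect


if __name__ == "__main__":
    print(db2_startup_connect(failing_then_ok(2), limit=5, interval=45))
    print(worst_case_startup_delay(limit=99, interval=999))
```

At the maximum of both options the server can sit unreachable for 98901 seconds (about 27.5 hours) before the DB2-based backends fail to configure; choose values that match how long DB2 can plausibly take to come up after an IPL.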

db2Terminate {terminate | recover | restore}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies how the LDAP server will react to a termination of DB2 after the server successfully starts.

If set to terminate, the LDAP server shuts down.

If set to recover or restore, the LDAP server disconnects from DB2 but remains running to allow access to non-DB2 backends (for example, SDBM, LDBM, CDBM, and file-based GDBM). When DB2 is once again active, the LDAP server reconnects to DB2. No access is allowed to DB2-based backends (TDBM and DB2-based GDBM) while DB2 is down. Client requests to those backends are rejected with the LDAP_UNAVAILABLE return code and a reason code message that includes "DB2 Unavailable".

Note: db2Terminate is ignored and no DB2 monitoring is done if no DB2-based backend (TDBM and DB2-based GDBM) is configured.

If you are using a sysplex distributor, set this option to terminate. This allows client requests to be routed to other LDAP servers in the sysplex that can connect to their databases.

Default = recover

digestRealm hostname
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies a realm name to be used for DIGEST-MD5 and CRAM-MD5 SASL authentication binds to the LDAP server. The digestRealm value is used in calculating the hash for DIGEST-MD5 and CRAM-MD5 authentication binds. Make sure that the hostname is a DNS host name and not an IP address.

Default = fully qualified host name of the LDAP server if a DNS (Domain Name Server) is active on the system. Otherwise, the default is the name of the host processor.

dnCacheSize num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the maximum number of entries to store in the Distinguished Name normalization cache. This cache holds information related to the mapping of Distinguished Names between their raw form and their canonical form. Retrieval of information from this cache reduces processing required to locate entries in the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 1000

dnToEidCacheSize num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies the maximum number of entries to store in the Distinguished Name to Entry Identifier mapping cache. This cache holds information related to the mapping of Distinguished Names in their canonical form and their Entry Identifier within the database. Retrieval of information from this cache avoids database read operations when locating entries within the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 1000

dsnaoini dsname
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies the name of the CLI Initialization file or sequential data set (or PDS member) you created in step 4 in Getting DB2 installed and set up for CLI and ODBC. This must be either a fully-qualified data set name, a DD name, or a path name. A data set name is not enclosed in quotation marks or prefixed with '//', a DD name starts with '//:', and a path name starts with '/' or './'.

There are three ways to specify the CLI initialization file and the search order is as follows:
  1. The DSNAOINI DD statement in the JCL for the LDAP server started task
  2. The DSNAOINI environment variable
  3. The dsnaoini configuration option. If the dsnaoini configuration option is specified for a backend, the option must also be specified, with the same value, for all the TDBM and DB2-based GDBM backends in the configuration file.

Running the LDAP server using data sets gives more information about this process. See the DB2 information in IBM Information Management Software for z/OS Solutions Information Center for details on ways to specify the CLI initialization file. In order for the TDBM or GDBM backend to run, the initialization file must be specified in one of the ways indicated.

enableResources {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                        X

Specifies whether the SDBM backend supports operations on RACF® resources and classes. If on, SDBM accepts operations for the setropts, class, and resource profile entries. LDAP also accepts requests for creating a change log entry for a change to a RACF resource profile. If off, an SDBM search from the suffix does not return these entries and operations (including a change log request) involving these entries are rejected.

Default = off

entryCacheSize num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies the maximum number of entries to store in the Entry cache. This cache holds information contained within individual entries in the database. Retrieval of information from this cache avoids database read operations when processing entries within the database.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 5000

entryOwnerCacheSize num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X                       X

Specifies the maximum number of entries to store in the entry owner cache. This cache holds information regarding ACL definitions within the database. Retrieval of information from this cache avoids database read operations when resolving access permissions.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

Default = 100

extendedGroupSearching {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X                       X

Specifies whether a backend participates in extended group membership searching on a client bind request. If this option is on, group memberships are gathered from this backend during LDAP directory bind processing in addition to the backend in which the bind DN exists. If this option is off, group memberships are not gathered from this backend unless the bind DN exists in this backend.

See Associating DNs, access groups, and additional bind and directory entry access information with a bound user for information about group gathering after a successful bind.

The server control authenticateOnly is supported by the LDAP server so that a client can override both extendedGroupSearching and group membership gathering from the backend where the DN exists. See Supported server controls for more information.

This option applies only to the backend in which it is defined.

Default = off

fileTerminate {terminate | recover}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
                X               X       X

Specifies whether the LDAP server ends when file system errors occur. If terminate, the LDAP server ends when a file system error is detected. If recover, the LDAP server continues processing, but the backend experiencing the file system error is set to read-only mode. No updates can be made to the directory controlled by this backend. When the problem is corrected, the backend can be reset to read/write mode using the LDAP server BACKEND operator modify command. See LDAP server operator commands for information about the LDAP server BACKEND modify command.

Default = recover

filterCacheBypassLimit num-entries
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X               X       X

Specifies the maximum number of returned entries allowed in the result set of any individual search that is stored in the Search Filter cache. Search filters that match more than this number of entries are not added to the Search Filter cache. This option is useful for maintaining the effectiveness of the Search Filter cache and Entry cache. It can be used to prevent a few search requests with large result sets from dominating the contents of the Entry cache.

The value must be in the range of 1 to 250. This option is ignored when the filter cache is not in use.

Default = 100

filterCacheSize num-filters
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X               X       X

Specifies the maximum number of filters to store in the Search Filter cache. This cache holds information related to the mapping of search request inputs and the result set. Retrieval of information from this cache avoids database read operations when processing search requests. Individual search requests which return more entries than specified in the filterCacheBypassLimit option are not placed in the cache.

The maximum size of this value is 2147483647. A value of 0 indicates that the cache is not used.

TDBM Default = 500
LDBM Default = 5000
CDBM Default = 5000
GDBM Default = 0
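
The two options above describe a bounded cache keyed by the search request, with a bypass rule that keeps a few large result sets from crowding out the small, frequent lookups the cache is meant to serve. The following Python is a model of that cache, as an added example rather than the LDAP server's own code: filterCacheSize 0 disables it, filterCacheBypassLimit must be 1-250 and larger result sets are never stored. Evicting the least recently used filter when the cache is full is an assumption (the text does not say which filter is evicted), the key normalization is a simplification of real DN matching, and demo_backend is a constructed stand-in for a backend search.

```python
"""Search filter cache modelled on filterCacheSize and filterCacheBypassLimit
(added example; not the LDAP server's own code)."""
from collections import OrderedDict


class SearchFilterCache:
    """Maps a normalized search request to the entry IDs it returned.

    Rules taken from the two options:
      * size 0 disables the cache entirely;
      * bypass_limit must be 1..250, and a result set with more entries than that
        is never cached, so a handful of large searches cannot dominate the cache;
      * when the cache is full the least recently used filter is evicted
        (an assumption; the text does not say which filter is evicted).
    """

    def __init__(self, size, bypass_limit):
        if not 0 <= size <= 2147483647:
            raise ValueError("filterCacheSize must be 0-2147483647")
        if not 1 <= bypass_limit <= 250:
            raise ValueError("filterCacheBypassLimit must be 1-250")
        self.size = size
        self.bypass_limit = bypass_limit
        self._entries = OrderedDict()
        self.hits = self.misses = self.bypassed = 0

    @staticmethod
    def _key(base_dn, scope, filter_text):
        # DN and scope are case-insensitive; the filter is kept as written apart
        # from surrounding whitespace (full DN normalization is out of scope here)
        return (base_dn.strip().lower(), scope.strip().lower(), filter_text.strip())

    def lookup(self, base_dn, scope, filter_text):
        if self.size == 0:
            return None
        key = self._key(base_dn, scope, filter_text)
        found = self._entries.get(key)
        if found is None:
            self.misses += 1
            return None
        self._entries.move_to_end(key)       # most recently used
        self.hits += 1
        return found

    def store(self, base_dn, scope, filter_text, entry_ids):
        """Cache a result set; return False when it was bypassed or caching is off."""
        if self.size == 0:
            return False
        if len(entry_ids) > self.bypass_limit:
            self.bypassed += 1               # too large: never enters the cache
            return False
        key = self._key(base_dn, scope, filter_text)
        self._entries[key] = tuple(entry_ids)
        self._entries.move_to_end(key)
        while len(self._entries) > self.size:
            self._entries.popitem(last=False)  # evict least recently used
        return True


def cached_search(cache, backend_search, base_dn, scope, filter_text):
    """Serve from the filter cache when possible, otherwise run the backend search
    and try to cache its result. backend_search is a constructed stand-in for the
    backend's own search and returns a list of entry IDs."""
    found = cache.lookup(base_dn, scope, filter_text)
    if found is not None:
        return list(found)
    result = backend_search(base_dn, scope, filter_text)
    cache.store(base_dn, scope, filter_text, result)
    return result


def demo_backend(base_dn, scope, filter_text):
    """Constructed backend: entry IDs 1..1000 under o=example, uid=user7 has ID 7."""
    if filter_text == "(uid=user7)":
        return [7]
    if filter_text == "(objectclass=*)":
        return list(range(1, 1001))          # large result, exceeds any bypass limit
    return []


if __name__ == "__main__":
    cache = SearchFilterCache(size=500, bypass_limit=100)
    cached_search(cache, demo_backend, "o=example", "sub", "(uid=user7)")
    cached_search(cache, demo_backend, "O=Example", "sub", "(uid=user7)")      # hit
    cached_search(cache, demo_backend, "o=example", "sub", "(objectclass=*)")  # bypassed
    print(cache.hits, cache.misses, cache.bypassed)
```

The hit, miss and bypass counters are the numbers to watch when tuning: a high bypass count with a low hit rate suggests the bypass limit is set below the typical result size of the searches the cache is supposed to absorb.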

idleConnectionTimeout num-seconds
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the amount of time in seconds that the LDAP server waits for an idle connection or an idle paged search result set. When an idle connection times out, the client connection is dropped. When an idle paged search result set times out, the paged search result set is abandoned. Idle connections and idle paged search result sets are detected by the LDAP server's network monitor task, which checks for them every 30 seconds. Therefore, it is possible for an idle connection or idle paged search result set to remain active slightly longer than the idleConnectionTimeout value.

The value must be either 0 or between 30 and 2147483647. A value of 0 indicates that an idle connection or idle paged search results remains active indefinitely.

Default = 0 (indefinitely)

Suggested value = 1800 (30 minutes)

include filename [systemName]
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X       X       X       X       X       X       X

Specifies the path and file name of a file to be included as a part of the LDAP server configuration.

See Specifying a value for filename for information about specifying filename.

Note: The LDAP server does not detect loop conditions in a set of included files. Configuration might encounter errors or fail if the same file is processed more than once. Nested include files are supported, but including the same file in such a way as to form a loop is not.

If the system name is specified, the include file is processed only on that system. This allows the LDAP server configuration files to be shared by multiple servers where each server runs on a different z/OS® system. System-specific configuration information can then be placed in an include file that is processed only on the system to which it applies.

krbIdentityMap {on | off}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
        X       X       X               X

Specifies if this backend participates in Kerberos identity mapping. If it participates, then the server attempts to map the Kerberos identity that performed the bind to DNs that exist in this backend. The mapped DNs are then used for access control.

Default = off

krbKeytab {krbKeytab | none}
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the Kerberos key table that is used by the LDAP server. The key table is used to obtain the encryption key for the Kerberos principal associated with the LDAP server. A key table must be provided if Kerberos authentication is used and the Kerberos KDC is not running on the same system as the LDAP server. However, a key table is not necessary if the Kerberos KDC is running on the same system as the LDAP server, the user ID associated with the LDAP server has a RACF KERB segment containing the server principal name, and the user ID associated with the LDAP server has read permission to the IRR.RUSERMAP facility class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. In these cases, the krbKeytab option is either omitted or set to none. Following is an example:
krbKeytab /home/users/u1/keytab

Default = no value

krbLDAPAdmin kerberosIdentityDN
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies the Kerberos identity that represents the LDAP root administrator. This option allows the root administrator to bind through Kerberos and still maintain administrative authority. The value for this option must be specified as a DN with the attribute type of ibm-kn. The ibm-kn attribute type is case-sensitive and must match the actual Kerberos identity. Following is an example:
krbLDAPAdmin ibm-kn=LDAPAdmin@MYREALM.COM

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

listen ldap_URL
Global  TDBM    LDBM    SDBM    GDBM    CDBM    EXOP
X

Specifies, in LDAP URL format, the IP address (or host name) and the port number where the LDAP server listens to incoming client requests. This option might be specified more than once in the configuration file.

Note: The listen value can be established in the configuration file, or by using the -l command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

Default = The server listens on all available and active IPv4 addresses, using port 389. This is equivalent to ldap://:389.

The format of ldap_URL for the listen option to listen on a TCP/IP socket interface is the following. This format is also used for other configuration options whose value is in LDAP URL format, such as altServer, masterServer, and referral.
{ldap:// | ldaps://}[IP_address | hostname | INADDR_ANY | in6addr_any][:portNumber]
The format of ldap_URL for the listen option to listen on the Program Call interface is the following:
ldap://:pc
where:
ldap://
Specifies that the server listens on nonsecure addresses or ports. Note that if SSL/TLS is configured for the server, then once a connection is established, the client can switch to secure communication using the Start TLS extended operation; until it does, everything on the connection, including the credentials of a simple bind, crosses the network in the clear. Consider specifying INADDR_ANY or in6addr_any (see below), as this allows the z/OS Communications Server to determine the active interfaces rather than the LDAP server. This is preferable, especially in CINET environments with multiple TCP/IP stacks.
ldaps://
Specifies that the server listen on secure addresses or ports. When a connection is established to the server, the client must begin the SSL/TLS handshake protocol. The sslKeyRingFile option must also be specified when using this format. Consider specifying INADDR_ANY or in6addr_any (see below), as this allows the z/OS Communications Server to determine the active interfaces rather than the LDAP server. This is preferable, especially in CINET environments with multiple TCP/IP stacks.
IP_address
Specifies either the IPv4 or IPv6 address.
hostname
Specifies the host name. If the host name is used for the listen option, all the IPv4 or IPv6 addresses associated with the hostname are obtained from the DNS (Domain Name Server) and the LDAP server listens on each of these active and available IP addresses.
INADDR_ANY
Specifies the INADDR_ANY interface. If specified, the z/OS Communications Server determines the active and available IPv4 TCP/IP interfaces on the system on which the LDAP server binds and listens for requests. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for more information about the INADDR_ANY interface.
in6addr_any
Specifies the in6addr_any interface. If specified, the z/OS Communications Server determines the active and available IPv4 and IPv6 TCP/IP interfaces on the system on which the LDAP server binds and listens for requests. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for more information about the in6addr_any interface.
portNumber
Specifies the port number. The portNumber is optional. If the port number is not specified for an ldap://, then the default of 389 is used for nonsecure connections. If the port number is not specified for an ldaps://, then the default of 636 is used for secure connections.
  • Range = 1 - 65536

If the serverSysplexGroup option is present in the configuration file, the port number specified for this server instance must be the same as the port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

It is advisable to reserve the port number or numbers chosen here in your TCP/IP profile data set. Also, be aware that port numbers below 1024 might require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for more information.

pc
Specifies that the LDAP server listens for program call (PC) calls from RACF change logging using the z/OS Security Authorization Facility (SAF) interface. Only one LDAP server on a system can listen for PC calls.

Note when the listen option is initialized to listen for PC calls on the LDAP server, the listen parameter must not include an IP address or a host name and you cannot specify ldaps.

Following are some examples of how you can specify ldap_URL.

  • If you specify:
    ldap://
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the nonsecure default port of 389 for incoming client requests. Note this is not the same as ldap://INADDR_ANY, which listens specifically on the INADDR_ANY interface on the nonsecure default port of 389, or the ldap://in6addr_any, which listens specifically on the in6addr_any interface on the nonsecure default port of 389.
  • If you specify:
    ldap://us.endicott.ibm.com:489
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses associated with the host name us.endicott.ibm.com on the nonsecure port of 489 for incoming client requests.
  • If you specify:
    ldap://9.130.77.27
    the LDAP server binds and listens on IPv4 address 9.130.77.27 on the default nonsecure port of 389 for incoming client requests.
  • If you specify:
    ldaps://us.endicott.ibm.com
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses associated with the host name us.endicott.ibm.com on the default secure port of 636 for incoming client requests.
  • If you specify:
    ldaps://9.130.77.27:736
    the LDAP server binds and listens on IPv4 address 9.130.77.27 on the secure port of 736 for incoming client requests.
  • If you specify:
    ldap://:489
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the nonsecure port of 489 for incoming client requests. Note that this is not the same as ldap://INADDR_ANY:489, which listens specifically on the INADDR_ANY interface on the nonsecure port of 489, or ldap://in6addr_any:489, which listens specifically on the in6addr_any interface on the nonsecure port of 489.
  • If you specify:
    ldaps://:777
    the LDAP server binds and listens on all active and available IPv4 addresses on the system on the secure port of 777 for incoming client requests. Note that this is not the same as ldaps://INADDR_ANY:777, which listens specifically on the INADDR_ANY interface on the secure port of 777, or ldaps://in6addr_any:777, which listens specifically on the in6addr_any interface on the secure port of 777.
  • If you specify:
    ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
    the LDAP server binds and listens on the IPv6 address 5f1b:df00:ce3e:e200:20:800:2078:e3e3 on the nonsecure port of 389 for incoming client requests.
  • If you specify:
    ldaps://[::ffff:9.130.77.75]:777
    the LDAP server binds and listens on the IPv4 mapped IPv6 address ::ffff:9.130.77.75 on the secure port of 777 for incoming client requests.
  • If you specify:
    ldap://[::]
    the LDAP server binds and listens on all active and available IPv4 and IPv6 addresses on the system on the nonsecure default port of 389 for incoming client requests. Note this is not the same as ldap://INADDR_ANY, which listens specifically on the INADDR_ANY interface on the nonsecure default port of 389, or ldap://in6addr_any, which listens specifically on the in6addr_any interface on the nonsecure default port of 389.
  • If you specify:
    ldap://:pc
    the LDAP server binds and listens for PC calls from RACF change logging using the SAF interface in to the server.
Note: The listen parameter deprecates the security, port, and securePort options in the configuration file. If there is a listen option specified in the configuration file along with either security, port, or securePort, the listen option takes precedence over what has been specified for security, port, or securePort. If using an earlier version of the configuration file with security, port, or securePort, the LDAP server is configured to listen on the port numbers specified for securePort, port, or both depending upon the security setting. However, configure the LDAP server using the listen configuration option.
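The following parser is an added example, not code from the z/OS IBM Tivoli Directory Server or its documentation. It applies the ldap_URL rules given above for the listen option: the bracketed IPv6 form, the default ports of 389 (ldap://) and 636 (ldaps://), the special ldap://:pc value that must carry no address or host name and cannot use ldaps, and the serverSysplexGroup requirement that every member listen on the same port. The names ListenSpec, parse_listen, describe, is_valid_listen and sysplex_ports_consistent are this example's own.

```python
# Added example: parse and sanity-check "listen ldap_URL" values as the page describes.
# Not product code; the class and function names below are this example's own.
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # nonsecure / secure defaults from the page


@dataclass(frozen=True)
class ListenSpec:
    scheme: str            # "ldap" (nonsecure) or "ldaps" (secure)
    host: Optional[str]    # None when no address, host name or interface was given
    port: Optional[int]    # None only for the program call (PC) interface
    pc: bool = False       # True for ldap://:pc


_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:\[(?P<ip6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:\[\]/]+))?"   # [IPv6] or host/IPv4/interface
    r"(?::(?P<port>[^/]+))?$"                                  # optional :port or :pc
)


def parse_listen(value: str) -> ListenSpec:
    m = _URL_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a listen LDAP URL: {value!r}")
    scheme = m.group("scheme")
    host = m.group("ip6") or m.group("host")
    port_text = m.group("port")
    if port_text == "pc":
        # PC interface: no ldaps, and no IP address or host name allowed
        if scheme != "ldap":
            raise ValueError("ldaps cannot be combined with the PC interface")
        if host is not None:
            raise ValueError("a PC listen value must not carry an IP address or host name")
        return ListenSpec(scheme, None, None, pc=True)
    if port_text is None:
        port = DEFAULT_PORTS[scheme]
    else:
        # 1..65535 is the 16-bit TCP port range
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port {port_text!r} in {value!r}")
        port = int(port_text)
    return ListenSpec(scheme, host, port)


def is_valid_listen(value: str) -> bool:
    try:
        parse_listen(value)
        return True
    except ValueError:
        return False


def describe(spec: ListenSpec) -> str:
    """Plain-language meaning of a parsed value, following the page's examples."""
    if spec.pc:
        return "PC calls from RACF change logging (SAF interface)"
    sec = "secure" if spec.scheme == "ldaps" else "nonsecure"
    h = spec.host
    if h is None:
        where = "all active IPv4 addresses"
    elif h in ("INADDR_ANY", "in6addr_any"):
        where = f"the {h} interface"
    else:
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:                      # not an address literal: a host name
            where = f"all addresses of host name {h}"
        else:
            if ip == ipaddress.IPv6Address("::"):
                where = "all active IPv4 and IPv6 addresses"
            elif ip.version == 6 and ip.ipv4_mapped:
                where = f"IPv4-mapped IPv6 address {h}"
            else:
                where = f"IPv{ip.version} address {h}"
    return f"{where}, {sec} port {spec.port}"


def sysplex_ports_consistent(member_values: Iterable[str]) -> bool:
    """serverSysplexGroup rule: every member of the group must use the same port number."""
    return len({parse_listen(v).port for v in member_values}) == 1
```

Feeding the page's own examples through describe() reproduces their descriptions, and is_valid_listen() rejects the combinations the text forbids (ldaps://:pc, an address together with :pc, a port of 0).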
logfile filename
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the location of the file where the activity log is written when logging is enabled. See Activity logging for more information.

See Specifying a value for filename for information about specifying the filename.

Default = /etc/ldap/gldlog.output

logFileFilter filter
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies a client IP address filter used to determine the activity that is included or excluded from being logged in the activity log file. Client requests originating from IP addresses allowed by the filter are written to the activity log file specified in the logfile configuration option.

The only supported activity log filters are ones using the ibm-filterIP attribute type to designate the client IPv4 addresses or IPv6 addresses with no brackets that are to be included or excluded from the activity log file. Host names and subnet masks are not supported in these filters. See Activity logging for more information.

Default = ibm-filterIP=*

logFileRolloverDirectory name
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the name of the z/OS UNIX System Services file system directory where the activity log files are archived or rolled over or the Generated Data Group (GDG) base data set. If a z/OS UNIX System Services file system directory is specified, it must be a fully-qualified directory path. This option is ignored if a sequential or partitioned data set is specified for the logfile configuration option. If the logfile configuration option specifies a file that exists in a z/OS UNIX System Services file system directory and this option is not specified, the archived or rolled over activity log file is kept in the same directory. See Activity logging for more information about activity log archiving or roll over.

Default = Directory specified by the logfile configuration option

logFileRolloverSize nnn[K | M | G]
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the maximum size in bytes of the activity log file. When the maximum size is reached, the activity log file is rolled over or archived. The value nnn must be between 0 and 2147483647 and can be followed by a K, M, or G to indicate kilobytes, megabytes, or gigabytes, in that order. Specify 0 to disable activity log file archiving or roll over based on size. See Activity logging for more information about activity log archiving or roll over.

Default = 0

logFileRolloverTOD hh:mm
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the time of day when the activity log file is archived or rolled over. Every day at the specified time, the current activity log file is rolled over or archived. The value must be between 00:00 and 23:59. Specify a value outside this range to disable activity log file archiving or roll over based on time of day. See Activity logging for more information about activity log archiving or roll over.

Default = 24:00

masterServer ldap_URL
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X

Specifies, for this backend, the location of this replica's master server for basic replication. There is no required format for the value; however, the z/OS LDAP client can only follow a masterServer value if it is in LDAP URL format. See page listen ldap_URL for a description of the LDAP URL format. The presence of this option indicates that this LDAP server is a basic replication read-only replica for this backend and receives updates from a master LDAP server. Any other update requests for this backend received directly by the LDAP server are redirected to the master server. You must also specify the masterServerDN option in this section of the configuration file. The master server must contain all the suffixes defined for this backend.

The masterServer option can be specified multiple times if there are multiple master servers. In this case, the LDAP client attempts to contact each server in the list until it is able to establish a connection with one of the servers.

The masterServer option indicates basic replication is configured for this backend section. Therefore, the masterServer configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP URL:
masterServer ldap://myldap.server.com:3389
In the following example, the IPv6 address of 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and 389 is the port number of the LDAP URL.
masterServer ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
masterServerDN dn
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X

Specifies the distinguished name (DN) that can always make updates to this basic replication read-only replica backend. The value must be in DN format that is described in Data model. The presence of this option indicates that this LDAP server is a read-only replica for this backend and receives updates from a master LDAP server using the specified DN. The specified DN is a special entry that is only used when replicating to this read-only replica backend. The DN has unrestricted update, compare, and search access for all entries in the backend on this server, even if the LDAP server is in maintenance mode. When in maintenance mode, only this DN and an LDAP root administrator can access and update the entries in this backend. All other update operations for this backend received by the replica server are redirected to the master server. Care must be taken when updating this backend to ensure that the replica server remains synchronized with the master server.

You must also specify the masterServer option in this section of the configuration file. You cannot specify the peerServerDN option.

The masterServerDN option indicates basic replication is configured for this backend section. Therefore, the masterServerDN configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

You might want the DN to have the same suffix as one of the suffix option values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your master server DN.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

masterServerPW string
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X

Specifies the password for the masterServerDN that can make updates for this backend. This option is only applicable for a basic replication read-only LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the master server password.

Note:
  1. Use of the masterServerPW configuration option is discouraged in production environments. Instead, specify your masterServerDN as the distinguished name of an existing entry in the directory information tree, including a userPassword attribute. This eliminates passwords from the configuration file.
  2. Password policy does not apply to the entry specified in the masterServerDN configuration option when the password is specified in the masterServerPW configuration option.

The masterServerPW option indicates basic replication is configured for this backend section. Therefore, the masterServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

maxConnections num-connections
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the maximum number of concurrently connected clients that the LDAP server allows.

Range = 30 to 65535

Default = operating system maximum

The LDAP server limits the number of client connections by restricting the number of file and socket descriptors used by the LDAP server. Some of the descriptors are used by the LDAP server for its own file descriptors and passive socket descriptors. The value specified for this option takes into account that the server uses approximately 10 descriptors for internal functions and uses more depending upon the number of additional sockets used as passive sockets for connection attempts by clients.

The maximum number of client connections is further restricted by:
  • The maximum number of files a single process can have concurrently active.

    The MAXFILEPROC statement for BPXPRMxx and the FILEPROCMAX option on the RACF altuser command are used to set the limit. Only processes with superuser authority can adjust the limit beyond the limit specified by MAXFILEPROC and FILEPROCMAX. Attempts to exceed this limit by non-superuser processes might be audited by the security manager.

  • The maximum number of sockets allowed by the TCP/IP socket file system.

    The MAXSOCKETS option on the NETWORK statement for BPXPRMxx sets this limit.

Setting these limits too high can affect system performance by using too many resources and deprive other functions of their share of the same resources.

multiserver {on | off}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X           X     X

Indicates the operating mode that the LDAP server runs for this backend. Specifying on indicates the server runs in multi-server mode for this backend (see Determining operational mode). In multi-server mode, the LDAP server shares directory data with other instances of the LDAP server running within the sysplex. The serverSysplexGroup configuration option must also be specified when running in multi-server mode. Specifying off indicates the server runs in single-server mode for this backend.

Default = off

You can configure a backend to operate in single-server mode while another backend operates in multi-server mode except when GDBM or CDBM is configured. When CDBM or GDBM is configured, all TDBM, LDBM, GDBM, and CDBM backends must be configured to use the same operating mode.

nativeAuthSubtree {all | dn}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X                 X

Specifies the distinguished name of a subtree whose entries are all eligible to participate in native authentication. This option can appear multiple times to specify all subtrees that use native authentication. If this option is omitted or is set to all, then the entire directory is subject to native authentication. This option is ignored unless useNativeAuth selected or useNativeAuth all is specified.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

Default = all

nativeUpdateAllowed {on | off | reset}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X                 X

When set to on or reset, enables native password or password phrase changes in the security server to occur through a modify request to the TDBM, LDBM, or CDBM backend if the useNativeAuth selected or all option is specified.

When set to reset, this option also allows a bind to the backend to succeed even if the specified native authentication password is expired, if the PasswordPolicy control is included in the bind request. After the bind, only the special delete-add modification of the bound user's userPassword attribute can be performed to reset the native authentication password. Once complete, other LDAP operations can be performed.

This option does not affect the ability to change a native password or password phrase during a bind operation.

Note: z/OS LDAP password policy does not apply to entries participating in native authentication.

Default = off

operationsMonitor {ip | ipAny | all}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the search patterns monitored by the LDAP server. The operations monitor supports two types of search patterns: searchStats and searchIPStats. A searchStats pattern consists of the search parameters (search base, scope, filter, and attributes to be returned) and status (SUCCESS or FAILURE). A searchIPStats pattern consists of the same elements as the searchStats pattern, but also includes the client IP address. If the operations monitor is enabled, LDAP monitors search statistics for the types of search patterns that are configured. See Operations monitor for more information about the operations monitor.

If set to ip, then only searchIPStats patterns are monitored. This option setting is useful in determining if there are any specific clients spamming the LDAP server.

If set to ipAny, then only searchStats patterns are monitored. This option is useful for evaluating the performance of search patterns.

If set to all, the operations monitor monitors both searchStats and searchIPStats patterns. Therefore, each search is included in two search patterns, one matching the searchStats pattern and one matching the searchIPStats pattern.

Default = ipAny

operationsMonitorSize num-entries
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the maximum number of search patterns for which the operations monitor gathers statistics. The value must be between 0 and 2147483647. A value of 0 indicates that the operations monitor is turned off. When the operations monitor is turned off, the cn=operations,cn=monitor entry is not returned on a cn=monitor search.

Default = 1000
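The following model is an added example, not code from the z/OS IBM Tivoli Directory Server or its documentation. It shows how the two pattern types described for operationsMonitor differ in what they key on (searchIPStats adds the client IP address), which patterns each of ip, ipAny and all collects, why a search counts in two patterns under all, and how operationsMonitorSize bounds what is gathered (0 turns the monitor off). The SearchRecord layout, the function names, the constructed sample records and the policy of not tracking new patterns once the table is full are this example's assumptions; the page does not say how the server handles a full table.

```python
# Added example: how searchStats / searchIPStats patterns are keyed and bounded.
# Not product code; layout, names and the overflow policy are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SearchRecord:
    client_ip: str
    base: str
    scope: str
    search_filter: str
    attrs: Tuple[str, ...]
    status: str            # "SUCCESS" or "FAILURE"


def search_stats_key(r: SearchRecord) -> tuple:
    """searchStats: search parameters plus outcome; the client is not part of the key."""
    return (r.base, r.scope, r.search_filter, r.attrs, r.status)


def search_ip_stats_key(r: SearchRecord) -> tuple:
    """searchIPStats: the same elements plus the client IP address."""
    return (r.client_ip,) + search_stats_key(r)


# which pattern types each operationsMonitor setting collects
PATTERNS_FOR_MODE = {
    "ip": ("searchIPStats",),
    "ipAny": ("searchStats",),
    "all": ("searchStats", "searchIPStats"),
}
KEY_FUNCS = {"searchStats": search_stats_key, "searchIPStats": search_ip_stats_key}


def monitor(records: Iterable[SearchRecord], mode: str = "ipAny",
            size: int = 1000) -> Dict[str, Counter]:
    """Aggregate records into per-pattern counts; size plays the operationsMonitorSize role."""
    if mode not in PATTERNS_FOR_MODE:
        raise ValueError(f"operationsMonitor must be ip, ipAny or all, not {mode!r}")
    if not 0 <= size <= 2147483647:
        raise ValueError("operationsMonitorSize must be between 0 and 2147483647")
    stats: Dict[str, Counter] = {name: Counter() for name in PATTERNS_FOR_MODE[mode]}
    if size == 0:                  # monitor turned off: nothing is gathered
        return stats
    for r in records:
        for name in PATTERNS_FOR_MODE[mode]:
            key = KEY_FUNCS[name](r)
            tracked = sum(len(c) for c in stats.values())
            if key in stats[name] or tracked < size:
                stats[name][key] += 1
            # else: table full, a new pattern is not tracked (assumed policy)
    return stats


def noisy_clients(stats: Dict[str, Counter], threshold: int) -> List[str]:
    """With ip (or all), list clients that repeated a single search pattern >= threshold times."""
    return sorted({key[0] for key, n in stats.get("searchIPStats", {}).items() if n >= threshold})


# Constructed sample records (not real traffic): the same search from two clients,
# repeated by one of them, plus one failing search.
SAMPLE = [
    SearchRecord("9.130.77.27", "o=example", "sub", "(uid=alice)", ("cn",), "SUCCESS"),
    SearchRecord("9.130.77.27", "o=example", "sub", "(uid=alice)", ("cn",), "SUCCESS"),
    SearchRecord("9.130.77.75", "o=example", "sub", "(uid=alice)", ("cn",), "SUCCESS"),
    SearchRecord("9.130.77.27", "o=missing", "sub", "(uid=alice)", ("cn",), "FAILURE"),
]
```

Run over SAMPLE, ipAny yields two searchStats patterns (the successful search counted three times regardless of client), ip yields three searchIPStats patterns split by client, and all yields both tables with every search counted once in each.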

pcIdleConnectionTimeout num-seconds
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the amount of time in seconds that an idle connection remains valid over the LDAP PC (program call) callable interface. After the specified time, the PC connection is considered no longer in use and any resources associated with the connection are released. Idle connections are detected when the LDAP server receives a new PC connection or a request on an existing PC connection.

The value must be either 0 or between 30 and 2147483647. A value of 0 indicates that an idle connection remains indefinitely.

Default = 0 (indefinitely)

Suggested value = 0

pcThreads num-threads
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X

Specifies the number of threads to be initialized to handle incoming program call (PC) calls using the z/OS SAF interface into the LDAP server. No threads are used if the program call interface is not active. The value must be in the range of 2 to 2147483647.

Default = 10

peerServerDN dn
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X

Specifies the distinguished name (DN) that can make updates to this basic replication peer replica backend. The value must be in DN format that is described in Data model. The presence of this option indicates that this LDAP server is a peer replica for this backend, and can receive updates from another peer LDAP server using the specified DN and processing updates received from clients. The specified DN is a special entry that is only used when replicating to this peer replica backend. The DN has unrestricted update, compare, and search access for all entries in the backend on this server, even if the LDAP server is in maintenance mode. When in maintenance mode, only this DN and an LDAP root administrator can access and update the entries in this backend.

Update operations for this backend received from a client bound as the peerServerDN (or as an LDAP root administrator when in maintenance mode) are performed on the local database and are not sent to any peer or read-only replica servers. When not in maintenance mode, all other update operations for this backend are performed on the local database and are sent to the other peer and read-only replica servers. Update operations received from a peer or a master are never replicated, whether or not the server is in maintenance mode. Updates made by an LDAP root administrator are replicated unless the server is in maintenance mode.

You cannot also specify the masterServerDN option in this section of the configuration file.

The peerServerDN option indicates basic peer-to-peer replication is configured for this backend section. Therefore, the peerServerDN configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

You might want the DN to have the same suffix as one of the suffix option values in the configuration file. Establishing the root administrator DN and basic replication replica server DN and passwords describes how to set up your peer replica DN.

For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.

peerServerPW string
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X

Specifies the password for the peerServerDN that can make updates for this backend. This option is only applicable for a basic replication peer replica LDAP server. See Establishing the root administrator DN and basic replication replica server DN and passwords for additional information about the peer server password.

Note:
  1. Use of the peerServerPW configuration option is discouraged in production environments. Instead, specify your peerServerDN as the distinguished name of an existing entry in the directory information tree, including a userPassword attribute. This eliminates passwords from the configuration file.

    The peerServerPW option indicates basic peer-to-peer replication is configured for this backend section. Therefore, the peerServerPW configuration option cannot be specified if the useAdvancedReplication configuration option is set to on in the CDBM backend database section.

  2. Password policy does not apply to the entry specified in the peerServerDN configuration option when the password is specified in the peerServerPW configuration option.
persistentSearch {on | off}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X           X     X

Allows or disallows persistent search for changes made to entries in a backend. When off is specified, persistent search requests for this backend are rejected. See PersistentSearch for more information about persistent search.

Default = off

plugin pluginType pluginName pluginInit [pluginParameters]
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X
Defines a plug-in extension to the LDAP server. Writing an LDAP server plug-in and using the SLAPI service routines are described in z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS. A sample plug-in and its makefile are included in /usr/lpp/ldap/examples. Building and using the sample plug-in are described in the z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS.
  • For pluginType:
    • Specify preOperation, clientOperation or postOperation. A preOperation plug-in is called by the LDAP server before a client request is processed. A clientOperation plug-in is called to process a client request. A postOperation plug-in is called after a client request is processed. A clientOperation plug-in is called when a client request matches a distinguished name suffix or extended operation object identifier registered for the plug-in.
  • For pluginName:
    • Specify the name of the shared library (DLL) containing the plug-in code. A plug-in that supports both 31-bit and 64-bit addressing modes specifies both file names separated by a slash, "/", such as plugin31/plugin64. A plug-in that supports only 31-bit addressing mode specifies one file name, such as plugin31.
  • For pluginInit:
    • Specify the name of the plug-in initialization routine. This plug-in routine is called by the LDAP server to allow the plug-in to initialize. The plug-in initialization routine registers supported message types, distinguished name suffixes, and extended operation object identifiers supported by the plug-in.
  • For pluginParameters:
    • Optionally, specify plug-in parameters. The plug-in can retrieve these parameters using the slapi_pblock_get() routine.
The ICTX and remote crypto plug-ins are plug-in extensions shipped with the z/OS LDAP server that provide additional function.
  • The ICTX plug-in allows resource managers that do not exist on z/OS to centralize authorization decisions and security event logging requests by using RACF. This enables consolidation of security authorization and auditing functions. See ICTX plug-in for more information.
  • The remote crypto plug-in allows remote applications to access PKCS#11 or CCA callable services implemented within ICSF. PKCS#11 is one of the cryptographic standards of Public-Key Cryptographic Standards (PKCS) that defines a platform-independent programming interface to cryptographic tokens. CCA refers to the IBM® Common Cryptographic Architecture. See Remote crypto plug-in for more information.
port num-port
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
X
Note: The port option has been deprecated by the listen option. See page listen ldap_URL for information about the listen option.

Specifies the TCP/IP port used by the LDAP server for non-SSL communications. The value must be in the range of 1 to 65535.

Default = 389

If the serverSysplexGroup option is present in the configuration file, the port number specified for this server instance must be the same as the port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

The port number might be established in the configuration file, or it might be established using the -p command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

It is advisable to reserve the port number chosen here in your TCP/IP profile data set. Also, be aware that port numbers below 1024 might require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for further information.

pwCryptCompat {on | off}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X                 X

Specifies whether to use an EBCDIC version or a UTF-8 version of the crypt() algorithm to hash passwords when pwEncryption crypt is contained in this section of the configuration file. If on, the EBCDIC version of the crypt() algorithm is used. This is what the z/OS Integrated Security Services LDAP server used. If off, the UTF-8 version is used. Note ASCII is a subset of UTF-8. When sharing LDAP directory data between z/OS and an ASCII-based platform, specify pwCryptCompat off to ensure that the hashed value is the same on both platforms.

Default = on

pwEncryption {none | crypt | MD5 | SHA | SSHA | DES:keylabel | AES:keylabel}
Global  TDBM  LDBM  SDBM  GDBM  CDBM  EXOP
        X     X                 X

Specifies what encryption or hashing method to use when storing the userPassword and ibm-slapdAdminPw attribute values in the backend of the directory.

none
Specifies no encryption. The userPassword and ibm-slapdAdminPw attribute values are stored in clear text format. The stored values are prefixed with the tag {none}. The original value, without the tag, is returned for a search request.
crypt
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the crypt() algorithm before they are stored in the directory. The stored values are prefixed with the tag {crypt}. There are two versions of the crypt() algorithm: an EBCDIC-based version and a UTF-8-based version. See the pwCryptCompat option and the notes below for information about selecting which version to use. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
MD5
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the MD5 hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {MD5}. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
SHA
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the SHA hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {SHA}. The original password value cannot be retrieved in clear text format. The tag and the hashed value are returned for a search request.
SSHA
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the Salted SHA (SSHA) hashing algorithm before they are stored in the directory. The stored values are prefixed with the tag {SSHA}. The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed and salt values are returned for a search request.
SHA224, SHA256, SHA384, SHA512
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the specified SHA-2 hashing algorithm before they are stored in the directory. The stored values are prefixed with the specified tag (for example, {SHA224}). The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed value are returned for a search request.
SSHA224, SSHA256, SSHA384, SSHA512
Specifies that userPassword and ibm-slapdAdminPw attribute values are hashed by the specified Salted SHA-2 hashing algorithm before they are stored in the directory. The stored values are prefixed with the specified tag (for example, {SSHA224}). The original password value cannot be retrieved in clear text format. The tag and the base64-encoded hashed and salt values are returned for a search request.
DES:keylabel
Specifies that userPassword and ibm-slapdAdminPw attribute values are encrypted by the DES algorithm before they are stored in the directory. The stored values are prefixed with the tag '{DES:keylabel}'. The original password value, without the tag, is returned for a search request. The key label must refer to either a valid data-encrypting key generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
AES:keylabel
Specifies that userPassword and ibm-slapdAdminPw attribute values are encrypted by the AES algorithm using the specified key label before they are stored in the directory. The stored values are prefixed with the tag {AES:keylabel}. The original password value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
Note:
  1. When a password is stored in a TDBM, LDBM, or CDBM backend, it is prefixed with the appropriate encryption tag so that when a clear text password is sent on an LDAP API simple bind it can be encrypted or hashed in that same method for password verification.
  2. The crypt algorithm, implemented across many platforms, accepts only the first eight characters of a password. As a result, any password supplied on a bind or compare operation that matches the first eight characters of a userPassword attribute value hashed with the crypt algorithm in the directory matches.
  3. When the pwCryptCompat option is set to on, the values hashed using the crypt algorithm are not portable to other X/Open-conformant systems if the userPassword and ibm-slapdAdminPw attribute values are unloaded using the ds2ldif utility with the -t command-line parameter and loaded by another platform's load utility. If the pwCryptCompat option is set to off, the values hashed using the crypt algorithm are portable to other X/Open-conformant systems if the userPassword and ibm-slapdAdminPw attribute values are unloaded using the ds2ldif utility with the -t command-line parameter. The output LDIF file from ds2ldif can then be loaded using another platform's load utility.
  4. If a tagged encrypted or hashed userPassword or ibm-slapdAdminPw attribute value is included in an add or modify operation, the attribute value is added as is, with no additional encryption or hashing performed on the value, even if the pwEncryption configuration option is set to a different type of encryption or hashing.

Default = none

pwSearchOutput {binary | base64}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the format of MD5 and SHA hashed userPassword and ibm-slapdAdminPw attribute values when retrieved on a search operation. This option does not affect the retrieval of Salted SHA (SSHA), SHA-2, or Salted SHA-2 hashed userPassword and ibm-slapdAdminPw attribute values on a search operation.

If set to binary and a userPassword or ibm-slapdAdminPw attribute value is hashed in MD5 or SHA, the LDAP server returns the encryption tag (either {MD5} or {SHA}) in UTF-8 followed by the binary hash.

If set to base64 and a userPassword or ibm-slapdAdminPw attribute value is hashed in MD5 or SHA, the LDAP server returns the encryption tag (either {MD5} or {SHA}) in UTF-8 followed by the base64-encoded binary hash.

For an example of using this option, see One-way hashing formats.

Default = binary
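
The following is an added example, not IBM code, that models the tagged storage and verification behavior described for pwEncryption (hashing schemes and {none}; DES/AES need ICSF keys and crypt is left out) together with the pwSearchOutput rendering of {MD5} and {SHA} values. It also implements Note 4: a value that arrives already tagged is stored unchanged. Two details are assumptions not stated on the page: a {SSHA*} value decodes to the hash bytes followed by the salt bytes (the common LDAP layout), and the salt length is 8 bytes.

```python
"""Tagged userPassword storage as described for pwEncryption and pwSearchOutput.

Added example, not IBM code. Models {MD5}, {SHA}, {SSHA}, {SHA224..512},
{SSHA224..512} and {none}. Assumptions: a {SSHA*} value is base64(hash || salt)
and the salt is 8 bytes.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# tag -> (hashlib algorithm, salted?)
SCHEMES = {
    "MD5": ("md5", False), "SHA": ("sha1", False), "SSHA": ("sha1", True),
    "SHA224": ("sha224", False), "SHA256": ("sha256", False),
    "SHA384": ("sha384", False), "SHA512": ("sha512", False),
    "SSHA224": ("sha224", True), "SSHA256": ("sha256", True),
    "SSHA384": ("sha384", True), "SSHA512": ("sha512", True),
}
SALT_LEN = 8  # assumption, not from the page


def split_tag(stored: str) -> Tuple[str, str]:
    """Return (tag, body) for a value such as '{SSHA}base64...'."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value is not tagged")
    end = stored.index("}")
    return stored[1:end], stored[end + 1:]


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Produce the tagged value the server would store for pwEncryption=scheme."""
    if scheme == "none":
        return "{none}" + password
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(SALT_LEN) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # salted schemes store hash and salt together, base64-encoded
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def store_value(value: str, pw_encryption: str) -> str:
    """Note 4: an already-tagged value is stored as is; otherwise pwEncryption applies."""
    if value.startswith("{") and "}" in value:
        tag = split_tag(value)[0]
        if tag == "none" or tag in SCHEMES or tag.startswith(("DES:", "AES:")):
            return value
    return hash_password(value, pw_encryption)


def verify_password(candidate: str, stored: str) -> bool:
    """Simple-bind check: hash the candidate the same way the stored value was."""
    tag, body = split_tag(stored)
    if tag == "none":
        return hmac.compare_digest(candidate.encode("utf-8"), body.encode("utf-8"))
    if tag not in SCHEMES:
        raise ValueError("scheme %s is not handled by this example" % tag)
    algo, salted = SCHEMES[tag]
    raw = base64.b64decode(body)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def search_output(stored: str, pw_search_output: str = "binary") -> bytes:
    """Bytes a search returns for an {MD5}/{SHA} value under pwSearchOutput."""
    tag, body = split_tag(stored)
    if tag not in ("MD5", "SHA"):
        return stored.encode("utf-8")  # the option does not affect other schemes
    prefix = ("{%s}" % tag).encode("utf-8")
    raw = base64.b64decode(body)
    return prefix + (raw if pw_search_output == "binary" else base64.b64encode(raw))


if __name__ == "__main__":
    v = hash_password("s3cret", "SSHA256")
    print(v, verify_password("s3cret", v), verify_password("S3CRET", v))
```

The salted variants matter because an unsalted {SHA} or {MD5} value lets an attacker who reads the directory test a candidate once against every account; the salt forces one hash computation per account. Note that store_value passes a tagged value through untouched, so a client that is allowed to write userPassword can downgrade its own entry to {none} or {MD5} regardless of pwEncryption; ACLs on that attribute are the control.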

readOnly {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X X X X  
Specifies the ability to modify the database. The LDAP server BACKEND operator modify command can be used to change the backend database to read/write or read-only mode while the LDAP server is running. Any attempt to use the LDAP server to modify the database fails if readOnly is turned on.
Note:
  1. For GDBM, change log entries are not created and are not trimmed (deleted) by the LDAP server when readOnly is on.
  2. When running in multi-server mode, the readOnly configuration option is the same for all LDAP servers in the cross-system group because any LDAP server can potentially handle update requests.
  3. For SDBM, readonly on does not prevent changing a RACF password during a bind operation, using the currentvalue/newvalue format. However, it does prevent changing the password by using a modify operation of the racfpassword attribute.
  4. When LDBM, TDBM, or CDBM is using native authentication, the RACF password can be changed during bind even though readonly on is specified. The RACF password cannot be changed by using the LDBM, TDBM, or CDBM native authentication modify of the userpassword attribute.
  5. If authenticating or comparing an LDBM, TDBM, or CDBM entry that is subject to password policy in the LDAP server, readonly on does not prevent the password policy operational attributes from being updated in the entry.

Default = off

referral ldap_URL
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the referral to pass back when the target of a client request is not included in any suffix within the LDAP server. It is also known as the default referral. The referral option can appear multiple times and lists equivalent servers. There is no required format for the value; however, the z/OS LDAP client can only follow a referral value if it is in LDAP URL format. See page listen ldap_URL for a description of LDAP URL format.

A default referral is not returned to the client if the client request includes the manageDsaIT control. See manageDsaIT for more information about this control.

In the following example, myldap.server.com is the host name and 3389 is the port number of the LDAP directory URL:
referral ldap://myldap.server.com:3389
In the following example, the IPv6 address 5f1b:df00:ce3e:e200:20:800:2078:e3e3 is the IP address and 389 is the port number of the LDAP URL:
referral ldap://[5f1b:df00:ce3e:e200:20:800:2078:e3e3]:389
schemaPath name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the name of the file directory containing the LDAP schema database. A fully-qualified directory path must be specified. When multi-server mode is active, the same schema path must be specified for each LDAP server within the cross-system group. The schema database file is automatically created during LDAP server initialization if it does not exist. The LDAP server must have write access to the schema directory. This configuration option also determines the directory used by CDBM to store its data if the CDBM backend is configured and the databaseDirectory configuration option is not specified in the CDBM backend configuration section.

Default = /var/ldap/schema

schemaReplaceByValue {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Determines the behavior of modify operations with replace values of the schema entry. When schemaReplaceByValue off is specified, a modify operation with replace values for an attribute in the schema entry behaves like a typical modify operation: all the values currently in the attribute are replaced by the values specified in the modify operation. When schemaReplaceByValue on is specified, individual values in an attribute in the schema entry can be replaced without removing all the other values currently in the attribute. Except in several specific cases, the values of the attribute that are in the initial LDAP server schema cannot be changed or removed. See Updating the schema for more information about modifying the schema.

The schemaReplaceByValue configuration option can be overridden on a specific modify operation by including the schemaReplaceByValueControl control in the modify request.

Default = on

secretEncryption {none | DES:keylabel | AES:keylabel}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Specifies the encryption method to use when storing the secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute values in this backend. Applications might use the secretKey attribute type to store sensitive data that must be encrypted in the directory and to retrieve the data in clear text format. This encryption method is used to protect the replicaCredentials attribute values in this backend when basic replication is enabled. This encryption method also protects the ibm-replicaKeyPwd and ibm-slapdMasterPw attribute values in this backend when advanced replication is enabled.

none
Specifies no encryption. The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute value is stored in clear text format. The stored value is prefixed with the tag {none}. This is the default if the secretEncryption option is not specified. The attribute value without the tag is returned for a search request.
DES:keylabel
The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute value is encrypted by the DES algorithm before it is stored in the directory. The stored value is prefixed with the tag {DES:keylabel}. The original value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.
AES:keylabel
The secretKey, replicaCredentials, ibm-replicaKeyPwd, and ibm-slapdMasterPw attribute value is encrypted by the AES algorithm before it is stored in the directory. The stored value is prefixed with the tag {AES:keylabel}. The original value without the tag is returned for a search request. The key label must refer to either a valid data-encrypting key generated by the KGUP utility and stored in the ICSF CKDS or to an entry in the data set referenced by the LDAPKEYS DD statement. See Symmetric encryption keys for more information.

Default = none

securePort num-port
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Note: The securePort option has been deprecated by the listen option. See page listen ldap_URL for information about the listen option.

Specifies the TCP/IP port used by the LDAP server for SSL communications. The value must be in the range of 1 to 65535.

Default = 636

If the serverSysplexGroup option is present in the configuration file, the secure port number specified for this server instance must be the same as the secure port number specified for all other members of the sysplex group for dynamic workload balancing to function properly.

The secure port number might be established in the configuration file, or it might be established using the -s command-line parameter when starting the LDAP server (see Setting up and running the LDAP server).

It is advisable to reserve the port number chosen here in your TCP/IP profile data set. Also, be aware that port numbers below 1024 might require additional specifications. See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for further information.

security {ssl | sslonly | none | nossl}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Note: The security option has been deprecated by the listen option. See page listen ldap_URL for information about the listen option.

Specifies what type of communications is accepted by the LDAP server. The ssl setting indicates that the server listens on the secure port and the non-secure port. The sslonly setting means that the server listens only on the secure port. The none or nossl settings indicate that the server listens only on the non-secure port. The sslKeyRingFile option must also be specified when the ssl or sslonly settings are used.

Default = none

securityLabel {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Determines if the security label processing is activated with bound LDAP clients. When on, the security labels associated with the LDAP client and LDAP server are verified during the authentication process. Security labels are recorded in all LDAP audit records. When off, no security label processing is done.

Default = off

Use this option when configuring the LDAP server in a multilevel security environment. For more information about configuring a z/OS system for multilevel security and how to configure an LDAP server in that environment, see z/OS Planning for Multilevel Security and the Common Criteria.

sendV3stringsoverV2as {UTF-8 | ISO8859-1}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the output data format to use when sending UTF-8 information over the LDAP Version 2 protocol.

Default = UTF-8

See UTF-8 data over the LDAP Version 2 protocol for more detailed information about the use of this setting.

serverCompatLevel {3 | 4 | 5 | 6 | 7}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the server compatibility level. This value can be used to limit the functions supported by the server so that the server can be compatible with older versions of LDAP servers when they are sharing directory data in a sysplex group. To produce consistent results, all the LDAP servers in the same sysplex group name must support the same functions. If fallback is required to a lower server compatibility level than is currently being used, it is necessary to remove all exploitation of function that is available at the current compatibility level but not at the lower level. The server might not start at the lower level until this is complete. If fallback is necessary with a server that is using the TDBM or DB2-based GDBM backend, see Fallback from a TDBM or DB2-based GDBM backend in z/OS IBM TDS to an earlier z/OS IBM TDS version for fallback procedures.

Note: If there are DB2-based backends configured in the LDAP server, the serverCompatLevel value also sets the DB_VERSION value in the DB2 DIR_MISC table for the backend. The DB_VERSION value is queried at LDAP server initialization to verify that the DB2-based backend is running on a supported level for the z/OS release. Therefore, it is especially important to set this value appropriately when running in multi-server mode and sharing DB2-based backends to the earliest z/OS LDAP server release that is to be shared.
The serverCompatLevel values are:
  • 3 - This value limits the sharing of data in a sysplex to TDBM backends, DB2-based GDBM backends, and schema. Basic replication is supported from (but not into) the sysplex. Dynamic and nested groups are supported, as is schema replace by value. Specify this value when a z/OS Integrated Security Services (ISS) LDAP server is running in the sysplex.
  • 4 - This value enables cross-system coupling facility (XCF) messaging support for TDBM and DB2-based GDBM backends in the sysplex group and supports basic replication from and into the sysplex.
    Note: When the schema, LDBM, and file-based GDBM backends are shared in a sysplex, XCF messaging is used to communicate between the LDAP servers in the same sysplex group no matter the serverCompatLevel setting.

    Specify this value when the sysplex group contains a z/OS IBM TDS server running on z/OS V1R10 or earlier and there are no ISS LDAP servers in the sysplex.

  • 5 - This value enables advanced replication and allows the CDBM backend to be configured. Schema and all backends can be shared in the sysplex. Specify this value when the sysplex group only contains z/OS IBM TDS servers running on z/OS V1R11 or later.
  • 6 - This value enables ACL filters, password policy, Salted SHA (SSHA) password hashing, and usage of additional schema syntaxes and matching rules. Specify this value when the sysplex group only contains z/OS IBM TDS servers running on z/OS V1R12 or later.
  • 7 - This value enables usage of group search limits, administrative roles, and hashing userPassword attribute values using the SHA-2 and Salted SHA-2 algorithms. It also supports hashing and encrypting ibm-slapdAdminPw attribute values using the same algorithms as for userPassword attribute values. Specify this value when the sysplex group only contains z/OS IBM TDS servers running on z/OS V1R13 or later.

Default = 7 if not running in a sysplex (the serverSysplexGroup configuration option is not specified).

Default = 4 if running in a sysplex (the serverSysplexGroup configuration option is specified)

serverEtherAddr mac_address
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the Media Access Control (MAC) address used for entry UUID generation. This value must be unique for all LDAP servers in your enterprise. You must specify the MAC address if multiple LDAP servers run on a (hardware) system. This applies if your LDAP servers are on different LPARs and also if two LDAP servers are on the same LPAR. You do not need to specify this field if this is the only LDAP server that runs on this (hardware) system.

The MAC address consists of 12 hexadecimal digits. The suggested form of the mac_address is:

4xmmmmssssss

Where:

x
Is a one-character LDAP directory number. If more than one LDAP server is operating on a processor, specify a different x value for each server. If more than 16 LDAP servers are wanted, then use a serial number and model number from a processor that is not running an LDAP server. If another processor is not available, then set the x, mmmm, and ssssss values from the MAC address on an old Ethernet card that is no longer being used or not used to run an LDAP server.
mmmm
Is the four-digit model number of the processor.
ssssss
Is the six-digit serial number of the processor.

It is not necessary to follow this convention if you specify the serverEtherAddr option for all LDAP servers in your enterprise. In this case, you can specify any combination of 12 hexadecimal digits if each LDAP server has a unique value.

Following is an example:

serverEtherAddr 4A123401234D

Default = The LDAP server uses the hardware model and serial numbers to generate a MAC address.

serverKrbPrinc kerberosIdentity
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            
Specifies the Kerberos principal name assigned to the LDAP server that was created in Defining the Kerberos identity. This value becomes the server name in Kerberos service tickets. The principal name must consist of characters that can be represented in the ISO8859-1 code page. The format for kerberosIdentity is:
ldap_prefix/primary-dns-name@krbRealmName
Where
ldap_prefix
Is ldap or LDAP. Use ldap to assure interoperability with all LDAP clients. LDAP is accepted, but this value is not usable with many non-z/OS LDAP clients.
primary-dns-name
Is the canonical host name returned by the DNS name service.
krbRealmName
Is the Kerberos defined realm that the LDAP server operates. For more information about setting up a Kerberos realm on z/OS, see z/OS Integrated Security Services Network Authentication Service Administration.
Following are examples:
serverKrbPrinc LDAP/myhost.realm.com@MYREALM.COM
serverKrbPrinc ldap/myhost.myrealm.com@MYREALM.COM

Default = ldap/primary-dns-hostname@default-krbRealmName

serverName string
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X     X    

Specifies the name of the DB2 server location that manages the tables for the LDAP server. This value must match the name of one of the DATA SOURCE stanzas that must be specified in the ODBC initialization data set that is specified by the dsnaoini option in the configuration file. See the DB2 information in IBM Information Management Software for z/OS Solutions Information Center for a description of the DSNAOINI ODBC initialization data set contents. Using the example DSNAOINI file in Figure 1, the value of string for serverName is LOC1.

If the serverName configuration option is specified for a backend, the option must also be specified, with the same value, for all the TDBM and DB2-based GDBM backends in the configuration file.

Default = The default data source is used. This is the DB2 subsystem specified by the MVSDEFAULTSSID record in the DSNAOINI file.

serverSysplexGroup name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies that this LDAP server is participating in data sharing in a sysplex and indicates the name of the cross-system coupling facility (XCF) group. All LDAP servers in the sysplex that specify the same group name share the LDAP server schema and the directories of backends that specify the multiserver on option. The group name is 1-8 characters and consists of letters (A-Z), numbers (0-9), and special characters (@, #, and $). The special characters must be in the IBM-1047 code page.

sizeLimit num-limit
Global TDBM LDBM SDBM GDBM CDBM EXOP
X X X X X X  

Specifies the maximum number of entries to return from a search operation. The maximum number can be modified on a specific search request as described below.

Range = 0 - 2147483647

0 = no limit

Default = 500

This option applies to all backends, except EXOP, unless specifically overridden in a backend definition or in group search limits. Specifying this before a database line in the configuration file sets the option for all backends, except EXOP. Specifying it after a database line sets the option just for the backend defined by the database line. Specifying a size limit using group search limits sets the limit only for the members of that group. See Managing group search limits for more information about group search limits.

A limit on the number of entries returned can also be specified by the client on a search request. Note that the following behavior is used when determining the size limit for a search request.
  • If the client has not bound as an administrator:
    • If a group search size limit exists for the requester, then the size used to limit the search is the smaller of the size limit passed by the client and the group search size limit. If the client does not specify a size limit on the search, then the group search size limit is used.
    • If a group search size limit does not exist for the requester, then the size used to limit the search is the smaller of the size limit passed by the client and the size limit read by the server from the sizeLimit configuration option in the configuration file (which defaults to 500). If the client does not specify a size limit, then the server size limit is used.
  • If the client has bound as an administrator, the size limit is the value passed by the client. If the client does not specify a limit, then the number of entries returned is unlimited. The size limits from the configuration file and from group search limits are ignored when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend), the following behavior is used instead when determining the size limit:
  • The limit is the smaller of the limit passed by the client and the limit read by the server from the sizeLimit option in the configuration file (which defaults to 500). If the client does not specify a limit, then the server limit is used. It does not matter how the client has bound.
  • The number of entries returned might be further restricted by limits imposed by RACF. See Accessing RACF information for more information.
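
The rules above, as an added example that is not IBM code: effective_size_limit() computes the limit the server would enforce for one request, and apply_size_limit() truncates a result set the way the server does, signalling sizeLimitExceeded (LDAP result code 4). Limits are integers where 0 means no limit, as the page states for the option. One assumption not on the page: a client that sends sizeLimit 0 in its request is treated as not having specified a limit, which is the usual LDAP meaning of that value.

```python
"""Effective search size limit, following the rules listed for sizeLimit.

Added example, not IBM code. 0 means 'no limit'. Assumption: a client
sizeLimit of 0 in the request counts as 'not specified'.
"""
from typing import List, Optional, Tuple

NO_LIMIT = 0
SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded


def smaller_limit(a: int, b: int) -> int:
    """Smaller of two limits, where 0 (no limit) never beats a real limit."""
    if a == NO_LIMIT:
        return b
    if b == NO_LIMIT:
        return a
    return min(a, b)


def effective_size_limit(client_limit: Optional[int],
                         config_limit: int = 500,
                         group_limit: Optional[int] = None,
                         bound_as_admin: bool = False,
                         backend: str = "LDBM") -> int:
    """Return the limit the server enforces for one search request."""
    client = None if client_limit in (None, NO_LIMIT) else client_limit
    if backend.upper() == "SDBM":
        # how the client bound does not matter; RACF may restrict further
        return config_limit if client is None else smaller_limit(client, config_limit)
    if bound_as_admin:
        # configuration and group limits are ignored for administrators
        return NO_LIMIT if client is None else client
    if group_limit is not None:
        return group_limit if client is None else smaller_limit(client, group_limit)
    return config_limit if client is None else smaller_limit(client, config_limit)


def apply_size_limit(entries: List[str], limit: int) -> Tuple[List[str], Optional[int]]:
    """Truncate a result set; return (entries sent, result code or None)."""
    if limit == NO_LIMIT or len(entries) <= limit:
        return list(entries), None
    return entries[:limit], SIZE_LIMIT_EXCEEDED


if __name__ == "__main__":
    for args in [(1000,), (None,), (1000, 500, 50), (None, 500, None, True)]:
        print(args, "->", effective_size_limit(*args))
```

The administrator branch is the one to keep in mind when hardening: an administrator bind that omits the request limit gets an unbounded result set, and neither sizeLimit nor a group search limit applies, so a full-directory dump needs only administrator credentials and a subtree search.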

There are additional considerations for size limit when performing a subtree search from the root DSE (a NULL-based search). See Root DSE search with subtree scope (Null-based subtree search) for more information.

srvStartUpError {terminate | ignore}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server stops if a backend or plug-in fails to initialize after the configuration file is read. If terminate, the server ends when any backend or plug-in fails to initialize. If ignore, the LDAP server continues processing if the schema successfully initializes. The option also applies to failures when initializing the LDAP PC callable support interface if that has been configured and initializing WLM support. Note a configuration error that occurs before backend or plug-in initialization begins always causes the server to end.

Default = terminate

sslAuth {serverAuth | serverClientAuth}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the SSL/TLS authentication method. The serverAuth method allows the LDAP client to validate the LDAP server on the initial contact between the client and the server.

The serverClientAuth method allows the LDAP client to validate the LDAP server. In addition, the LDAP server validates the LDAP client if the client sends its digital certificate on the initial contact between the client and the server.

Note: In order for clients to perform SASL EXTERNAL binds to the LDAP server, it is necessary to configure the server with sslAuth serverClientAuth.

See Setting up for SSL/TLS for more SSL/TLS information.

Default = serverAuth

sslCertificate {certificateLabel | none}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the label of the certificate that is used for LDAP server authentication. If using a key database file, the certificate is created and managed using the gskkyman utility. If using a RACF key ring, the certificate is created and managed using the RACDCERT command. If using a PKCS #11 token, the certificate can be created and managed by using either the gskkyman utility or the RACDCERT command. See z/OS Cryptographic Services System SSL Programming for details on using the gskkyman utility or z/OS Security Server RACF Command Language Reference for details on using the RACDCERT command. See Setting up for SSL/TLS for more SSL/TLS information.

Default = none

If the value is none (by default or by specification), the default certificate, marked in the key database file, the RACF key ring, or the PKCS #11 token, is used for server authentication.

sslCipherSpecs {string | GSK_V3_CIPHER_SPECS_EXPANDED | ANY}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the SSL Version 3.0 and TLS Version 1.0 cipher specifications that the LDAP server accepts from clients. Use of this option to specify the specific cipher suites is limited, and provided only for compatibility with earlier versions. It supports only a portion of the cipher suites available in z/OS System SSL, contains no 4-character cipher suites, and provides no order of preference. The preferred approach is to set the option to GSK_V3_CIPHER_SPECS_EXPANDED and then set the environment variable GSK_V3_CIPHER_SPECS_EXPANDED to the list of 4-character cipher specifications you want, in order of preference.

If the cipher specifications you want are included in Table 1 and if the order of preference matches the default order that is provided by z/OS System SSL, then the sslCipherSpecs option may be used with any of the values that are described.

In this case, the cipher specification is a blank delimited string that represents an ORed bit-mask indicating the SSL/TLS cipher specifications that are accepted from clients. Clients that support any of the specified cipher specifications are able to establish an SSL/TLS connection with the server. Table 1 lists the CipherSpec mask values and the related decimal, hexadecimal, and keyword values. See z/OS Cryptographic Services System SSL Programming for a description of supported cipher specifications.

The cipher specification might be specified as follows:
  • A decimal value (for example, 256)
  • A hexadecimal value (for example, x100)
  • A keyword (for example, TRIPLE_DES_SHA_US)
  • A construct of those values using plus and minus signs to indicate inclusion or exclusion of a value. For example,
    • 256+512 is the same as specifying 768, or x100+x200, or TRIPLE_DES_SHA_US+DES_SHA_EXPORT
    • 52992 is the same as specifying ALL-RC2_MD5_EXPORT-RC4_MD5_EXPORT

Depending upon the level of System SSL support installed, some ciphers might not be supported. System SSL ignores the unsupported ciphers. Consult the System SSL documentation to determine the specific ciphers that your installation supports.

See Setting up for SSL/TLS for more SSL/TLS information.

Default = ANY

sslKeyRingFile name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the path and file name of the SSL/TLS key database file, the name of the RACF key ring, or the name of the PKCS #11 token to be used by the LDAP server. SSL/TLS connections are not available if this option is not specified.

When using a key database file, the file path and name specified here must match the path and name of the key database file that was created using the gskkyman utility (see z/OS Cryptographic Services System SSL Programming). Also, see Setting up for SSL/TLS for more SSL/TLS information.

The LDAP server supports the use of a RACF key ring. Specify the RACF key ring name for the sslKeyRingFile and comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options to use this support.

The LDAP server also supports the use of a PKCS #11 token. Specify the PKCS #11 token on the sslKeyRingFile configuration option in the following format (where NAME is the name of the PKCS #11 token): *TOKEN*/NAME. Ensure that the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options are commented out to use this support.

See Creating and using key databases, key rings, or PKCS #11 tokens for more information.

sslKeyRingFilePW string
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the password protecting access to the SSL/TLS key database file. The password string must match the password to the key database file that was created using the gskkyman utility (see z/OS Cryptographic Services System SSL Programming). Also, see Setting up for SSL/TLS for more SSL/TLS information.

Note: Use of the sslKeyRingFilePW configuration option is discouraged. As an alternative, use either a RACF key ring, a PKCS #11 token, or specify the sslKeyRingPWStashFile configuration option.

Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options if you are using a RACF key ring or PKCS #11 token.

sslKeyRingPWStashFile name
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies a file system file name where the password for the server's key database file is stashed. Use the full path name of the stash file in the file system for name.

If this option is present, then the password from this stash file overrides the sslKeyRingFilePW configuration option, if present. Use the gskkyman utility with the -s option to create a key database password stash file. See Setting up for SSL/TLS for more SSL/TLS information.

Comment out the sslKeyRingFilePW and sslKeyRingPWStashFile configuration options if you are using a RACF key ring or PKCS #11 token.

sslMapCertificate {off | check | add | replace} {fail | ignore}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the server maps a certificate used in a SASL EXTERNAL bind to the RACF user that is associated with the certificate.

When check, add, or replace is specified for the first value, RACF is searched for the user ID associated with the certificate used during a SASL certificate bind. The sslKeyRingFile configuration option must be specified to indicate which key database, RACF key ring, or PKCS #11 token to use to do this. If there is no RACF user ID associated with the certificate and fail is specified for the second value, then the SASL EXTERNAL bind fails. If there is no associated RACF user ID and ignore is specified for the second value, the bind continues without mapping the certificate to a RACF user.

If an associated RACF user ID is found and add or replace is specified for the first value, a distinguished name (DN) is created based on the user ID and the SDBM suffix. For add, this mapped DN is added to the list of DNs associated with the bind DN that was created from the subject's name in the certificate. For replace, this mapped DN replaces the bind DN that was created from the subject's name in the certificate. The mapped DN is used when gathering the groups in which the bound user exists and when checking authorization for LDAP operations, including SDBM operations. SDBM must be configured when add or replace is specified.

When off is specified for the first value, RACF is not searched for the user ID associated with the certificate and no certificate mapping is performed. In this case, it does not matter what the second value is (fail or ignore).

Default = off fail
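
The following added example, not IBM code, works through the four first values and the two second values of sslMapCertificate to show which DNs a SASL EXTERNAL bind ends up authorized as, and where the bind fails. The RACF lookup is a constructed dict keyed by the certificate subject DN (real RACF maps by the certificate itself, not by the subject string), and the shape of the mapped DN, racfid=USER,profiletype=user,<SDBM suffix>, is an assumption; the page only says the DN is built from the user ID and the SDBM suffix.

```python
"""Outcome of a SASL EXTERNAL bind under sslMapCertificate.

Added example, not IBM code. The RACF lookup is a constructed dict and the
mapped DN shape (racfid=USER,profiletype=user,<suffix>) is assumed.
"""
from typing import Callable, Dict, List, Optional


class BindFailed(Exception):
    """SASL EXTERNAL bind rejected."""


def make_racf_lookup(mapping: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Constructed stand-in for the RACF certificate-to-user-ID search."""
    return lambda subject_dn: mapping.get(subject_dn)


def bind_dns_for_certificate(subject_dn: str,
                             racf_lookup: Callable[[str], Optional[str]],
                             mode: str = "off",
                             on_unmapped: str = "fail",
                             sdbm_suffix: Optional[str] = None) -> List[str]:
    """Return the DNs the bound client is authorized as; first one is the bind DN."""
    mode, on_unmapped = mode.lower(), on_unmapped.lower()
    if mode == "off":
        return [subject_dn]  # RACF is not searched; the second value is irrelevant
    if mode in ("add", "replace") and not sdbm_suffix:
        raise ValueError("SDBM must be configured for sslMapCertificate add/replace")
    user = racf_lookup(subject_dn)
    if user is None:
        if on_unmapped == "fail":
            raise BindFailed("no RACF user ID is associated with the certificate")
        return [subject_dn]  # ignore: the bind continues without a mapping
    if mode == "check":
        return [subject_dn]  # verified, but no mapped DN is created
    mapped = "racfid=%s,profiletype=user,%s" % (user.upper(), sdbm_suffix)  # assumed shape
    return [subject_dn, mapped] if mode == "add" else [mapped]


if __name__ == "__main__":
    lookup = make_racf_lookup({"cn=alice,o=example": "ALICE"})  # constructed mapping
    for mode in ("off", "check", "add", "replace"):
        print(mode, bind_dns_for_certificate("cn=alice,o=example", lookup, mode,
                                             "fail", "cn=racf,o=example"))
```

The ignore setting is the one to review: a certificate the server trusts but that RACF has never been told about still binds, authorized only as the DN taken from the certificate subject, which may match nothing in the directory or, worse, collide with an entry an attacker can influence.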

suffix dn_suffix
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X X      

Denotes the distinguished name of the root of a subtree in the namespace managed by this backend within the LDAP server. This option might be specified more than once to indicate all the roots of the subtrees within this backend except for the SDBM backend. The SDBM backend must have only one suffix. Note a suffix cannot be specified for the GDBM, CDBM, and EXOP backends. When the GDBM backend is configured, the cn=changelog suffix is reserved. When the CDBM backend is configured, the cn=configuration and cn=ibmpolicies suffixes are reserved.

Identical and overlapping suffixes cannot be specified in the LDAP server configuration file, even if the suffixes are within different backends. These suffixes create confusion and can result in unexpected results. An example of overlapping suffixes is:
suffix ou=Server Group, o=IBM
suffix o=IBM

See Specifying a value for a distinguished name for information about specifying special characters and restrictions on attributes in the suffix.

Domain Component naming as specified in RFC 2247: Using Domains in LDAP/X.500 Distinguished Names is also supported in the LDAP server. For example, the domain name ibm.com could be specified as the following suffix in the configuration file:
suffix "dc=ibm,dc=com"
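
The following is an added example, not part of the IBM documentation or the LDAP server's own configuration checking: a small Python script that reads the suffix lines of a configuration file and reports the identical and overlapping suffixes described above. It assumes a simplified DN normalization (lower-casing and stripping blanks around the RDN separators, with no handling of escaped commas) and a constructed configuration fragment; the backend module names in the sample only show that the check spans backends, because the restriction applies across all of them.

```python
"""Check an LDAP server configuration for identical or overlapping suffix values."""


def normalize_dn(dn):
    # Lower-case each RDN and strip blanks around '=' and ','; escaped separators are not handled.
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in dn.split(","))


def collect_suffixes(config_text):
    """Return (original_value, normalized_rdn_list) for every suffix line, across all backends."""
    found = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("suffix "):
            value = stripped[len("suffix "):].strip().strip('"')
            found.append((value, normalize_dn(value).split(",")))
    return found


def suffix_conflicts(config_text):
    """Return (suffix_a, suffix_b, kind) triples; kind is 'identical' or 'overlapping'.

    Two suffixes overlap when one names an entry beneath the other, that is, when the
    RDN list of one ends with the RDN list of the other (ou=Server Group,o=IBM is under o=IBM).
    """
    suffixes = collect_suffixes(config_text)
    conflicts = []
    for i in range(len(suffixes)):
        for j in range(i + 1, len(suffixes)):
            (raw_a, a), (raw_b, b) = suffixes[i], suffixes[j]
            if a == b:
                conflicts.append((raw_a, raw_b, "identical"))
            elif len(a) > len(b) and a[-len(b):] == b:
                conflicts.append((raw_a, raw_b, "overlapping"))
            elif len(b) > len(a) and b[-len(a):] == a:
                conflicts.append((raw_a, raw_b, "overlapping"))
    return conflicts


# Constructed configuration fragment (not taken from a real server). The database
# lines are present only to show that suffixes in different backends are still compared.
SAMPLE_CONFIG = """\
database LDBM GLDBLD31
suffix "ou=Server Group, o=IBM"
database TDBM GLDBTD31
suffix o=IBM
suffix "dc=ibm,dc=com"
suffix "O=IBM"
"""

if __name__ == "__main__":
    for a, b, kind in suffix_conflicts(SAMPLE_CONFIG):
        print(f"{kind}: '{a}' vs '{b}'")
```

Run against the sample, the script reports the ou=Server Group, o=IBM suffix as overlapping with both o=IBM entries and the two o=IBM entries as identical, which is exactly the combination the server rejects; a configuration whose suffixes are unrelated (for example o=IBM and dc=ibm,dc=com) produces no report.
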

supportKrb5 {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server participates in Kerberos GSS API authentication. If it participates, then Kerberos GSS API binds are accepted and information is stored in the server's root DSE.

Default = off

tcpTerminate {terminate | recover}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the LDAP server ends when network interfaces are not active. The LDAP server periodically polls the network interfaces it is using to determine when they go down and come back up. If an interface fails but the LDAP server still has at least one active interface, the server continues processing and reestablishes a failed interface when it detects that it has become active. If all interfaces fail and tcpTerminate terminate is specified, the LDAP server ends. If tcpTerminate recover is specified, then the LDAP server remains active and attempts to reestablish network interfaces when it detects they have become active. All client operations targeted to the LDAP server fail until a network interface can be reconnected. The frequency of polling can be set using the LDAP_NETWORK_POLL environment variable. See Environment variables used by the LDAP server for more information.

The tcpTerminate option is also used to determine whether the LDAP server ends if SSL or Kerberos initialization fails during server initialization. If terminate is specified, the LDAP server ends. If recover is specified, the LDAP server continues initialization, but the failed interface (SSL or Kerberos) cannot be used until the error is fixed and the LDAP server is restarted.

Default = recover

timeLimit num-seconds
Global TDBM LDBM SDBM GDBM CDBM EXOP
X X X X X X  

Specifies the maximum number of seconds (in real time) the LDAP server spends answering a search request. This maximum number can be modified on a specific search request as described below. If a request cannot be processed within this time, a result indicating an exceeded time limit is returned.

Range = 0 - 2147483647

0 = no limit

Default = 3600

This option applies to all backends, except EXOP, unless specifically overridden in a backend definition or in group search limits. Specifying this before a database line in the configuration file sets the option for all backends, except EXOP. Specifying it after a database line sets the option just for the backend defined by the database line. Specifying a time limit using group search limits sets the limit only for the members of that group. See Managing group search limits for more information about group search limits.

A limit on the amount of time can also be specified by the client on a search request. The following behavior is used when determining the time limit for a search request:
  • If the client has not bound as an administrator:
    • If a group search time limit exists for the requester, then the time used to limit the search is the smaller of the time limit passed by the client and the group search time limit. If the client does not specify a time limit on the search, then the group search time limit is used.
    • If a group search time limit does not exist for the requester, then the time used to limit the search is the smaller of the time limit passed by the client and the time limit read by the server from the timeLimit configuration option in the configuration file (which defaults to 500). If the client does not specify a time limit, then the server time limit is used.
  • If the client has bound as an administrator, the time limit is the value passed by the client. If the client does not specify a limit, then the amount of time is unlimited. The time limits from the configuration file and from group search limits are ignored when the client has bound as an administrator.
When accessing the z/OS LDAP server support for RACF (the SDBM backend):
  • The limit is the smaller of the limit passed by the client and the limit read by the server from the timeLimit option in the configuration file (which defaults to 3600). If the client does not specify a limit, then the server limit is used. It does not matter how the client has bound.
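
The rules above, written out as one function so the resulting limit can be checked for any combination of client limit, group search limit, administrator bind and backend. This is an added example, not code from the IBM documentation or from the server. It assumes the convention that a limit of 0 means "no limit" (as the timeLimit option itself states, and as an LDAP search request with timeLimit 0 means) and that a client that sends no time limit is treated the same as one that sends 0.

```python
"""Compute the time limit the server applies to a search, following the rules above.

Assumed convention: 0 means "no limit", and a client that sends no time limit is
treated as having sent 0 (this mirrors the timeLimit option and the LDAP protocol).
"""

UNLIMITED = 0


def smaller_limit(a, b):
    """Return the more restrictive of two limits, where 0 means unlimited."""
    if a == UNLIMITED:
        return b
    if b == UNLIMITED:
        return a
    return min(a, b)


def effective_time_limit(client_limit, server_limit, group_limit=None,
                         bound_as_admin=False, sdbm=False):
    """Seconds the server spends on the search; 0 means no limit.

    client_limit   : time limit from the search request (0 or None = not specified)
    server_limit   : timeLimit from the configuration file for this backend
    group_limit    : group search time limit for the requester, or None if none exists
    bound_as_admin : True when the client has bound as an administrator
    sdbm           : True when the search targets the SDBM (RACF) backend
    """
    client_limit = client_limit or UNLIMITED
    if sdbm:
        # SDBM: always the smaller of the client and server limits, however the client bound.
        return smaller_limit(client_limit, server_limit)
    if bound_as_admin:
        # Administrator: the client's value is used as-is; no value means unlimited,
        # and the configuration file and group search limits are ignored.
        return client_limit
    if group_limit is not None:
        # Non-administrator with a group search limit: smaller of client and group limits.
        return smaller_limit(client_limit, group_limit)
    # Non-administrator without a group search limit: smaller of client and server limits.
    return smaller_limit(client_limit, server_limit)


if __name__ == "__main__":
    # Constructed cases: (client, server, group, admin, sdbm)
    cases = [
        (100, 3600, None, False, False),
        (None, 3600, 60, False, False),
        (7200, 3600, None, True, False),
        (None, 3600, None, True, False),
        (7200, 3600, None, True, True),
    ]
    for client, server, group, admin, sdbm in cases:
        limit = effective_time_limit(client, server, group, admin, sdbm)
        print(f"client={client} server={server} group={group} admin={admin} "
              f"sdbm={sdbm} -> {limit or 'unlimited'}")
```

The SDBM case is the one worth noticing: an administrator bind that would be unlimited against LDBM or TDBM is still capped at the configured timeLimit when the search runs against RACF.
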

There are additional considerations for time limit when performing a subtree search from the root DSE (a NULL-based search). See Root DSE search with subtree scope (Null-based subtree search) for more information.

useAdvancedReplication {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
          X  

Specifies whether the LDAP server supports advanced replication. If advanced replication is active, then the masterServer, masterServerDN, masterServerPW, peerServer, peerServerDN, and peerServerPW configuration options cannot be specified in any LDBM, TDBM, or CDBM backends.
Note:
  • The LDAP server does not start when useAdvancedReplication on is specified and entries with an objectclass of replicaObject are present in a TDBM, LDBM, or CDBM backend. In this configuration, any request to add or modify an entry with an objectclass of replicaObject is rejected.
  • The LDAP server does not start when useAdvancedReplication off is specified and entries with an objectclass of ibm-replicationAgreement, ibm-replicationContext, ibm-replicationGroup, or ibm-replicationSubEntry are present in a TDBM, LDBM, or CDBM backend. In this configuration, any request to add or modify an entry with one of these objectclass values is rejected.

See Advanced replication for additional information about advanced replication.

The server compatibility level must be at least 5 when useAdvancedReplication on is specified. See the serverCompatLevel {3 | 4 | 5 | 6 | 7} configuration option for more information about the server compatibility level.

Default = off

useNativeAuth {selected | all | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
  X X     X  

Enables native authentication in the backend. If the value is:
  • selected, only entries with the ibm-nativeId attribute that are within the native subtrees (see nativeAuthSubtree option at nativeAuthSubtree {all | dn}) use native authentication.
  • all, all entries within native subtrees use native authentication. These entries can contain the ibm-nativeId or uid attribute to specify the RACF ID.
  • off, no entries participate in native authentication.
Note: z/OS LDAP password policy does not apply to entries participating in native authentication.

Default = off

validateincomingV2strings {on | off}
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies whether the incoming strings are validated. If set to on, this setting limits the format of incoming string data sent over the LDAP Version 2 protocol to the IA5 character set (X'00'-X'7F' or "7-bit ASCII"). With this setting, textual data received on operations outside of the IA5 character set causes the operations to fail with LDAP_PROTOCOL_ERROR.

Default = on

Note: although running with this validation disabled is supported, it is suggested that you do not disable this data filtering.

wlmExcept name [IP_address] [dn]
Global TDBM LDBM SDBM GDBM CDBM EXOP
X            

Specifies the Workload Manager (WLM) transaction name used for client requests originating from an IP address or a bound user's distinguished name (DN). The wlmExcept configuration option can be specified multiple times to allow the routing of different LDAP client requests to the same or different WLM transaction names. The order of the wlmExcept configuration options in the LDAP server configuration file determines the order the LDAP server uses to match incoming client requests and route them to the WLM transaction name. During LDAP server initialization, a WLM enclave is created for each unique name. See Workload manager (WLM) for more information about configuring the LDAP server to use WLM.
name
Specifies the WLM transaction name used for this enclave. The name must be 1-8 characters long and can consist of letters, numbers, and the special characters '$', '#', or '@'. The WLM transaction name must be configured in WLM. Multiple wlmExcept configuration options with the same name use the same enclave.
IP_address
Specifies the client's IPv4 or IPv6 address to be associated with this WLM enclave.
dn
Specifies the bind user's distinguished name to be associated with this WLM enclave. For information about specifying a value for a distinguished name for this option, see Specifying a value for a distinguished name.
Note:
  1. If neither the IP_address nor the dn value is specified with the wlmExcept configuration option, a WLM enclave is created with the transaction name given by name. However, the enclave is not associated with any client requests until a WLMEXCEPT modify command is issued.
  2. If both IP_address and dn are specified, only incoming client requests originating from that IP_address and bound as the dn are routed to the WLM transaction name specified.

Default = GENERAL

By default, the WLM transaction name, GENERAL, is used by the LDAP server for client requests originating from IP addresses or bind distinguished names not specified on wlmExcept configuration options. WLM transaction name GENERAL must be configured in WLM. See z/OS MVS Planning: Workload Management for more information about configuring WLM.
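
The matching rules for wlmExcept, carried through in an added Python example (not code from the IBM documentation or from the LDAP server) so that the effect of rule order, the "both must match" rule, and the GENERAL default can be checked on constructed input. The parser, the WlmRule class, the name check and the simplified DN normalization (lower-casing and stripping blanks around RDN separators, no escaped-comma handling) are all assumptions of this example; the sample addresses are documentation ranges and the DNs are constructed.

```python
"""Route client requests to WLM transaction names according to wlmExcept rules."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# 1-8 characters: letters, digits, '$', '#', '@'
_WLM_NAME = re.compile(r"^[A-Za-z0-9$#@]{1,8}$")


def valid_wlm_name(name):
    return bool(_WLM_NAME.match(name))


def normalize_dn(dn):
    # Lower-case each RDN and strip blanks around '=' and ','; escaped separators are not handled.
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in dn.split(","))


@dataclass
class WlmRule:
    name: str
    ip: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]] = None
    dn: Optional[str] = None   # normalized bind DN


def parse_wlm_except(line):
    """Parse one 'wlmExcept name [IP_address] [dn]' configuration line."""
    tokens = line.split(None, 2)          # option keyword, name, remainder
    if len(tokens) < 2 or tokens[0].lower() != "wlmexcept":
        raise ValueError(f"not a wlmExcept line: {line!r}")
    name = tokens[1]
    if not valid_wlm_name(name):
        raise ValueError(f"invalid WLM transaction name: {name!r}")
    ip = dn = None
    rest = tokens[2].strip() if len(tokens) == 3 else ""
    if rest:
        first, _, tail = rest.partition(" ")
        try:
            ip = ipaddress.ip_address(first)  # IPv4 or IPv6 literal
            rest = tail.strip()
        except ValueError:
            pass                              # not an address, so the remainder is the DN
    if rest:
        dn = normalize_dn(rest.strip('"'))
    return WlmRule(name, ip, dn)


def load_rules(config_text) -> List[WlmRule]:
    return [parse_wlm_except(line) for line in config_text.splitlines()
            if line.strip().lower().startswith("wlmexcept")]


def route(rules, client_ip, bind_dn=None, default="GENERAL"):
    """Return the WLM transaction name for a request; rules are checked in file order."""
    addr = ipaddress.ip_address(client_ip)
    dn = normalize_dn(bind_dn) if bind_dn else None   # None for an anonymous bind
    for rule in rules:
        if rule.ip is None and rule.dn is None:
            continue   # enclave exists but is unassociated until a WLMEXCEPT modify command
        if rule.ip is not None and rule.ip != addr:
            continue
        if rule.dn is not None and rule.dn != dn:
            continue   # when both IP_address and dn are given, both must match
        return rule.name
    return default


# Constructed configuration fragment; addresses are from documentation ranges.
SAMPLE_CONFIG = """\
wlmExcept ADMIN 192.0.2.3 cn=Admin, o=IBM
wlmExcept REPL 2001:db8::10
wlmExcept AUDIT "cn=Auditor, o=IBM"
wlmExcept SPARE
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for ip, dn in [("192.0.2.3", "cn=Admin,o=IBM"), ("192.0.2.3", None),
                   ("2001:db8::10", None), ("198.51.100.7", "cn=Auditor,o=IBM")]:
        print(f"{ip:>16} {dn or '(anonymous)':<22} -> {route(rules, ip, dn)}")
```

Two points the sample makes visible: a request from 192.0.2.3 that is not bound as cn=Admin,o=IBM falls through to GENERAL rather than to ADMIN, because the rule carries both an address and a DN; and a request from 2001:db8::10 bound as cn=Auditor,o=IBM is routed to REPL, not AUDIT, because REPL appears first in the file.
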

Deprecated options

The database option deprecates the use of the database type exop.

The listen option deprecates the security, port, and securePort options in the configuration file. If a listen option is specified in the configuration file with either security, port, or securePort, the listen option takes precedence over what was specified for the deprecated security, port, and securePort options. If using an earlier version of the configuration file that contains the security, port, or securePort options, the LDAP server is configured to listen on the port numbers that are specified for securePort, port, or both, depending upon the security setting. However, you might want the LDAP server to be configured using the listen option. See the description of the listen ldap_URL option for more information.

Ignored options

The replKeyRingFile and replKeyRingPW options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file. Use the sslKeyRingFile configuration option to specify the key database file, RACF key ring, or PKCS #11 token. The sslKeyRingPWStashFile configuration option is used to specify the password stash file for the key database file while the sslKeyRingFilePW configuration option is used to specify the password of the key database file.

The maxThreads and waitingThreads options are no longer necessary or evaluated by the LDAP server. These options are also removed from the configuration file. Use the commThreads option to set the number of threads initialized at server start-up for communicating with the clients. See the description of the commThreads option at commThreads num-threads for more information.

The databasename and verifySchema options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file.

The sysplexGroupName and sysplexServerName options are no longer necessary or evaluated by the LDAP server. These options are removed from the configuration file. Use the serverSysplexGroup option to identify the cross-system coupling facility (XCF) group.

Copyright IBM Corporation 1990, 2014