z/OS IBM Tivoli Directory Server Administration and Use for z/OS
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Requirements for a user ID that runs the LDAP server

z/OS IBM Tivoli Directory Server Administration and Use for z/OS
SC23-6788-00

Any user ID can be used to run the LDAP server. The examples in this topic use a user ID of LDAPSRV in the commands provided.

Note if the UID of the user ID running the LDAP server is not zero, all console messages that are produced by the LDAP server are accompanied by a BPXM023I message identifying the user writing to the console.

The user ID performing the RACF® commands in the following examples requires RACF SPECIAL authority.

You can use the RACF commands in the following example to define the user ID that runs the LDAP server (substitute appropriate values for UID and GID).

ADDGROUP LDAPGRP SUPGROUP(SYS1) OMVS(GID(2))
ADDUSER LDAPSRV DFLTGRP(LDAPGRP) OMVS(UID(1) PROGRAM('/bin/sh'))

The following RACF commands give the LDAP server access to the Workload Manager (WLM). This is required when starting the LDAP server even if WLM is not being used to classify or prioritize work within the LDAP server.

RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

The following RACF commands are entered if the BPX.SERVER profile is defined.

PERMIT BPX.SERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
When file-based backend (LDBM, GDBM (file-based), CDBM) commits are done or the schema is modified, the LDAP server creates a new version of necessary files, and updates the permissions and ownership of the files to maintain the original permissions and ownership. If the LDAP server user ID has a nonzero UID value, more permissions might be needed to allow access to files it uses and for it to perform chmod and chown commands on the schema or backend files and directories. The examples below can be used, but should be evaluated and tailored to comply with your own security policies:
  • Grant control access to the SUPERUSER.FILESYS profile in the UNIXPRIV class. You might not want control access to the SUPERUSER.FILESYS profile because it grants the LDAP server user ID access to all files and directories in z/OS® UNIX System Services. See z/OS UNIX System Services Planning for more information. Issue these RACF commands to grant control access to SUPERUSER.FILESYS:
    RDEFINE UNIXPRIV SUPERUSER.FILESYS UACC(NONE)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(CONTROL)
SETROPTS CLASSACT(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV) REFRESH
  • Grant read access to the SUPERUSER.FILESYS.CHOWN and SUPERUSER.FILESYS.CHANGEPERMS profiles in the UNIXPRIV class by issuing these RACF commands:
    RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHOWN UACC(NONE)
PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(READ) 
RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHANGEPERMS UACC(NONE)
PERMIT SUPERUSER.FILESYS.CHANGEPERMS CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(READ)
SETROPTS CLASSACT(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV) REFRESH

If you are going to set up more than one LDAP server on the same system, a separate user ID is used for each one.

Parent topic: Setting up the user ID and security for the LDAP server

Additional setup when using SDBM

If you plan to use an SDBM backend, the following RACF commands must be entered to set up the user ID that runs the LDAP server: 
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

The SDBM backend also supports the RACF functions that search for users and groups with a given UID or GID value, control sharing user UID and group GID values, and retrieve a user password or password phrase envelope. Usage of these functions requires additional RACF configuration and profiles, as described in the RACF documentation.

Additional setup for RACF PROXY segment and SDBM

The SDBM backend supports the PROXY segment within the RACF user profile. If you intend to use SDBM to set the BINDPW value in the PROXY segment, RACF requires that you create KEYSMSTR class profile LDAP.BINDPW.KEY with the SSIGNON segment.

  • To create the LDAP.BINDPW.KEY profile in the KEYSMSTR class, use the KEYMASKED sub-operand if no cryptographic product is installed on your system: 
    RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYMASKED(key-value))

    Or, use the KEYENCRYPTED sub-operand if a cryptographic product is installed:

    RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(key-value))

    key-value is a Secured Sign-on Application key and must be specified as a string of 16 hexadecimal characters.

  • Then, activate the KEYSMSTR class: 
    SETROPTS CLASSACT(KEYSMSTR)

See z/OS Security Server RACF Command Language Reference for details on using these RACF commands and z/OS Security Server RACF Security Administrator's Guide for information about creating and using profiles.

Additional setup for sysplex

If you plan to run the LDAP server in a sysplex group, the user ID that runs the LDAP server must have READ access to the GLD.XCF.GROUP.group_name resource in the FACILITY class, where group_name is the value of the serverSysplexGroup option in the LDAP server configuration file. For example, if the serverSysplexGroup value is LDAP, then issue the following RACF commands:
RDEFINE FACILITY GLD.XCF.GROUP.LDAP UACC(NONE)
PERMIT GLD.XCF.GROUP.LDAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Defining the Kerberos identity

If you plan to enable Kerberos support you must associate a Kerberos identity with the server’s user ID and generate a Kerberos key. The following RACF command must be entered:

ALTUSER LDAPSRV PASSWORD(password) NOEXPIRED KERB(KERBNAME(ldap_prefix/hostname))
ALTUSER LDAPSRV NOPASSWORD

Note ldap_prefix must be either ldap or LDAP. Use ldap unless compatibility with earlier z/OS LDAP clients is needed. Also, the hostname must be the primary host name for the system in DNS.

If the LDAP server is located on the same machine as the Key Distribution Center (KDC), a key table is not necessary to start the LDAP server. However, the user ID that starts the server must have at least read access to IRR.RUSERMAP in the FACILITY class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. This can be done by issuing the following RACF commands:

RDEFINE FACILITY IRR.RUSERMAP UACC(NONE) 
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

If the LDAP server is not running on the same machine as the Kerberos KDC server, then a key table is required. The kadmin command can be used to create or update the key table in a directory that can be accessed by the LDAP server. The kadmin command must be used to get the KDC to generate the key table when the KDC does not reside on z/OS. However, the keytab command can be used to add the principal to the key table if the principal's password is known. The name of the key table is then specified in the krbKeytab option in the LDAP server configuration file.

See z/OS Integrated Security Services Network Authentication Service Administrationfor more information about configuring the KDC.

Additional setup for generating audit records

If you plan to generate LDAP SMF 83 audit records, the following RACF commands must be entered to set up the user ID that runs the LDAP server:
RDEFINE FACILITY IRR.RAUDITX UACC(NONE)
PERMIT IRR.RAUDITX CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Additional setup for using securityLabel option

If you plan on specifying securityLabel on in the global section of the LDAP server configuration file, the following RACF commands must be entered to set up the user ID that runs the LDAP server:
RDEFINE FACILITY BPX.POE UACC(NONE)
PERMIT BPX.POE CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

See z/OS UNIX System Services Planning for more information about setting up this profile. For other LDAP server considerations in a multilevel security environment, see z/OS Planning for Multilevel Security and the Common Criteria.

Additional setup when defining administrative roles in RACF

If the administrative group and roles are to be defined in RACF, the BPX.SERVER profile in the FACILITY class is required and the user ID for the LDAP server must have update access to that profile. The following RACF commands must be entered to set up the user ID that runs the LDAP server.
RDEFINE FACILITY BPX.SERVER UACC(NONE)
PERMIT BPX.SERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
The LDAP class must also be activated to define administrative roles in RACF. The following RACF command activates this class:
SETROPTS CLASSACT(LDAP)

Additional setup for using SHA-2 or Salted SHA-2 hashing

If you plan on using any SHA-2 or Salted SHA-2 hashing algorithms for userPassword and ibm-slapdAdminPw attribute values, the following RACF commands must be entered to set up the user ID that runs the LDAP server. The SHA-2 and Salted SHA-2 hashing algorithms consists of the following methods: SHA224, SSHA224 (Salted SHA224), SHA256, SSHA256 (Salted SHA256), SHA384, SSHA384 (Salted SHA384), SHA512, and SSHA512 (Salted SHA512).
RDEFINE CSFSERV CSFOWH UACC(NONE)
PERMIT CSFOWH CLASS(CSFSERV) ID(LDAPSRV) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014