Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Requirements for a user ID that runs the LDAP server z/OS IBM Tivoli Directory Server Administration and Use for z/OS SC23-6788-00 |
|
Any user ID can be used to run the LDAP server. The examples in this topic use a user ID of LDAPSRV in the commands provided. Note if the UID of the user ID running the LDAP server is not zero, all console messages that are produced by the LDAP server are accompanied by a BPXM023I message identifying the user writing to the console. The user ID performing the RACF® commands in the following examples requires RACF SPECIAL authority. You can use the RACF commands in the following example to define the user ID that runs the LDAP server (substitute appropriate values for UID and GID).
The following RACF commands give the LDAP server access to the Workload Manager (WLM). This is required when starting the LDAP server even if WLM is not being used to classify or prioritize work within the LDAP server.
The following RACF commands are entered if the BPX.SERVER profile is defined.
When file-based backend (LDBM, GDBM (file-based),
CDBM) commits are done or the schema is modified, the LDAP server
creates a new version of necessary files, and updates the permissions
and ownership of the files to maintain the original permissions and
ownership. If the LDAP server user ID has a nonzero UID value, more
permissions might be needed to allow access to files it uses and for
it to perform chmod and chown commands on the schema
or backend files and directories. The examples below can be used,
but should be evaluated and tailored to comply with your own security
policies:
If you are going to set up more than one LDAP server on the same system, a separate user ID is used for each one. Additional setup when using SDBMIf
you plan to use an SDBM backend, the following RACF commands must be entered to set up the
user ID that runs the LDAP server:
The SDBM backend also supports the RACF functions that search for users and groups with a given UID or GID value, control sharing user UID and group GID values, and retrieve a user password or password phrase envelope. Usage of these functions requires additional RACF configuration and profiles, as described in the RACF documentation. Additional setup for RACF PROXY segment and SDBMThe SDBM backend supports the PROXY segment within the RACF user profile. If you intend to use SDBM to set the BINDPW value in the PROXY segment, RACF requires that you create KEYSMSTR class profile LDAP.BINDPW.KEY with the SSIGNON segment.
See z/OS Security Server RACF Command Language Reference for details on using these RACF commands and z/OS Security Server RACF Security Administrator's Guide for information about creating and using profiles. Additional setup for sysplexIf you plan to run the LDAP server in a sysplex group, the user
ID that runs the LDAP server must have READ access to the GLD.XCF.GROUP.group_name resource
in the FACILITY class, where group_name is the value of the serverSysplexGroup option
in the LDAP server configuration file. For example, if the serverSysplexGroup value
is LDAP, then issue the following RACF commands:
Defining the Kerberos identityIf you plan to enable Kerberos support you must associate a Kerberos identity with the server’s user ID and generate a Kerberos key. The following RACF command must be entered:
Note ldap_prefix must be either ldap or LDAP. Use ldap unless compatibility with earlier z/OS LDAP clients is needed. Also, the hostname must be the primary host name for the system in DNS. If the LDAP server is located on the same machine as the Key Distribution Center (KDC), a key table is not necessary to start the LDAP server. However, the user ID that starts the server must have at least read access to IRR.RUSERMAP in the FACILITY class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. This can be done by issuing the following RACF commands:
If the LDAP server is not running on the same machine as the Kerberos KDC server, then a key table is required. The kadmin command can be used to create or update the key table in a directory that can be accessed by the LDAP server. The kadmin command must be used to get the KDC to generate the key table when the KDC does not reside on z/OS. However, the keytab command can be used to add the principal to the key table if the principal's password is known. The name of the key table is then specified in the krbKeytab option in the LDAP server configuration file. See z/OS Integrated Security Services Network Authentication Service Administrationfor more information about configuring the KDC. Additional setup for generating audit recordsIf you plan to generate LDAP SMF 83 audit records, the following RACF commands must be entered to
set up the user ID that runs the LDAP server:
Additional setup for using securityLabel optionIf you plan on specifying securityLabel on in the global
section of the LDAP server configuration file, the following RACF commands must be entered to
set up the user ID that runs the LDAP server:
See z/OS UNIX System Services Planning for more information about setting up this profile. For other LDAP server considerations in a multilevel security environment, see z/OS Planning for Multilevel Security and the Common Criteria. Additional setup when defining administrative roles in RACFIf the administrative group and roles are to be defined in RACF, the BPX.SERVER profile in
the FACILITY class is required and the user ID for the LDAP server
must have update access to that profile. The following RACF commands must be entered to set up the
user ID that runs the LDAP server.
The LDAP class must also be activated to define administrative
roles in RACF. The following RACF command activates this class:
Additional setup for using SHA-2 or Salted SHA-2 hashingIf you plan on using any SHA-2 or Salted SHA-2 hashing algorithms
for userPassword and ibm-slapdAdminPw attribute values,
the following RACF commands
must be entered to set up the user ID that runs the LDAP server.
The SHA-2 and Salted SHA-2 hashing algorithms consists of the following
methods: SHA224, SSHA224 (Salted SHA224), SHA256, SSHA256 (Salted
SHA256), SHA384, SSHA384 (Salted SHA384), SHA512, and SSHA512 (Salted
SHA512).
|
Copyright IBM Corporation 1990, 2014
|