Administrative group member examples

The following example adds the administrative group member under the cn=admingroup,cn=configuration entry and assigns password administrator and directory administrator roles to the member, cn=dpAdmin, that has a password value of secret. This example uses the ldapadd utility to add the cn=admindp,cn=AdminGroup,cn=configuration entry.
ldapadd -D "cn=admin" -w xxxx -f admingroup.ldif
where admingroup.ldif contains:
dn: cn=admindp,cn=AdminGroup,cn=configuration
changetype: add
objectclass: ibm-slapdAdminGroupMember
ibm-slapdAdminDN: cn=dpAdmin
ibm-slapdAdminPW: secret
ibm-slapdAdminrole: dirDataAdmin
ibm-slapdAdminrole: PasswordAdmin
The following example adds the administrative group member, racfid=pAdmin,profiletype=user,cn=myracf, to the cn=safadmingroup,cn=configuration entry and assigns the password administrator role to the member. The user ID, pAdmin, is an existing SAF user ID. This example also illustrates native authentication with RACF® used to assign roles. See Example of setting up native authentication for more information. This example uses the ldapmodify utility to modify the cn=safadmingroup,cn=configuration entry.
ldapmodify -D "cn=admin" -w xxxx -f modSafAdminGroup.ldif
where modSafAdminGroup.ldif contains:
dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdmin,profiletype=user,cn=myracf
member: cn=User1,ou=END,o=IBM,c=US
and the cn=User1,ou=END,o=IBM,c=US entry contains ibm-nativeId set to pAdmin.
If the ibm-slapdSAFSecurityDomain attribute in the cn=configuration entry is set to GLDSEC, the following profile in the LDAP class must be created in RACF for the password administrative role:
RDEFINE LDAP GLDSEC.ADMINROLE.PASSWD UACC(NONE) AUDIT(SUCCESS(READ))
The audit level indicates that successful (authorized) READ attempts are logged to the SMF data set. If the profile already exists, use the RALTER RACF command to change the audit settings:
RALTER LDAP GLDSEC.ADMINROLE.PASSWD AUDIT(SUCCESS(READ))
The pAdmin ID must be granted READ access to this profile to have the password administrator role:
PERMIT GLDSEC.ADMINROLE.PASSWD CLASS(LDAP) ID(pAdmin) ACCESS(READ)
The following example adds all members of the RACF group pAdGrp to the administrative group by adding the DN of that group, racfid=pAdGrp,profiletype=group,cn=myracf, to the cn=safadmingroup,cn=configuration entry. The group ID, pAdGrp, is an existing RACF group ID. This example uses the ldapmodify utility to modify the cn=safadmingroup,cn=configuration entry.
ldapmodify -D "cn=admin" -w xxxx -f modSafAdminGroup2.ldif
where modSafAdminGroup2.ldif contains:
dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdGrp,profiletype=group,cn=myracf
The pAdGrp ID must be granted READ access to the GLDSEC.ADMINROLE.PASSWD profile to have the password administrator role:
PERMIT GLDSEC.ADMINROLE.PASSWD CLASS(LDAP) ID(pAdGrp) ACCESS(READ)
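Before issuing the PERMIT commands, it is worth checking that every member of cn=safadmingroup actually maps to a SAF ID; a member DN that is neither a racfid entry nor a native-authentication entry with ibm-nativeId cannot receive the role. The following added example (not IBM's code) resolves the members from the two examples above to the SAF IDs that need READ on GLDSEC.ADMINROLE.PASSWD and flags the ones that resolve to nothing; the LDIF input is constructed sample data and the DN shapes are assumed to follow the examples on this page.

```python
# Added example, not IBM's code. Assumes the DN shapes shown above and native-auth
# entries carrying ibm-nativeId; the LDIF below is constructed sample data.
PROFILE = "GLDSEC.ADMINROLE.PASSWD"
SAMPLE_LDIF = """\
dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdmin,profiletype=user,cn=myracf
member: cn=User1,ou=END,o=IBM,c=US
member: racfid=pAdGrp,profiletype=group,cn=myracf
member: cn=Orphan,ou=END,o=IBM,c=US

dn: cn=User1,ou=END,o=IBM,c=US
objectclass: inetOrgPerson
ibm-nativeId: pAdmin
"""

def parse_ldif(text):
    """Minimal LDIF reader: {lower-cased dn: {lower-cased attr: [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:                          # blank line ends the current entry
            cur = None
        elif attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def rdn_map(dn):
    """Split a simple DN (no escaped commas) into {type: value}."""
    return {k.strip().lower(): v.strip() for k, v in (r.split("=", 1) for r in dn.split(","))}

def resolve_members(entries):
    """Return (SAF IDs in member order, member DNs that map to no SAF ID)."""
    saf_ids, unresolved = [], []
    for dn in entries.get("cn=safadmingroup,cn=configuration", {}).get("member", []):
        parts = rdn_map(dn)
        if "racfid" in parts:                 # SDBM user or group DN: the ID is the racfid
            saf_ids.append(parts["racfid"])
        else:                                 # native authentication: needs ibm-nativeId
            native = entries.get(dn.lower(), {}).get("ibm-nativeid")
            saf_ids.append(native[0]) if native else unresolved.append(dn)
    return saf_ids, unresolved

def permit_commands(saf_ids):
    """One PERMIT per distinct SAF ID; user and group IDs use the same syntax."""
    return [f"PERMIT {PROFILE} CLASS(LDAP) ID({i}) ACCESS(READ)" for i in sorted(set(saf_ids))]
```

On the sample, cn=User1 resolves to pAdmin through its ibm-nativeId, pAdGrp is picked up as a group ID, and cn=Orphan is reported as unresolved because no SAF identity backs it.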
Note: If the dsconfig utility was used to configure the z/OS® TDS server and the RACF job was run, the following commands were run:
SETROPTS GENERIC(LDAP)
RDEFINE LDAP GLDSEC.ADMINROLE.* UACC(NONE)
RDEFINE LDAP GLDSEC.ADMINROLE.NOADMIN UACC(NONE)
SETROPTS CLASSACT(LDAP)