Administrative group member examples
The following example adds the administrative group member under the cn=admingroup,cn=configuration entry and assigns the password administrator and directory administrator roles to the member, cn=dpAdmin, which has a password value of secret. This example uses the ldapadd utility to add the cn=admindp,cn=AdminGroup,cn=configuration entry:

ldapadd -D "cn=admin" -w xxxx -f admingroup.ldif

where admingroup.ldif contains:

dn: cn=admindp,cn=AdminGroup,cn=configuration
changetype: add
objectclass: ibm-slapdAdminGroupMember
ibm-slapdAdminDN: cn=dpAdmin
ibm-slapdAdminPW: secret
ibm-slapdAdminrole: dirDataAdmin
ibm-slapdAdminrole: PasswordAdmin
The following example adds the administrative group member, racfid=pAdmin,profiletype=user,cn=myracf, to the cn=safadmingroup,cn=configuration entry and assigns the password administrator role to the member. The user ID, pAdmin, is an existing SAF user ID. This example also illustrates the use of native authentication together with RACF® to assign roles. See Example of setting up native authentication for more information. This example uses the ldapmodify utility to modify the cn=safadmingroup,cn=configuration entry:

ldapmodify -D "cn=admin" -w xxxx -f modSafAdminGroup.ldif

where modSafAdminGroup.ldif contains:

dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdmin,profiletype=user,cn=myracf
member: cn=User1,ou=END,o=IBM,c=US

and the cn=User1,ou=END,o=IBM,c=US entry contains ibm-nativeId set to pAdmin.
If the ibm-slapdSAFSecurityDomain attribute in the cn=configuration entry is set to GLDSEC, the following profile in the LDAP class must be created in RACF for the password administrator role:

RDEFINE LDAP GLDSEC.ADMINROLE.PASSWD UACC(NONE) AUDIT(SUCCESS(READ))

The audit level indicates that authorized READ attempts are logged to the SMF data set. If the profile already exists, use the RALTER RACF command to change the audit settings:

RALTER LDAP GLDSEC.ADMINROLE.PASSWD AUDIT(SUCCESS(READ))

The pAdmin ID must be granted READ access to this profile to have the password administrator role:

PERMIT GLDSEC.ADMINROLE.PASSWD CLASS(LDAP) ID(pAdmin) ACCESS(READ)
The following example adds all members of a RACF group, pAdGrp, to the administrative group. The DN for that group is racfid=pAdGrp,profiletype=group,cn=myracf, and it must be added to the cn=safadmingroup,cn=configuration entry. The group ID, pAdGrp, is an existing RACF group ID. This example uses the ldapmodify utility to modify the cn=safadmingroup,cn=configuration entry:

ldapmodify -D "cn=admin" -w xxxx -f modSafAdminGroup2.ldif

where modSafAdminGroup2.ldif contains:

dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdGrp,profiletype=group,cn=myracf

The pAdGrp ID must be granted READ access to this profile to have the password administrator role:

PERMIT GLDSEC.ADMINROLE.PASSWD CLASS(LDAP) ID(pAdGrp) ACCESS(READ)
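Both safadmingroup examples above require a matching RACF PERMIT for every member added, and a member whose RACF ID cannot be resolved silently gets no role. The following added Python example (not IBM's code) derives the PERMIT commands from a modify LDIF, taking the ID from the racfid= RDN for SAF members and from ibm-nativeId for native-authentication members; it assumes the GLDSEC security domain and the GLDSEC.ADMINROLE.PASSWD profile shown above, and the helper names, NATIVE_IDS lookup table and sample LDIF are constructed for this example.

```python
import re

# Assumed: ibm-slapdSAFSecurityDomain is GLDSEC, so the password administrator role
# maps to the GLDSEC.ADMINROLE.PASSWD profile in the LDAP class (as in the text).
PASSWD_ROLE_PROFILE = "GLDSEC.ADMINROLE.PASSWD"
# Constructed sample: the member adds from the text (SAF user, native-auth user, SAF group).
SAMPLE_LDIF = """dn: cn=safadmingroup,cn=configuration
changetype: modify
add: member
member: racfid=pAdmin,profiletype=user,cn=myracf
member: cn=User1,ou=END,o=IBM,c=US
member: racfid=pAdGrp,profiletype=group,cn=myracf
"""
# Constructed lookup standing in for the ibm-nativeId attribute of non-SAF member entries.
NATIVE_IDS = {"cn=User1,ou=END,o=IBM,c=US": "pAdmin"}


def parse_members(ldif):
    """Return the member values of an LDIF record after unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF folds long values onto lines that start with a space
    members = []
    for line in unfolded.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "member":
            members.append(value.strip())
    return members


def racf_id_for(dn, native_ids):
    """Map a member DN to the RACF user or group ID that needs the PERMIT, or None."""
    match = re.match(r"racfid=([^,]+),profiletype=(?:user|group),", dn, re.IGNORECASE)
    if match:
        return match.group(1)        # SAF member: the ID is the racfid RDN value
    return native_ids.get(dn)        # native-auth member: the ID is its ibm-nativeId


def permit_commands(ldif, native_ids):
    """Return (deduplicated PERMIT commands, member DNs whose RACF ID could not be resolved)."""
    commands = {}                    # insertion-ordered set of commands
    unresolved = []
    for dn in parse_members(ldif):
        racf_id = racf_id_for(dn, native_ids)
        if racf_id is None:
            unresolved.append(dn)    # such a member gets no role: fix its ibm-nativeId or DN
        else:
            commands[f"PERMIT {PASSWD_ROLE_PROFILE} CLASS(LDAP) ID({racf_id}) ACCESS(READ)"] = None
    return list(commands), unresolved


if __name__ == "__main__":
    cmds, missing = permit_commands(SAMPLE_LDIF, NATIVE_IDS)
    print("\n".join(cmds + [f"# unresolved member: {dn}" for dn in missing]))
```

Review the unresolved list before running the PERMIT commands: each DN in it is a member entry that will be in the administrative group without any RACF-assigned role.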
Note: If the dsconfig utility was used to configure the z/OS® TDS server and the RACF job was run, the following commands were run:

SETROPTS GENERIC(LDAP)
RDEFINE LDAP GLDSEC.ADMINROLE.* UACC(NONE)
RDEFINE LDAP GLDSEC.ADMINROLE.NOADMIN UACC(NONE)
SETROPTS CLASSACT(LDAP)