Binding using a RACF user ID and password or password phrase

The SDBM backend allows for directory authentication (or bind) using the RACF® user ID and password or password phrase. The RACF user and group information that make up an identity can be used to establish access control on other LDAP directory entities. This expands use of the RACF identity to the rest of the LDAP-managed namespace. Note the following when using RACF access:

  • The RACF user ID must have READ access to the LDAP server profile that is defined in RACF. In the following example, LDAPNAME is the job name of the LDAP server and USERID is the RACF user ID used to bind to the LDAP server:
    PERMIT LDAPNAME CLASS(APPL) ID(USERID) ACC(READ)
    SETROPTS RACLIST(APPL) REFRESH
  • An LDAP simple bind to a z/OS LDAP server by using RACF access support but having a non-RACF security manager succeeds if the RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro function call made by the LDAP server is successful. However, group membership information might not be available for the bound distinguished name if the security manager is not RACF.
  • An LDAP simple bind that is made to a z/OS LDAP server by using RACF access support returns an LDAP return code that indicates success or failure. If the return code is LDAP_INVALID_CREDENTIALS, additional information is provided in the message portion of the LDAP result: an LDAP-unique reason code followed by reason code text, in the following format:
    Rnnnnnn text

    The following LDAP reason codes are mapped to return codes returned by the RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro:

    Table 1. LDAP return and reason codes returned to the client when binding to SDBM

    LDAP return code          Reason code  Text
    LDAP_INVALID_CREDENTIALS  R000104      The password is not correct or the user ID is not completely defined (missing password or UID).
    LDAP_INVALID_CREDENTIALS  R000105      A bind argument is not valid.
    LDAP_INVALID_CREDENTIALS  R000100      The password expired.
    LDAP_INVALID_CREDENTIALS  R000101      The new password is not valid.
    LDAP_INVALID_CREDENTIALS  R000102      The user ID has been revoked.
    LDAP_OPERATIONS_ERROR     R000208      Unexpected racroute error safRC=safRC racfRC=racfRC racfReason=racfReason
    Note:
    1. The same reason codes are issued when binding using a password or a password phrase.
    2. The use of RACF passtickets is supported by the z/OS® LDAP server when binding through SDBM. The job name that is associated with the LDAP Server started task should be used as the application name when generating RACF passtickets. See z/OS Security Server RACF Macros and Interfaces for more information about RACF passtickets.
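The "Rnnnnnn text" message format and the Table 1 mapping above are what an LDAP client or log reviewer has to parse to tell a wrong password from an expired password, a revoked ID, or a RACROUTE failure. The following is an added example, not part of this documentation or of the z/OS LDAP server: the function names, the dictionary of reason codes, and the sample bind results (including the safRC/racfRC/racfReason values) are constructed for illustration.

```python
import re
# Reason codes from Table 1 (SDBM bind), keyed by the Rnnnnnn value.
SDBM_REASON_CODES = {
    "R000104": "password incorrect or user ID not completely defined",
    "R000105": "bind argument not valid",
    "R000100": "password expired",
    "R000101": "new password not valid",
    "R000102": "user ID revoked",
    "R000208": "unexpected RACROUTE error",
}
# Message portion format documented above: "Rnnnnnn text".
_REASON_RE = re.compile(r"\b(R\d{6})\b\s*(.*)", re.DOTALL)
# R000208 text carries the SAF/RACF codes; capture them for triage.
_RACROUTE_RE = re.compile(r"safRC=(\w+)\s+racfRC=(\w+)\s+racfReason=(\w+)")

def parse_sdbm_bind_result(result_code, message):
    """Describe one bind result; reason fields stay None when the message
    carries no Rnnnnnn code (for example on a successful bind)."""
    out = {"result_code": result_code, "reason_code": None,
           "reason_text": None, "known": False, "racroute": None}
    m = _REASON_RE.search(message or "")
    if m is None:
        return out
    code, text = m.group(1), m.group(2).strip()
    out.update(reason_code=code, reason_text=text, known=code in SDBM_REASON_CODES)
    if code == "R000208" and (r := _RACROUTE_RE.search(text)):
        out["racroute"] = dict(zip(("safRC", "racfRC", "racfReason"), r.groups()))
    return out

def summarize_bind_failures(results):
    """Count results per reason code so a burst of R000104 (wrong password)
    or binds against revoked IDs (R000102) stands out during review."""
    counts = {}
    for result_code, message in results:
        key = parse_sdbm_bind_result(result_code, message)["reason_code"] or "none"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample bind results (hypothetical values, not real server output).
BAD_PW = "R000104 The password is not correct or the user ID is not completely defined (missing password or UID)."
SAMPLE_RESULTS = [
    ("LDAP_INVALID_CREDENTIALS", BAD_PW),
    ("LDAP_INVALID_CREDENTIALS", "R000102 The user ID has been revoked."),
    ("LDAP_INVALID_CREDENTIALS", BAD_PW),
    ("LDAP_OPERATIONS_ERROR", "R000208 Unexpected racroute error safRC=8 racfRC=8 racfReason=16"),
    ("LDAP_SUCCESS", ""),
]
```

Feed `summarize_bind_failures` the (result code, diagnostic message) pairs collected from bind attempts; an R000208 entry should be raised with the RACF administrator along with its captured SAF/RACF codes rather than treated as a user error.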