CDBM backend configuration and policy entries

When the CDBM backend is configured in the LDAP server configuration file, configuration related entries are stored in the cn=configuration suffix while policy entries are stored in the cn=ibmpolicies suffix. These entries contain attributes that represent configuration options. The attribute values can be changed dynamically by an LDAP modify command while the LDAP server is running. All changes take effect immediately, without needing to restart the server. By default, the CDBM backend only allows an LDAP root administrator to modify the configuration and policy entries, but access can be changed by modifying the ACL on these entries. Some administrative roles allow modifying configuration and policy entries in the CDBM backend without modifying ACLs. See Administrative group and roles for more information about administrative role authority.

When the LDAP server starts, the configuration and policy entries that do not exist are created with each attribute assigned to its default value. If an attribute value is deleted, the default value is used. The deleting and renaming of advanced replication configuration entries is only supported when useAdvancedReplication off is specified in the CDBM backend. The deleting of the cn=pwdpolicy,cn=ibmpolicies entry is only supported when the server compatibility is set to less than 6.

This section contains information about the entries that exist under the cn=configuration and cn=ibmpolicies suffixes and the attribute values in these entries that affect the configuration of the LDAP server.

cn=configuration

This is a container entry that is used to define dynamic configuration attributes. Table 1 describes the attributes in this entry.

Table 1. cn=configuration entry attribute descriptions
Attribute description and default
cn

Specifies the common name of the configuration entry. This attribute is never interpreted by the server.

Default: Configuration

ibm-slapdSAFSecurityDomain
Specifies the high-level component of the resource profile names that are used to define LDAP-related information in the z/OS® security manager. This high-level qualifier is used to define administrative roles in the z/OS security manager. It is also used for securing LDAP server console operator commands. The value cannot contain a blank, comma, parenthesis, semicolon, asterisk, percent sign, or ampersand. Since resource profile names are limited to 246 bytes in length, this value must be short enough so that the generated profile names for the functions you use adhere to the limit. The maximum length of this value is as follows:
  • 228 bytes if you use administrative roles. The LDAP server will not allow a length longer than 228.
  • 227 bytes if you are securing LDAP server operator commands.
You should limit the length of this attribute to 100 bytes to allow for future LDAP server enhancements which could generate longer profile names and reduce the acceptable length of this attribute.

See Administrative group and roles for more information about configuring administrative roles in the z/OS security manager. See Additional setup for LDAP console commands for more information about securing the LDAP server console operator commands.

Default: GLDSEC

ibm-slapdAdminGroupEnabled

A boolean (true or false) used to specify if the administrative group is currently enabled. If set to true and the server compatibility level is 7 or greater, the administrative group is enabled and the LDAP root administrator can delegate server administration authority. If set to false, the administrative group cannot be enabled in the LDAP server.

Default: false

Note: This is a user-modifiable operational attribute and is only returned on a search request when specifically listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.

ibm-slapdPagedResAllowNonAdmin

A boolean (true or false) used to indicate whether the server allows non-administrators to request paged search results. If set to true, the server accepts any paged search request, including those submitted by a user binding anonymously. If set to false, the server only accepts paged search requests submitted by a user with administrator authority. In this case, the criticality of the pagedResults server control determines how the server handles a paged search request from non-administrator users. If the control is specified as critical, the request is rejected with an LDAP_INSUFFICIENT_ACCESS return code. If the control is specified as non-critical, the search is performed, but all results are returned without paging.

The ibm-slapdPagedResLmt attribute must be set to a value greater than zero to enable paged search results.

Default: false

Note: This is a user-modifiable operational attribute and is only returned on a search request when specifically listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.

ibm-slapdPagedResLmt

Specifies the maximum number of outstanding paged search requests allowed simultaneously on a single connection. If the maximum number of outstanding paged search requests is exceeded, the criticality of the pagedResults server control determines how the server handles the paged search request. If the control is specified as critical, the request is rejected with an LDAP_ADMIN_LIMIT_EXCEEDED return code. If the control is specified as non-critical, the search is performed but all results are returned without paging.

The value must be between 0 and the maximum integer size. A value of 0 indicates that paged search results are not supported.

Default: 0

Note: This is a user-modifiable operational attribute and is only returned on a search request when specifically listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.

ibm-slapdServerID

Specifies a short descriptive name of this server in an advanced replication environment. This server name is used when configuring the relationships among LDAP servers in an advanced replication environment and therefore a unique ibm-slapdServerID value is chosen for each server in the replication topology. This value is displayed as the ibm-serverID attribute value in the root DSE entry.

The ibm-slapdServerID value is used in the replica subentry attribute ibm-replicaServerID, therefore, this value cannot be modified once replica subentries are created in the directory. This value cannot be deleted if advanced replication is configured.

Default: A randomly generated value, in the same format as an ibm-entryUUID attribute value, that is created when the CDBM backend is first initialized.

ibm-slapdSortKeyLimit

Specifies the maximum number of sort keys that can be included on a single sorted search request. If the maximum number of sort keys is exceeded, the criticality of the SortKeyRequest server control determines how the server handles the sorted search request. If the control is specified as critical, the request is rejected with an LDAP_UNAVAILABLE_CRITICAL_EXTENSION return code. If the control is specified as non-critical, the search is performed, but unsorted results are returned and an LDAP_ADMIN_LIMIT_EXCEEDED sort result code is returned in the SortKeyResponse server control.

The value must be between 0 and the maximum integer size. A value of 0 indicates that sorted search results are not supported.

Default: 0

Note: This is a user-modifiable operational attribute and is only returned on a search request when specifically listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.

ibm-slapdSortSrchAllowNonAdmin

A boolean (true or false) used to indicate whether the server allows non-administrators to request sorted search results. If set to true, the server accepts any sorted search request, including those submitted by a user binding anonymously. If set to false, the server only processes sorted search requests submitted by a user with administrator authority. In this case, the criticality of the SortKeyRequest server control determines how the server handles a sorted search request from non-administrator users. If the control is specified as critical, the request is rejected with an LDAP_UNAVAILABLE_CRITICAL_EXTENSION return code. If the control is specified as non-critical, the search is performed but unsorted results are returned and an LDAP_INSUFFICIENT_ACCESS sort result code is returned in the SortKeyResponse server control.

The ibm-slapdSortKeyLimit attribute must be set to a value greater than zero to enable sorted search results.

Default: false

Note: This is a user-modifiable operational attribute and is only returned on a search request when specifically listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.
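The paged and sorted search rules in Table 1, modelled as an added example (not IBM's code) so that a proposed change to cn=configuration can be checked before it is applied with ldapmodify. The order in which the server checks authority and the limit is an assumption; the attribute names and return codes are the ones described above.

```python
# Added example (not IBM code): Table 1 rules modelled so a change can be pre-checked.
from dataclasses import dataclass

SAF_FORBIDDEN = set(" ,();*%&")  # characters ibm-slapdSAFSecurityDomain may never contain

def check_saf_security_domain(value, admin_roles=True, console_cmds=True):
    """Return the documented constraint violations for a proposed value."""
    problems = []
    bad = sorted(SAF_FORBIDDEN & set(value))
    if bad:
        problems.append(f"forbidden characters {bad}")
    n = len(value.encode("utf-8"))  # all limits are stated in bytes
    if admin_roles and n > 228:
        problems.append("over 228 bytes (administrative roles)")
    if console_cmds and n > 227:
        problems.append("over 227 bytes (console operator commands)")
    if n > 100:
        problems.append("over the recommended 100 bytes")
    return problems

@dataclass
class SearchConfig:
    paged_res_lmt: int = 0               # ibm-slapdPagedResLmt
    paged_allow_non_admin: bool = False  # ibm-slapdPagedResAllowNonAdmin
    sort_key_limit: int = 0              # ibm-slapdSortKeyLimit
    sort_allow_non_admin: bool = False   # ibm-slapdSortSrchAllowNonAdmin

def paged_search(cfg, is_admin, critical, outstanding):
    """Handling of a pagedResults request when 'outstanding' paged searches are
    already open on the connection. Authority before limit is an assumption."""
    if not (is_admin or cfg.paged_allow_non_admin):
        return "rejected LDAP_INSUFFICIENT_ACCESS" if critical else "unpaged"
    if outstanding >= cfg.paged_res_lmt:  # a limit of 0 disables paging
        return "rejected LDAP_ADMIN_LIMIT_EXCEEDED" if critical else "unpaged"
    return "paged"

def sorted_search(cfg, is_admin, critical, num_keys):
    """Handling of a SortKeyRequest: (result, SortKeyResponse sort result code)."""
    rejected = ("rejected LDAP_UNAVAILABLE_CRITICAL_EXTENSION", None)
    if not (is_admin or cfg.sort_allow_non_admin):
        return rejected if critical else ("unsorted", "LDAP_INSUFFICIENT_ACCESS")
    if num_keys > cfg.sort_key_limit:  # a limit of 0 disables sorting
        return rejected if critical else ("unsorted", "LDAP_ADMIN_LIMIT_EXCEEDED")
    return ("sorted", None)

def modify_ldif(cfg):
    """LDIF an LDAP root administrator would feed to ldapmodify for these settings."""
    lines = ["dn: cn=configuration", "changetype: modify"]
    for attr, val in (("ibm-slapdPagedResLmt", cfg.paged_res_lmt),
                      ("ibm-slapdPagedResAllowNonAdmin", cfg.paged_allow_non_admin),
                      ("ibm-slapdSortKeyLimit", cfg.sort_key_limit),
                      ("ibm-slapdSortSrchAllowNonAdmin", cfg.sort_allow_non_admin)):
        lines += [f"replace: {attr}", f"{attr}: {str(val).lower()}", "-"]
    return "\n".join(lines) + "\n"
```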

cn=Replication,cn=configuration

This entry is used to configure many aspects of advanced replication such as the maximum number of pending or failed replication changes displayed for a replication agreement. See Advanced replication for more information.

Table 2. cn=Replication,cn=configuration entry attribute descriptions
Attribute description and default
cn

Specifies the common name of the configuration entry. This attribute does not affect advanced replication configuration.

Default: Replication

ibm-replicationOnHold

A boolean (true or false) used to indicate whether replication is suspended from all replication agreements in the server. If set to true, replication from all replication agreements is suspended and updates are queued. If set to false, replication updates are handled normally by each replication agreement.

Default: false

ibm-slapdMaxPendingChangesDisplayed

Specifies the maximum number of pending replication changes and the maximum number of failed replication changes that are displayed when searching a replication agreement on a supplier server. Increase this value if more pending and failed changes must be displayed for each replication agreement. The pending replication changes are stored in the replication agreement entry in the ibm-replicationPendingChanges multi-valued operational attribute. The failed replication changes are stored in the ibm-replicationFailedChanges multi-valued operational attribute. See Table 2 for more information about these operational attributes.

The value must be between 0 and the maximum integer size. A value of 0 indicates that no pending changes are displayed for each replication agreement.

Default: 200

ibm-slapdReplConflictMaxEntrySize

Specifies the maximum length (in bytes) for all attribute values in an entry for replication conflict resolution to occur. If a replication conflict occurs on the consumer server and the total attribute value length for all values in an entry is less than or equal to this number, the entry is resent to the consumer server to automatically correct the replication conflict. Otherwise, the entry is not resent to the consumer server. This value applies to each replication agreement in the server.

Increase this value when large entries are modified so that out of sync conditions between a supplier and consumer server can be resolved automatically with conflict resolution. If automatic replication conflict resolution support is not wanted, set this value to a small number.

The value must be between 0 and the maximum integer size. A value of 0 indicates that all entries are resent to the consumer server regardless of the size of the entry.

Default: 0

ibm-slapdReplContextCacheSize

Specifies the maximum size of each advanced replication context cache, in bytes. An advanced replication context cache is used to store pending replication updates for each replication context in the server. This cache reduces the number of queries to the backends to find the same information. Increase the size of the cache when replicating more and larger entries, such as large group entries.

This value must be between 0 and the maximum integer size. A value of 0 indicates that there are no replication context caches in the server.

Default: 100000

ibm-slapdReplMaxErrors

Specifies the maximum number of advanced replication failures that are logged for each backend in the server. If there are multiple replication agreement entries in a backend, each agreement shares the maximum number of replication failures allowed for the backend. The failed replication changes are stored in the replication agreement entry in the ibm-replicationFailedChanges multi-valued operational attribute. When the number of replication failures exceeds this value, advanced replication for this agreement stalls. See Monitoring and diagnosing advanced replication problems for more information about recovering from out of sync and stall conditions.

This value must be between -1 and the maximum integer size. A value of 0 indicates that advanced replication failures are not logged for any replication agreements, therefore, replication stalls at the first failed replication update. A value of -1 indicates that an unlimited number of advanced replication failures are logged for all replication agreements.

Default: 0

ibm-slapdReplRestrictedAccess

A boolean (true or false) used to control access to replication topology entries (replication contexts, groups, subentries, and agreements). This attribute provides a way to limit access to the replication topology entries in the LDAP server. If set to true, only LDAP root, directory data, or replication administrators, and the master server DN have access to replication topology entries. If set to false, non-administrator users must have the proper authority to access the replication topology entries.

Default: false

Note: This is a user-modifiable operational attribute and is only returned on a search request when listed in the list of return attribute types or a '+' is specified in the list of returned attribute types.

ibm-slapdReplicateSecurityAttributes

Enables replication of security attributes between the read-only replica and master so that password policy for account lockout can be enforced in replication topologies.

Note: This capability is only supported for bind operations that use simple authentication, and authentication that is done with compare operations that involve the userPassword attribute.

Default: false
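An added example, not from the product, that reads an ldapsearch-style LDIF export of cn=Replication,cn=configuration and reports values outside the ranges in Table 2 together with settings whose documented effect (stall at the first failure, unlimited failure logging, unrestricted access to topology entries) an administrator should confirm is intended. The sample entry is constructed, and the 32-bit "maximum integer size" is an assumption.

```python
# Added example (not IBM code): audit an LDIF export of the replication entry.

# Constructed sample of the entry as ldapsearch would return it (not real output).
SAMPLE_LDIF = """dn: cn=Replication,cn=configuration
cn: Replication
ibm-replicationOnHold: false
ibm-slapdMaxPendingChangesDisplayed: 200
ibm-slapdReplConflictMaxEntrySize: 0
ibm-slapdReplContextCacheSize: 100000
ibm-slapdReplMaxErrors: -1
ibm-slapdReplRestrictedAccess: false
"""

MAX_INT = 2**31 - 1  # "maximum integer size"; assumed to be a signed 32-bit limit
RANGES = {  # attribute -> (minimum, maximum) as documented in Table 2
    "ibm-slapdMaxPendingChangesDisplayed": (0, MAX_INT),
    "ibm-slapdReplConflictMaxEntrySize": (0, MAX_INT),
    "ibm-slapdReplContextCacheSize": (0, MAX_INT),
    "ibm-slapdReplMaxErrors": (-1, MAX_INT),
}

def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, single-valued attributes, no line wrapping."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
    return entry

def audit_replication_entry(text):
    """Return findings: out-of-range values and settings worth confirming."""
    e = parse_ldif_entry(text)
    findings = []
    for attr, (lo, hi) in RANGES.items():
        raw = e.get(attr.lower())
        if raw is None:
            continue  # a deleted value means the server uses the default
        v = int(raw)
        if not lo <= v <= hi:
            findings.append(f"{attr}={v} outside {lo}..{hi}")
    if e.get("ibm-replicationonhold") == "true":
        findings.append("replication suspended on all agreements; updates are queued")
    if e.get("ibm-slapdreplmaxerrors") == "0":
        findings.append("ibm-slapdReplMaxErrors=0: replication stalls at the first failed update")
    elif e.get("ibm-slapdreplmaxerrors") == "-1":
        findings.append("ibm-slapdReplMaxErrors=-1: failures are logged without limit")
    if e.get("ibm-slapdreplconflictmaxentrysize") == "0":
        findings.append("conflict resolution resends entries of any size")
    if e.get("ibm-slapdreplcontextcachesize") == "0":
        findings.append("no replication context caches in the server")
    if e.get("ibm-slapdreplrestrictedaccess") != "true":
        findings.append("topology entries are readable by any user the ACLs permit")
    return findings
```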

cn=Log Management,cn=Configuration

This is a container entry that does not contain any attribute values that affect the configuration of the LDAP server.

cn=Replication,cn=Log Management,cn=Configuration

This entry is used by advanced replication to specify the location of the lost and found log file. See Advanced replication for more information.

Table 3. cn=Replication,cn=Log Management,cn=Configuration entry attribute descriptions
Attribute description and default
cn

Specifies the common name of the configuration entry. This attribute does not affect advanced replication configuration.

Default: Replication

ibm-slapdLog

Specifies the z/OS UNIX System Services file name and directory location for the lost and found log file. The lost and found log file is created by the consumer server the first time a replication conflict occurs. Any entries that are deleted because of a replication conflict are stored in LDIF format in this file. The directory path that is specified in this attribute value must exist before the file is created, otherwise replication conflicts are not written to the lost and found log file.

This value cannot be deleted when advanced replication is configured. If this value is modified, the original value is still used until the LDAP server is restarted.

Default: /var/ldap/logs/lostandfound.log

cn=admingroup,cn=configuration

This is a container entry that does not contain any attribute values that affect the configuration of the LDAP server.

cn=safadmingroup,cn=configuration

This entry is used to define administrative group members whose roles are defined in RACF®. Group members are added to the entry by adding the optional member attribute to the entry and roles are defined in RACF. See Administrative group and roles for more information.

Table 4. cn=safadmingroup,cn=configuration entry attribute descriptions
Attribute description and default
cn

A required attribute that specifies the common name of the SAF administrative group entry. This attribute does not affect administrative role processing.

Default: safadmingroup

member

An optional attribute that specifies a distinguished name (DN) leading to a SAF user ID. Examples of these DNs are: SDBM entries, DNs from an SSL client certificate, DN of a TDBM or LDBM entry participating in native authentication, and a Kerberos mapped DN.

This DN is checked against each administrative role defined in the LDAP general resource class in RACF to see if the user has READ authority to the profile. If the user has READ access to the profile, the user is granted that administrative role.

Default: none

cn=ibmpolicies

This is a container entry that does not contain any attribute values that affect the configuration of the LDAP server.

cn=pwdpolicy,cn=ibmpolicies

This entry is used to configure the global password policy. When the global password policy is activated, this policy applies to all entries that have passwords stored in the LDBM, TDBM, and CDBM backends unless there is an overriding individual or group password policy in effect. See Table 1 for the attribute descriptions of the cn=pwdpolicy,cn=ibmpolicies entry and the default values in this entry.