SDBM search capabilities

SDBM supports a limited set of search filters. The following table describes each supported filter. It also indicates from what bases it is valid, what type of entries it returns (a complete entry or entries that contain the DN of the entry), and what RACF® commands are issued to perform the search. Most searches can only be performed from one of these top entries: the suffix entry, the profiletype=user,suffix entry, the profiletype=group,suffix entry, the profiletype=connect,suffix entry, and the profiletype=class,suffix entries.

Table 1. SDBM search filters
Filter Search behavior
krbprincipalname=any_value
Description
Find user profile for the RACF user whose KERB KERBNAME value is any_value.
Allowed base
suffix
profiletype=user,suffix
Returns
Complete entry.
Commands
  • R_usermap
  • Followed by R_admin user profile extract
objectclass=*
Description
Match any user, group, connection, resource profile, and setropts.
Allowed base
Any SDBM entry
Returns
  • DN-only entries if scope includes all users, groups, connections, resource profiles, or setropts.
  • Complete entry if scope includes a single entry.
Commands
  • If scope includes all users:
    search class(user) filter(*)
  • If scope includes all groups:
    search class(group) filter(*)
  • If scope includes all connections:
    • search class(group) filter(*)
    • Followed by R_admin group profile extract for each group.
  • If scope includes all classes:
    • RACROUTE STAT to retrieve all class names
    • Followed by search class(className) filter(**) for each class
  • If scope includes a specific class:
    • RACROUTE STAT to determine if the class exists
    • Followed by search class(className) filter(**) for the class
  • If scope includes a single user:
    R_admin user profile extract
  • If scope includes a single group:
    R_admin group profile extract
  • If scope includes a single connection:
    R_admin connect profile extract
  • If scope includes a single resource:
    R_admin resource profile extract  
  • If scope includes just the cn=setropts entry:
    R_admin setropts extract
profilename=any_value
Description
Find the RACF general resource profiles whose names match any_value (can contain wildcards)

RACF profile names might be case-sensitive, depending on the class.

Allowed base
suffix
profiletype=className,suffix
Returns
DN-only entries
Commands
  • If scope includes all classes:
    • RACROUTE STAT to retrieve all class names
    • Followed by search class(className) filter(any_value) for each class
  • If scope includes a single class:
    • RACROUTE STAT to determine if the class exists
    • Followed by search class(className) filter(any_value) for the class
racfgroupid=any_value
Description
Find connection profiles for members of the RACF groups whose names match any_value (can contain wildcards)
Allowed base
suffix
profiletype=connect,suffix
Returns
DN-only entries
Commands
  • If no wildcard in any_value:
    R_admin group profile extract
  • If wildcard in any_value:
    • search class(group) filter(any_value)
    • Followed by R_admin group profile extract for each group
racfid=any_value
Description
Find user and group profiles for the RACF users and groups whose names match any_value (can contain wildcards)
Allowed base
suffix
profiletype=user,suffix
profiletype=group,suffix
Returns
DN-only entries
Commands
  • If scope includes all users:
    search class(user) filter(any_value)
  • If scope includes all groups:
    search class(group) filter(any_value)
racflnotesshortname=any_value
Description
Find user profile for the RACF user whose LNOTES SNAME value is any_value
Allowed base
suffix
profiletype=user,suffix
Returns
Complete entry.
Commands
  • R_usermap
  • Followed by R_admin user profile extract
racfndsusername=any_value
Description
Find user profile for the RACF user whose NDS UNAME value is any_value
Allowed base
suffix
profiletype=user,suffix
Returns
Complete entry.
Commands
  • R_usermap
  • Followed by R_admin user profile extract
racfomvsgroupid=number
Description
Find group profile for one of the RACF groups whose OMVS GID values match number
Allowed base
suffix
profiletype=group,suffix
Returns
Complete entry.
Commands
  • getgrgid(number)
  • Followed by R_admin group profile extract
racfomvsgroupid;allOMVSids=number
Description
Find group profiles for all the RACF groups whose OMVS GID values match number
Allowed base
suffix
profiletype=group,suffix
Returns
DN-only entries
Commands
search class(group) gid(number)
racfomvsuid=number
Description
Find user profile for one of the RACF users whose OMVS UID values match number.
Allowed base
suffix
profiletype=user,suffix
Returns
Complete entry.
Commands
  • getpwuid(number)
  • Followed by R_admin user profile extract
racfomvsuid;allOMVSids=number
Description
Find user profiles for all the RACF users whose OMVS UID values match number.
Allowed base
suffix
profiletype=user,suffix
Returns
DN-only entries.
Commands
search class(user) uid(number)
racfuserid=any_value
Description
Find connection profiles for RACF users whose names match any_value (can contain wildcards).
Allowed base
suffix
profiletype=connect,suffix
Returns
DN-only entries
Commands
  • If no wildcard in any_value:
    R_admin user profile extract
  • If wildcard in any_value:
    • search class(user) filter(any_value)
    • Followed by R_admin user profile extract for each user
(&(racfuserid=any_value1)
(racfgroupid=any_value2))
Description
Find connection profiles for RACF users whose names match any_value1 and who belong to RACF groups whose names match any_value2 (both can contain wildcards)
Allowed base
suffix
profiletype=connect,suffix
Returns
DN-only entries
Commands
  • If no wildcard in any_value1:
    R_admin user profile extract
  • If no wildcard in any_value2:
    R_admin group profile extract
  • If wildcard in both any_value1 and any_value2:
    • search class(group) filter(any_value2)
    • Followed by R_admin group profile extract for each group

Except for the AND filter for connections, complex search filters that include NOT, AND, OR, LE, or GE constructs are not supported.

The values for the profilename, racfgroupid, racfid, and racfuserid filters can include the wildcards supported by RACF. These wildcards are '*' which represents any number of characters, and '%' which represents one character. For example:
(&(racfuserid=usr*)(racfgroupid=*grp))
searches for all the connections between users whose names begin with usr and groups whose names end with grp.
To include multiple levels of qualifiers in a resource profile name search, include either \** or *\* in the profilename filter. For example, profilename=XYZ.\** searches for all resource profiles that have XYZ as the first qualifier. Do not use ** in the filter because this is not a valid LDAP filter. The result of a search with the filter profilename=** is:
ldap_search: Protocol error
ldap_search: additional info: R010043 Substring filter for attribute 'profilename' has no value

Although an * or ** can be part of a resource profile name, there is no way to indicate in the profilename filter that an asterisk or double asterisk is part of the name rather than a wildcard. For example, a search using a filter such as profilename=ABC* returns all profile names beginning with ABC, including the ABC* profile (if it exists).

Note: The values must comply with the RACF naming convention. For more information, see z/OS Security Server RACF Security Administrator's Guide.

Searching universal groups

Most of the members of a RACF universal group are not contained in the list of members of the group. As a result, a search of the entry for a universal group does not return most of the members of the group. In addition, a search for the connection entry corresponding to a member of a universal group can return different results depending on the connection search filter that is used:
  • If the racfuserid part of the connection search filter does not contain a wildcard, then the connection entry is returned for the specified racfuserid.
  • If the racfuserid part of the connection search filter contains a wildcard, then the connection entry for a user is returned only if the user is explicitly contained in the list of members of the universal group.

Searching the entire RACF database

Most searches that query the entire RACF database, for example, a subtree search from any of the top directory entries except the setropts entry, return only the DN (distinguished name) attribute. You can then obtain more specific data about a particular user, group, connection, or resource with a follow-up search that uses the specific DN as the search base.

The exceptions to this are searches using the application ID filters:
krbprincipalname=<any_value>
racflnotesshortname=<any_value>
racfndsusername=<any_value>
racfomvsgroupid=<number>
racfomvsuid=<number>
Because these searches can match only a single RACF user, the entire user entry is returned in the search results.

RACF restriction on amount of output

When processing certain LDAP search requests, SDBM uses the RACF R_admin "run command" interface to issue RACF search commands. The R_admin "run command" interface limits the number of records in its output to 4096. This means that the RACF search command output might be incomplete if you have many users, groups, connections, or resources. See z/OS Security Server RACF Callable Services for more information on this RACF restriction. The restriction only affects those SDBM searches that issue the RACF search command. See Table 1 to determine which SDBM searches are affected.
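The following is an added example, not code from IBM or the z/OS LDAP server: a pre-flight check that classifies an SDBM filter string against Table 1 and the filter rules above, reporting what the search returns (complete entry or DN-only), whether SDBM will issue a RACF search command (so the result is subject to the 4096-record R_admin limit), and flagging the invalid profilename=** case and unsupported compound filters. The AND connection filter is recognized in the order Table 1 lists it (racfuserid first); the sample filter values are constructed.

```python
import re

# Filters whose single match makes SDBM return the complete entry (Table 1).
COMPLETE = {"krbprincipalname", "racflnotesshortname", "racfndsusername",
            "racfomvsgroupid", "racfomvsuid"}
# Filters whose values may carry the RACF wildcards '*' and '%'.
WILDCARD_OK = {"profilename", "racfgroupid", "racfid", "racfuserid"}
SIMPLE = re.compile(r"^\(?([A-Za-z;]+)=([^()=]+)\)?$")
CONNECT_AND = re.compile(r"^\(&\(racfuserid=([^()]+)\)\(racfgroupid=([^()]+)\)\)$")


def has_wildcard(value):
    return "*" in value or "%" in value


def classify(filt):
    """Return (returns, racf_search_issued, note) for an SDBM filter string.

    racf_search_issued is True when Table 1 shows a RACF 'search' command for
    the filter, i.e. when output may be truncated at 4096 records.
    """
    m = CONNECT_AND.match(filt)
    if m:
        user, group = m.groups()
        # Table 1: a search command is issued only when both parts have wildcards.
        return ("dn-only", has_wildcard(user) and has_wildcard(group),
                "connection AND filter")
    m = SIMPLE.match(filt)
    if not m:
        return ("unsupported", False,
                "NOT, OR, LE, GE and other compound filters are not supported")
    attr, value = m.group(1).lower(), m.group(2)
    if attr == "objectclass" and value == "*":
        return ("scope-dependent", True, "DN-only unless the base is a single entry")
    if attr == "profilename" and value == "**":
        return ("error", False, "R010043: substring filter has no value; use \\** instead")
    if attr in COMPLETE:
        return ("complete", False, "R_usermap/getpwuid/getgrgid then R_admin extract")
    if attr.endswith(";allomvsids"):
        return ("dn-only", True, "search class(...) uid/gid(number)")
    if attr in WILDCARD_OK:
        # profilename and racfid always issue a search; racfuserid/racfgroupid
        # only when the value contains a wildcard.
        needs_search = attr in {"profilename", "racfid"} or has_wildcard(value)
        return ("dn-only", needs_search,
                "RACF search command" if needs_search else "R_admin extract only")
    return ("unsupported", False, f"{attr} is not an SDBM search filter")


if __name__ == "__main__":
    for f in ("(&(racfuserid=usr*)(racfgroupid=*grp))", "racfid=USR1",
              "racfomvsuid;allOMVSids=1000", "profilename=**"):
        print(f, "->", classify(f))
```

A filter reported as ("dn-only", True) is the case where a large RACF database can silently yield an incomplete result set.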

RACF restriction on amount of input

RACF limits the number of operands that are specified in RACF commands. If the number of operands surpasses this limit, RACF ignores some of the operands and processes the command. Therefore, an SDBM add or modify operation containing many attributes appears to run successfully but some of the attributes might not be set. For more information, see z/OS Security Server RACF Command Language Reference.

LDAP restriction on RACF data

Except for the RACF user password or password phrase envelopes, all field values sent by RACF to LDAP must consist of printable characters. If a RACF field contains unprintable characters, the value returned in the LDAP output does not match the RACF value and is not printable. If a RACF field contains binary zeros, the LDAP output might be truncated. In particular, make sure that the installation DATA field in RACF user and resource profiles does not contain binary zeros or other unprintable characters.