SDBM search capabilities
SDBM supports a limited set of search filters. The following table (Table 1) describes each supported filter. It also indicates the bases from which it is valid, the type of entries it returns (a complete entry, or entries that contain only the DN of the entry), and the RACF® commands that are issued to perform the search. Most searches can be performed only from one of these top entries: the suffix entry, the profiletype=user,suffix entry, the profiletype=group,suffix entry, the profiletype=connect,suffix entry, and the profiletype=class,suffix entries.
Table 1. SDBM search filters

Filter | Search behavior
---|---
krbprincipalname=any_value |
objectclass=* |
profilename=any_value |
racfgroupid=any_value |
racfid=any_value |
racflnotesshortname=any_value |
racfndsusername=any_value |
racfomvsgroupid=number |
racfomvsgroupid;allOMVSids=number |
racfomvsuid=number |
racfomvsuid;allOMVSids=number |
racfuserid=any_value |
(&(racfuserid=any_value1)(racfgroupid=any_value2)) |
Except for the AND filter for connections, complex search filters that include NOT, AND, OR, LE, or GE constructs are not supported.
The profilename, racfgroupid, racfid, and racfuserid filters can include the wildcards supported by RACF. These wildcards are '*', which represents any number of characters, and '%', which represents one character. For example, (&(racfuserid=usr*)(racfgroupid=*grp)) searches for all the connections between users whose names begin with usr and groups whose names end with grp.

The forms .\** or *\* can be used in the profilename filter. For example, profilename=XYZ.\** searches for all resource profiles that have XYZ as the first qualifier. Do not use ** in the filter because this is not a valid LDAP filter. The result of a search with the filter profilename=** is:
ldap_search: Protocol error
ldap_search: additional info: R010043 Substring filter for attribute 'profilename' has no value

Although an * or ** can be part of a resource profile name, there is no way to indicate in the profilename filter that an asterisk or double asterisk is part of the name rather than a wildcard. For example, a search using a filter such as profilename=ABC* returns all profile names beginning with ABC, including the ABC* profile (if it exists).
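As an added example (not code from the IBM documentation), the following Python helper checks a proposed search filter against the restrictions this section describes: the attributes of Table 1, the single permitted AND form for connections, no NOT/OR/LE/GE constructs, wildcards only where RACF allows them, and the invalid ** substring that produces the R010043 protocol error. The function names and messages are my own; an empty result means only that the filter does not violate one of these documented rules, not that RACF will find a matching profile.

```python
import re

# Filters SDBM accepts (Table 1); attribute names are compared case-insensitively.
SUPPORTED_ATTRS = {
    "krbprincipalname", "objectclass", "profilename", "racfgroupid", "racfid",
    "racflnotesshortname", "racfndsusername", "racfomvsgroupid",
    "racfomvsgroupid;allomvsids", "racfomvsuid", "racfomvsuid;allomvsids",
    "racfuserid",
}
# Only these value fields may carry the RACF wildcards '*' and '%'.
WILDCARD_ATTRS = {"profilename", "racfgroupid", "racfid", "racfuserid"}
# Table 1 gives these a numeric value (OMVS UID/GID).
NUMERIC_ATTRS = {a for a in SUPPORTED_ATTRS if a.startswith("racfomvs")}

_CONNECTION = re.compile(r"^\(&\(racfuserid=([^()]*)\)\(racfgroupid=([^()]*)\)\)$", re.I)
_SIMPLE = re.compile(r"^\(?([A-Za-z;]+)(>=|<=|~=|=)([^()]*)\)?$")


def _check_value(attr, value):
    problems = []
    literal_free = value.replace("\\*", "")   # drop LDAP-escaped asterisks first
    if "**" in literal_free:
        # Adjacent wildcards form a substring component with no value;
        # SDBM rejects this with "R010043 Substring filter ... has no value".
        problems.append("'**' is not a valid LDAP substring filter")
    if "*" in literal_free and attr not in WILDCARD_ATTRS and attr != "objectclass":
        problems.append(f"attribute '{attr}' does not accept wildcards")
    if attr in NUMERIC_ATTRS and not value.isdigit():
        problems.append(f"attribute '{attr}' requires a numeric value")
    return problems


def check_sdbm_filter(flt):
    """Return the list of restrictions the filter violates; [] means SDBM should accept it."""
    s = flt.strip()
    m = _CONNECTION.match(s)
    if m:
        # The one AND form SDBM supports: a connection search on racfuserid and racfgroupid.
        return _check_value("racfuserid", m.group(1)) + _check_value("racfgroupid", m.group(2))
    if s.startswith(("(&", "(|", "(!")):
        return ["AND/OR/NOT filters are not supported except the connection AND form"]
    m = _SIMPLE.match(s)
    if not m:
        return ["not a simple attribute=value filter"]
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    problems = []
    if op != "=":
        problems.append(f"comparison '{op}' (GE/LE/approx) is not supported")
    if attr not in SUPPORTED_ATTRS:
        problems.append(f"'{attr}' is not a supported SDBM search filter attribute")
    return problems + _check_value(attr, value)
```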
Searching universal groups
Most of the members of a RACF universal group are not contained in the list of members of the group. As a result, a search of the entry for a universal group does not return most of the members of the group. In addition, a search for the connection entry corresponding to a member of a universal group can return different results depending on the connection search filter that is used:
- If the racfuserid part of the connection search filter does not contain a wildcard, then the connection entry is returned for the specified racfuserid.
- If the racfuserid part of the connection search filter contains a wildcard, then the connection entry for a user is returned only if the user is explicitly contained in the list of members of the universal group.
Searching the entire RACF database
Most searches that query the entire RACF database (for example, a subtree search from any of the top directory entries except the setopts entry) return only the DN (distinguished name) attribute. You can then obtain more specific data about a particular user, group, connection, or resource with a follow-up search that uses a specific DN as the search base.

The exceptions are the following application ID filters:
krbprincipalname=<any_name>
racflnotesshortname=<any_value>
racfndsusername=<any_value>
racfomvsgroupid=<number>
racfomvsuid=<number>
Because these searches can match only a single RACF user, the entire user entry is returned in the search results.

RACF restriction on amount of output
When processing certain LDAP search requests, SDBM uses the RACF R_admin "run command" interface to issue RACF search commands. The R_admin "run command" interface limits the number of records in its output to 4096. This means that the RACF search command output might be incomplete if you have many users, groups, connections, or resources. See z/OS Security Server RACF Callable Services for information about this RACF restriction. The restriction affects only those SDBM searches that issue the RACF search command. See Table 1 to determine which SDBM searches are affected.
RACF restriction on amount of input
RACF limits the number of operands that can be specified in RACF commands. If the number of operands exceeds this limit, RACF ignores some of the operands and processes the command anyway. Therefore, an SDBM add or modify operation that contains many attributes appears to run successfully, but some of the attributes might not be set. For more information, see z/OS Security Server RACF Command Language Reference.
LDAP restriction on RACF data
Except for the RACF user password or password phrase envelopes, all field values sent by RACF to LDAP must consist of printable characters. If a RACF field contains unprintable characters, the value returned in the LDAP output does not match the RACF value and is not printable. If a RACF field contains binary zeros, the LDAP output might be truncated. In particular, make sure that the installation DATA field in RACF user and resource profiles does not contain binary zeros or other unprintable characters.