Using extended operations to access Policy Director data

The extended operations (EXOP) backend, the GetDnForUserid and GetPrivileges extended operations, and the IBMLdapProxyControl are deprecated.

The extended operations (EXOP) backend supports two extended operations that open a connection to the target LDAP server to access z/OS® Policy Director data. The IBMLdapProxyControl determines the target LDAP server. To set the target LDAP server when using z/OS Policy Director, use the RACF® PROXY segment. See z/OS Security Server RACF Security Administrator's Guide for more information.

The LDAP extended operations are GetDnForUserid and GetPrivileges. These extended operations are generated when an application on z/OS calls the AZN APIs. When the EXOP backend receives a request for either of these two operations, it uses the required IBMLdapProxyControl to open an LDAP connection to a target LDAP server that has been set up to store Policy Director data. Then, depending on the request, the EXOP backend issues LDAP requests to the target server to retrieve the appropriate data.