Associating LDAP attributes to RACF fields
- The fixed fields are defined by RACF. For each profile, these fields make up all the segments supported by SDBM (including the base segment) except the CSDATA segment.
- The custom fields are defined by customers. These fields make up the CSDATA segment in the profile.
Associating LDAP attributes to RACF fixed fields
The fields defined by RACF for user, group, connection, and resource profiles, and for class options (setropts) are mapped to predefined attributes in the LDAP schema. These LDAP attributes cannot be deleted or modified and the attribute names cannot be changed. The following tables show the RACF fixed field names and the associated LDAP attribute names for user profiles (Table 1), group profiles (Table 2), connection profiles (Table 3), resource profiles (Table 4) and setropts (Table 5). The RACF names in the table are the keywords used to set the field in RACF commands or used by RACF in display output (for display-only fields). Not all names apply to all versions of LDAP and RACF.
Table 1. RACF user profile fixed fields

RACF segment name | RACF keyword in altuser/adduser/listuser | LDAP attribute name |
---|---|---|
User base | ACTIVE or NOACTIVE | racfMFAFactorStatus |
User base | ADDCATEGORY | racfSecurityCategoryList |
User base | ADDPOLICY | racfMFAPolicy |
User base | Multi-value: ADSP, SPECIAL, OPERATIONS, GRPACC, AUDITOR, OIDCARD, UAUDIT, ROAUDIT, or any other one-word values, such as NOEXPIRED and NOOMVS | racfAttributes |
User base | AUTH - value is not displayed by LDAP | racfConnectGroupAuthority |
User base | CLAUTH | racfClassName |
User base | DFLTGRP | racfDefaultGroup |
User base | FACTOR | racfMFAFactor |
User base | GROUP | racfConnectGroupName |
User base | Not modifiable - displayed as LAST-ACCESS | racfLastAccess |
User base | NAME | racfProgrammerName |
User base | Not modifiable - displayed as PASSDATE | racfPasswordChangeDate |
User base | Not modifiable - displayed as PASS-INTERVAL | racfPasswordInterval |
User base | PASSWORD | racfPassword |
User base | password envelope - not modifiable | racfPasswordEnvelope |
User base | Not modifiable - displayed as PASSWORD ENVELOPED | racfHavePasswordEnvelope |
User base | password phrase envelope - not modifiable | racfPassPhraseEnvelope |
User base | PHRASE | racfPassPhrase |
User base | Not modifiable - displayed as PHRASEDATE | racfPassPhraseChangeDate |
User base | Not modifiable - displayed as PHRASE ENVELOPED | racfHavePassPhraseEnvelope |
User base | PWFALLBACK or NOPWFALLBACK | racfMFAPWFallback |
User base | RESUME | racfResumeDate |
User base | REVOKE | racfRevokeDate |
User base | SECLABEL | racfSecurityLabel |
User base | SECLEVEL | racfSecurityLevel |
User base | TAGS | racfMFAFactorTags |
User base | UACC - value is not displayed by LDAP | racfConnectGroupUACC |
User base | WHEN(DAYS()) | racfLogonDays |
User base | WHEN(TIME()) | racfLogonTime |
User base or Group base | Not modifiable - displayed as CREATED | racfAuthorizationDate |
User base or Group base | DATA | racfInstallationData |
User base or Group base | MODEL | racfDatasetModel |
User base or Group base | OWNER | racfOwner |
CICS® segment | OPCLASS | racfOperatorClass |
CICS segment | OPIDENT | racfOperatorIdentification |
CICS segment | OPPRTY | racfOperatorPriority |
CICS segment | RSLKEY | racfRslKey |
CICS segment | TIMEOUT | racfTerminalTimeout |
CICS segment | TSLKEY | racfTslKey |
CICS segment | XRFSOFF | racfOperatorReSignon |
DCE segment | AUTOLOGIN | racfDCEAutoLogin |
DCE segment | DCENAME | racfDCEPrincipal |
DCE segment | HOMECELL | racfDCEHomeCell |
DCE segment | HOMEUUID | racfDCEHomeCellUUID |
DCE segment | UUID | racfDCEUUID |
DFP segment - common to group or user | DATAAPPL | SAFDfpDataApplication |
DFP segment - common to group or user | DATACLAS | SAFDfpDataClass |
DFP segment - common to group or user | MGMTCLAS | SAFDfpManagementClass |
DFP segment - common to group or user | STORCLAS | SAFDfpStorageClass |
EIM segment | LDAPPROF | racfLDAPProf |
KERB segment | ENCRYPT | racfEncryptType |
KERB segment | KERBNAME | krbPrincipalName |
KERB segment | Not modifiable - displayed as KEY FROM | racfKerbKeyFrom |
KERB segment | Not modifiable - displayed as KEY VERSION | racfCurKeyVersion |
KERB segment | MAXTKTLFE | maxTicketAge |
LANGUAGE segment | PRIMARY | racfPrimaryLanguage |
LANGUAGE segment | SECONDARY | racfSecondaryLanguage |
LNOTES segment | SNAME | racfLNotesShortName |
NDS segment | UNAME | racfNDSUserName |
NETVIEW segment | CONSNAME | racfDefaultConsoleName |
NETVIEW segment | CTL | racfCTLKeyword |
NETVIEW segment | DOMAINS | racfDomains |
NETVIEW segment | IC | racfNetviewInitialCommand |
NETVIEW segment | MSGRECVR | racfMSGRCVRKeyword |
NETVIEW segment | NGMFADMN | racfNGMFADMKeyword |
NETVIEW segment | NGMFVSPN | racfNGMFVSPNKeyword |
NETVIEW segment | OPCLASS | racfNetviewOperatorClass |
User OMVS segment | ASSIZEMAX | racfOmvsMaximumAddressSpaceSize |
User OMVS segment | CPUTIMEMAX | racfOmvsMaximumCPUTime |
User OMVS segment | FILEPROCMAX | racfOmvsMaximumFilesPerProcess |
User OMVS segment | HOME | racfOmvsHome |
User OMVS segment | MEMLIMIT | racfOmvsMemoryLimit |
User OMVS segment | MMAPAREAMAX | racfOmvsMaximumMemoryMapArea |
User OMVS segment | PROCUSERMAX | racfOmvsMaximumProcessesPerUID |
User OMVS segment | PROGRAM | racfOmvsInitialProgram |
User OMVS segment | SHARED, AUTOUID | racfOmvsUidKeyword |
User OMVS segment | SHMEMMAX | racfOmvsSharedMemoryMaximum |
User OMVS segment | THREADSMAX | racfOmvsMaximumThreadsPerProcess |
User OMVS segment | UID | racfOmvsUid |
OPERPARM segment | ALTGRP | racfAltGroupKeyword |
OPERPARM segment | AUTH | racfAuthKeyword |
OPERPARM segment | AUTO | racfAutoKeyword |
OPERPARM segment | CMDSYS | racfCMDSYSKeyword |
OPERPARM segment | DOM | racfDOMKeyword |
OPERPARM segment | HC | racfHcKeyword |
OPERPARM segment | INTIDS | racfIntidsKeyword |
OPERPARM segment | KEY | racfKEYKeyword |
OPERPARM segment | LEVEL | racfLevelKeyword |
OPERPARM segment | LOGCMDRESP | racfLogCommandResponseKeyword |
OPERPARM segment | MFORM | racfMformKeyword |
OPERPARM segment | MIGID | racfMGIDKeyword |
OPERPARM segment | MONITOR | racfMonitorKeyword |
OPERPARM segment | MSCOPE | racfMscopeSystems |
OPERPARM segment | ROUTCODE | racfRoutcodeKeyword |
OPERPARM segment | STORAGE | racfStorageKeyword |
OPERPARM segment | UD | racfUDKeyword |
OPERPARM segment | UNKNIDS | racfUnknidsKeyword |
User OVM segment | FSROOT | racfOvmFileSystemRoot |
User OVM segment | HOME | racfOvmHome |
User OVM segment | PROGRAM | racfOvmInitialProgram |
User OVM segment | UID | racfOvmUid |
PROXY segment | BINDDN | racfLDAPBindDN |
PROXY segment | BINDPW - value is not displayed by LDAP | racfLDAPBindPw |
PROXY segment | LDAPHOST | racfLDAPHost |
TSO segment | ACCTNUM | SAFAccountNumber |
TSO segment | COMMAND | SAFDefaultCommand |
TSO segment | DEST | SAFDestination |
TSO segment | HOLDCLASS | SAFHoldClass |
TSO segment | JOBCLASS | SAFJobClass |
TSO segment | MAXSIZE | SAFMaximumRegionSize |
TSO segment | MSGCLASS | SAFMessageClass |
TSO segment | PROC | SAFDefaultLoginProc |
TSO segment | SECLABEL | SAFTsoSecurityLabel |
TSO segment | SIZE | SAFLogonSize |
TSO segment | SYSOUTCLASS | SAFDefaultSysoutClass |
TSO segment | UNIT | SAFDefaultUnit |
TSO segment | USERDATA | SAFUserdata |
WORKATTR segment | WAACCNT | racfWorkAttrAccountNumber |
WORKATTR segment | WAADDR1 | racfAddressLine1 |
WORKATTR segment | WAADDR2 | racfAddressLine2 |
WORKATTR segment | WAADDR3 | racfAddressLine3 |
WORKATTR segment | WAADDR4 | racfAddressLine4 |
WORKATTR segment | WABLDG | racfBuilding |
WORKATTR segment | WADEPT | racfDepartment |
WORKATTR segment | WANAME | racfWorkAttrUserName |
WORKATTR segment | WAROOM | racfRoom |
WORKATTR segment | WAEMAIL | racfEmail |

Table 2. RACF group profile fixed fields

RACF segment name | RACF keyword in altgroup/addgroup/listgrp | LDAP attribute name |
---|---|---|
Group base | SUPGROUP | racfSuperiorGroup |
Group base | Not modifiable - displayed as SUBGROUP(S) | racfSubGroupName |
Group base | TERMUACC | racfGroupNoTermUAC |
Group base | UNIVERSAL | racfGroupUniversal |
Group base | Not modifiable - displayed as USER(S) | racfGroupUserids |
User base or Group base | Not modifiable - displayed as CREATED | racfAuthorizationDate |
User base or Group base | DATA | racfInstallationData |
User base or Group base | MODEL | racfDatasetModel |
User base or Group base | OWNER | racfOwner |
DFP segment - common to group or user | DATAAPPL | SAFDfpDataApplication |
DFP segment - common to group or user | DATACLAS | SAFDfpDataClass |
DFP segment - common to group or user | MGMTCLAS | SAFDfpManagementClass |
DFP segment - common to group or user | STORCLAS | SAFDfpStorageClass |
Group OMVS segment | GID | racfOmvsGroupId |
Group OMVS segment | SHARED, AUTOGID | racfOmvsGroupIdKeyword |
Group OVM segment | GID | racfOvmGroupId |

Table 3. RACF connection profile fixed fields

RACF segment name | RACF keyword in connect | LDAP attribute name |
---|---|---|
Connection base | Multi-value: ADSP, AUDITOR, GRPACC, OPERATIONS, SPECIAL | racfConnectAttributes |
Connection base | AUTHORITY | racfConnectGroupAuthority |
Connection base | Not modifiable - displayed as CONNECT-DATE | racfConnectAuthDate |
Connection base | Not modifiable - displayed as CONNECTS | racfConnectCount |
Connection base | Not modifiable - displayed as LAST-CONNECT | racfConnectLastConnect |
Connection base | OWNER | racfConnectOwner |
Connection base | RESUME | racfConnectResumeDate |
Connection base | REVOKE | racfConnectRevokeDate |
Connection base | UACC | racfConnectGroupUACC |

Table 4. RACF resource profile fixed fields

RACF segment name | RACF keyword in rdefine/ralter/permit | LDAP attribute name |
---|---|---|
Resource base | Multi-value: SINGLEDSN, TVTOC, WARNING, or any other one-word values, such as NOKERB | racfResourceAttributes |
Resource base | ADDCATEGORY | racfSecurityCategoryList |
Resource base | ADDMEM | racfMemberList |
Resource base | ADDVOL | racfVolumeList |
Resource base | Not modifiable - displayed as ALTER COUNT | racfAlterAccessCount |
Resource base | APPLDATA | racfApplData |
Resource base | AUDIT | racfResourceAudit |
Resource base | Not modifiable - displayed as AUTOMATIC | racfAutomatic |
Resource base | Not modifiable - displayed as CONTROL COUNT | racfControlAccessCount |
Resource base | Not modifiable - displayed as CREATION DATE | racfAuthorizationDate |
Resource base | DATA | racfInstallationData |
Resource base | FCLASS, FGENERIC, FROM, FVOLUME - value is not displayed by LDAP | racfCopyProfileFrom |
Resource base | GLOBALAUDIT | racfResourceGlobalAudit |
Resource base | Not modifiable - displayed as LAST CHANGE DATE | racfLastReferenceDate |
Resource base | LEVEL | racfLevel |
Resource base | NOTIFY | racfNotify |
Resource base | OWNER | racfOwner |
Resource base | Not modifiable - displayed as READ COUNT | racfReadAccessCount |
Resource base | SECLABEL | racfSecurityLabel |
Resource base | SECLEVEL | racfSecurityLevel |
Resource base | TIMEZONE | racfTimeZone |
Resource base | UACC | racfUacc |
Resource base | Not modifiable - displayed as UPDATE COUNT | racfUpdateAccessCount |
Resource base | WHEN(DAYS()) | racfLogonDays |
Resource base | WHEN(TIME()) | racfLogonTime |
Resource base | Any of these PERMIT command keywords: ACCESS, DELETE, FCLASS, FGENERIC, FROM, FVOLUME, ID, RESET, WHEN | racfAccessControl |
CDTINFO segment | CASE | racfCdtinfoCase |
CDTINFO segment | DEFAULTRC | racfCdtinfoDefaultRc |
CDTINFO segment | DEFAULTUACC | racfCdtinfoDefaultUacc |
CDTINFO segment | FIRST | racfCdtinfoFirst |
CDTINFO segment | GENERIC | racfCdtinfoGeneric |
CDTINFO segment | GENLIST | racfCdtinfoGenList |
CDTINFO segment | GROUP | racfCdtinfoGroup |
CDTINFO segment | KEYQUALIFIERS | racfCdtinfoKeyQualifiers |
CDTINFO segment | MACPROCESSING | racfCdtinfoMacProcessing |
CDTINFO segment | MAXLENGTH | racfCdtinfoMaxLength |
CDTINFO segment | MAXLENX | racfCdtinfoMaxLengthX |
CDTINFO segment | MEMBER | racfCdtinfoMember |
CDTINFO segment | OPERATIONS | racfCdtinfoOperations |
CDTINFO segment | OTHER | racfCdtinfoOther |
CDTINFO segment | POSIT | racfCdtinfoPosit |
CDTINFO segment | PROFILESALLOWED | racfCdtinfoProfilesAllowed |
CDTINFO segment | RACLIST | racfCdtinfoRacList |
CDTINFO segment | SECLABELSREQUIRED | racfCdtinfoSecLabelsRequired |
CDTINFO segment | SIGNAL | racfCdtinfoSignal |
CFDEF segment | FIRST | racfCfdefFirst |
CFDEF segment | HELP | racfCfdefHelp |
CFDEF segment | LISTHEAD | racfCfdefListHead |
CFDEF segment | MAXLENGTH | racfCfdefMaxLength |
CFDEF segment | MAXVALUE | racfCfdefMaxValue |
CFDEF segment | MINVALUE | racfCfdefMinValue |
CFDEF segment | MIXED | racfCfdefMixed |
CFDEF segment | OTHER | racfCfdefOther |
CFDEF segment | TYPE | racfCfdefType |
DLFDATA segment | JOBNAMES | racfDlfdataJobNames |
DLFDATA segment | RETAIN | racfDlfdataRetain |
EIM segment | DOMAINDN | racfEimDomainDn |
EIM segment | KERBREGISTRY | racfEimKerbRegistry |
EIM segment | LOCALREGISTRY | racfEimLocalRegistry |
EIM segment | OPTIONS | racfEimOptions |
EIM segment | X509REGISTRY | racfEimX509Registry |
ICSF segment | ASYMUSAGE | racfIcsfAsymUsage |
ICSF segment | SYMCPACFRET | racfIcsfSymCpacfRet |
ICSF segment | SYMCPACFWRAP | racfIcsfSymCpacfWrap |
ICSF segment | SYMEXPORTABLE | racfIcsfSymExportable |
ICSF segment | SYMEXPORTCERTS | racfIcsfSymExportCerts |
ICSF segment | SYMEXPORTKEYS | racfIcsfSymExportKeys |
ICTX segment | DOMAP | racfIctxDoMap |
ICTX segment | MAPPINGTIMEOUT | racfIctxMappingTimeOut |
ICTX segment | MAPREQUIRED | racfIctxMapRequired |
ICTX segment | USEMAP | racfIctxUseMap |
KERB segment | DEFTKTLFE | racfKerbDefaultTicketLife |
KERB segment | ENCRYPT | racfEncryptType |
KERB segment | KERBNAME | krbPrincipalName |
KERB segment | Not modifiable - displayed as KEY VERSION | racfCurKeyVersion |
KERB segment | MAXTKTLFE | maxTicketAge |
KERB segment | MINTKTLFE | racfKerbMinTicketLife |
KERB segment | PASSWORD - value is not displayed by LDAP | racfKerbPassword |
MFPOLICY segment | FACTORS | racfMfpolicyFactors |
MFPOLICY segment | REUSE | racfMfpolicyReuse |
MFPOLICY segment | TOKENTIMEOUT | racfMfpolicyTokenTimeout |
PROXY segment | BINDDN | racfLDAPBindDn |
PROXY segment | BINDPW - value is not displayed by LDAP | racfLDAPBindPw |
PROXY segment | LDAPHOST | racfLDAPHost |
SESSION segment | CONVSEC | racfSessionConvSec |
SESSION segment | INTERVAL | racfSessionInterval |
SESSION segment | LOCK | racfSessionLock |
SESSION segment | SESSKEY | racfSessionSessKey |
SIGVER segment | FAILLOAD | racfSigverFailLoad |
SIGVER segment | SIGAUDIT | racfSigverSigAudit |
SIGVER segment | SIGREQUIRED | racfSigverSigRequired |
SSIGNON segment | KEYENCRYPTED - value is not displayed by LDAP | racfSsignonKeyEncrypted |
SSIGNON segment | KEYLABEL - value is not returned from RACF because of lack of support in the R_admin callable service | racfSsignonKeyLabel |
SSIGNON segment | KEYMASKED - value is not displayed by LDAP | racfSsignonKeyMasked |
STDATA segment | GROUP | racfStdataGroup |
STDATA segment | PRIVILEGED | racfStdataPrivileged |
STDATA segment | TRACE | racfStdataTrace |
STDATA segment | TRUSTED | racfStdataTrusted |
STDATA segment | USER | racfStdataUser |

Table 5. RACF class options (setropts) fixed fields

RACF segment name | RACF keyword in setropts | LDAP attribute name |
---|---|---|
Setropts base | Multi-value: REFRESH, WHEN(PROGRAM) | racfSetroptsAttributes |
Setropts base | AUDIT | racfAudit |
Setropts base | CLASSACT | racfClassAct |
Setropts base | GENCMD | racfGenCmd |
Setropts base | GENERIC | racfGeneric |
Setropts base | GENLIST | racfGenList |
Setropts base | GLOBAL | racfGlobal |
Setropts base | LOGOPTIONS(ALWAYS) | racfLogOptionsAlways |
Setropts base | LOGOPTIONS(DEFAULT) | racfLogOptionsDefault |
Setropts base | LOGOPTIONS(FAILURES) | racfLogOptionsFailures |
Setropts base | LOGOPTIONS(NEVER) | racfLogOptionsNever |
Setropts base | LOGOPTIONS(SUCCESSES) | racfLogOptionsSuccesses |
Setropts base | RACLIST | racfRacList |
Setropts base | STATISTICS | racfStatistics |

The values of the following attributes are SDBM DNs: racfNotify, racfGroupUserids, racfConnectGroupName, racfDefaultGroup, racfSubGroupName, racfSuperiorGroup, racfConnectOwner, racfOwner, racfStdataUser, racfStdataGroup, racfAudit, racfCdtinfoGroup, racfCdtinfoMember, racfClassAct, racfGenCmd, racfGeneric, racfGenList, racfGlobal, racfLogOptionsAlways, racfLogOptionsDefault, racfLogOptionsFailures, racfLogOptionsNever, racfLogOptionsSuccesses, racfRacList, and racfStatistics.

By default on search responses, these SDBM DN-type attribute values are returned in uppercase format (for example, RACFID=X,PROFILETYPE=USER,CN=SDBM, RACFID=Y,PROFILETYPE=GROUP,CN=SDBM, or PROFILENAME=TMP,PROFILETYPE=FACILITY,CN=SDBM). However, if the lowest order bit of the decimal bitmask specified in the LDAP_COMPAT_FLAGS environment variable is set to 1 (for example, 1, 3, or 5), these values are returned in mixed case format, for example racfid=X,profiletype=USER,cn=sdbm, racfid=Y,profiletype=GROUP,cn=sdbm, or profilename=TMP,profiletype=FACILITY,cn=sdbm. See LDAP_COMPAT_FLAGS environment variable for more information.
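The attribute names in Tables 1 to 5 are what you receive when you audit RACF through SDBM, and the DN-type values come back in either of the two case forms just described. The following script is an added example, not IBM code: it parses the LDIF an SDBM user search returns, flags users holding SPECIAL, OPERATIONS or AUDITOR in racfAttributes, users whose racfPasswordInterval exceeds a threshold, and users whose racfMFAFactorStatus is NOACTIVE, and resolves the DN-type racfDefaultGroup value whichever case form the server used. The LDIF, user IDs, group names and values are constructed for illustration; the search filter and base named in the docstring are assumptions.

```python
"""Audit RACF users from SDBM search output.

Added example, not IBM code. It assumes the LDIF below is what an
ldapsearch against "profiletype=USER,cn=sdbm" returns; the user IDs and
values are constructed for illustration.
"""
import re

# RACF user attributes that grant system-wide privilege (values of racfAttributes).
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}

# Constructed sample. ALICE's racfDefaultGroup is in the default uppercase DN form;
# BOB's is the mixed-case form returned when the low-order bit of LDAP_COMPAT_FLAGS
# is set. Both must resolve to the same kind of result.
SAMPLE_LDIF = """\
dn: racfid=ALICE,profiletype=USER,cn=sdbm
objectclass: racfUser
racfid: ALICE
racfAttributes: SPECIAL
racfAttributes: OPERATIONS
racfDefaultGroup: RACFID=SYS1,PROFILETYPE=GROUP,CN=SDBM
racfPasswordInterval: 30
racfMFAFactorStatus: ACTIVE

dn: racfid=BOB,profiletype=USER,cn=sdbm
objectclass: racfUser
racfid: BOB
racfDefaultGroup: racfid=DEPT2,profiletype=GROUP,cn=sdbm
racfPasswordInterval: 180
racfMFAFactorStatus: NOACTIVE
"""


def parse_ldif(text):
    """Split LDIF into entries: {attribute (lower-cased): [values]}.

    Attribute names are folded to lower case because LDAP attribute
    names are case-insensitive. Base64 ("::") values are not needed here.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def rdn_value(dn, attr):
    """Value of RDN component `attr` in an SDBM DN, upper-cased.

    The attribute type is matched case-insensitively, so
    "RACFID=X,PROFILETYPE=GROUP,CN=SDBM" and "racfid=X, profiletype=GROUP,cn=sdbm"
    yield the same answer.
    """
    for part in dn.split(","):
        name, _, value = part.partition("=")
        if name.strip().lower() == attr.lower():
            return value.strip().upper()
    return None


def audit_user(entry, max_interval=90):
    """Return (racfid, [findings]) for one parsed user entry."""
    uid = rdn_value(entry["dn"][0], "racfid")
    findings = []
    attrs = {v.upper() for v in entry.get("racfattributes", [])}
    findings += [f"privileged:{a}" for a in sorted(attrs & PRIVILEGED)]
    for v in entry.get("racfpasswordinterval", []):
        if v.isdigit() and int(v) > max_interval:   # non-numeric values are skipped
            findings.append(f"password-interval:{v}")
    if "NOACTIVE" in {v.upper() for v in entry.get("racfmfafactorstatus", [])}:
        findings.append("mfa:NOACTIVE")
    return uid, findings


def audit(ldif_text, max_interval=90):
    """Map each racfid to its findings."""
    return dict(audit_user(e, max_interval) for e in parse_ldif(ldif_text))


def default_groups(ldif_text):
    """Map each racfid to the group named by its DN-type racfDefaultGroup value."""
    return {rdn_value(e["dn"][0], "racfid"): rdn_value(e["racfdefaultgroup"][0], "racfid")
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    groups = default_groups(SAMPLE_LDIF)
    for uid, findings in audit(SAMPLE_LDIF).items():
        print(f"{uid:8} dfltgrp={groups[uid]:8} {', '.join(findings) or 'ok'}")
```

Because attribute names and DN attribute types are compared case-insensitively, the same script works whether or not LDAP_COMPAT_FLAGS has been set on the server; only the values themselves are compared, and those are upper-cased before comparison.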
Associating LDAP attributes to RACF custom fields
An LDAP attribute that represents a RACF custom field is defined by an attributeTypes value and an IBMAttributeTypes value in the LDAP schema:
- The attributeTypes value specifies the object identifier (OID), name, syntax, and equality rule of the attribute. The OID and name must not already be in use in the schema. The attribute name can be the same as the RACF custom field name, or it can be different. For example, if the custom field name is phone, the attribute name could be phone, workphone, or anything else that is not already in use. See Attribute types for more information about attributeTypes.
- The IBMAttributeTypes value must include the RACFFIELD keyword to identify the RACF custom field associated with the attribute. The RACFFIELD value specifies the resource profile name that is used to define the custom field in RACF, with periods (.) changed to dashes (-). For example, if the RACF custom field is defined by the USER.CSDATA.PHONE resource profile, RACFFIELD contains USER-CSDATA-PHONE. RACFFIELD also optionally specifies the type of the RACF custom field. The accepted values are char, flag, hex, num, and qchar. If the RACF custom field is defined with TYPE(CHAR) FIRST(ANY) OTHER(ANY), specify qchar in RACFFIELD so that SDBM puts the attribute value in quotation marks when it builds RACF commands. Otherwise, specify in RACFFIELD the same value that was used for TYPE when the custom field was defined in RACF. If no type value is specified in RACFFIELD, LDAP assumes that the custom field type is char. See Schema introduction for more information about IBMAttributeTypes.
For example, if the phone custom field is defined in the RACF user profile with TYPE(CHAR), the following attribute could be added to the LDAP schema to represent the custom field:

```
attributetypes: (
  phone-OID
  NAME 'phone'
  DESC 'Represents the PHONE field in the RACF user CSDATA segment'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  USAGE userApplications
  )
ibmattributetypes: (
  phone-OID
  ACCESS-CLASS sensitive
  RACFFIELD ('USER-CSDATA-PHONE' 'char')
  )
```
- A numeric OID can be used instead of the nonnumeric OID phone-OID.
- If the RACF custom field is defined to be case-sensitive (using MIXED(YES)), change the EQUALITY rule to EQUALITY caseExactMatch. Otherwise, compare operations can fail when mixed-case values are involved.
- The SYNTAX must be IA5 String (1.3.6.1.4.1.1466.115.121.1.26).
- All RACF custom fields have only a single value; therefore, SINGLE-VALUE is specified.
- The ACCESS-CLASS is 'sensitive' for most RACF attributes, but can be changed to 'critical' if the field contains data to which access is more restricted. SDBM does not use the ACCESS-CLASS value, but TDBM, LDBM, and CDBM do.
For completeness, add an object class to the LDAP schema to represent the CSDATA segment in each profile. SDBM always assumes that the object class names are racfUserCsdataSegment for the CSDATA segment in the user profile or racfGroupCsdataSegment for the CSDATA segment in the group profile. SDBM adds this object class to a user or group entry if the corresponding RACF profile contains the CSDATA segment.
For example, if the PHONE and SSN custom fields are defined in RACF for the user profile and the LDAP attributes phone and socialSecurityNumber are defined in the LDAP schema to represent the custom fields, the following object class should be added to the LDAP schema:

```
objectclasses: (
  racfUserCsdataSegment-OID
  NAME 'racfUserCsdataSegment'
  DESC 'Represents the CSDATA segment in a z/OS RACF USER profile'
  SUP top
  AUXILIARY
  MAY ( phone $ socialSecurityNumber )
  )
```

A numeric OID can be used instead of the nonnumeric OID racfUserCsdataSegment-OID.
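The rules above (RACFFIELD naming, the qchar case, the MIXED(YES) equality rule, the IA5 syntax, SINGLE-VALUE, and the racfUserCsdataSegment and racfGroupCsdataSegment object class names SDBM expects) are mechanical enough to generate rather than hand-type for every custom field. The following Python script is an added example, not IBM code; it emits the attributetypes, ibmattributetypes and objectclasses values for a list of custom fields. OID_ARC is a placeholder arc, the CustomField class and its helpers are this example's own, and the field definitions in the main block are constructed to match the PHONE and SSN example on this page.

```python
"""Generate SDBM schema definitions for RACF custom fields.

Added example, not IBM code. It applies the rules on this page: RACFFIELD
is the CFIELD profile name with periods changed to dashes; its type is
'qchar' for a CHAR field defined FIRST(ANY) OTHER(ANY), otherwise the
RACF TYPE value; EQUALITY is caseExactMatch for MIXED(YES) fields;
SYNTAX is always IA5 String; every attribute is SINGLE-VALUE; the object
class names are the ones SDBM expects. OID_ARC is a placeholder.
"""
from dataclasses import dataclass

IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
OID_ARC = "1.3.6.1.4.1.99999.1"              # placeholder: substitute your own arc
RACF_TYPES = {"char", "flag", "hex", "num"}  # TYPE() values a CFIELD can have
PROFILE_TYPES = {"USER", "GROUP"}            # profiles that carry a CSDATA segment


@dataclass
class CustomField:
    profile: str                      # CFIELD profile, e.g. "USER.CSDATA.PHONE"
    attr_name: str                    # LDAP attribute name; may differ from the field name
    cf_type: str = "char"             # TYPE() the field was defined with
    first_other_any: bool = False     # TYPE(CHAR) FIRST(ANY) OTHER(ANY)?
    mixed: bool = False               # MIXED(YES)?
    access_class: str = "sensitive"   # ignored by SDBM, honoured by TDBM/LDBM/CDBM

    def __post_init__(self):
        # Reject anything that is not USER.CSDATA.name or GROUP.CSDATA.name so a
        # typo cannot silently map the attribute to the wrong RACF field.
        parts = self.profile.upper().split(".")
        if len(parts) != 3 or parts[0] not in PROFILE_TYPES or parts[1] != "CSDATA":
            raise ValueError(f"expected USER.CSDATA.name or GROUP.CSDATA.name, got {self.profile!r}")
        if self.cf_type.lower() not in RACF_TYPES:
            raise ValueError(f"unknown CFIELD TYPE {self.cf_type!r}")

    @property
    def profile_type(self) -> str:
        return self.profile.upper().split(".")[0]

    @property
    def field_name(self) -> str:
        return self.profile.upper().split(".")[2]

    def racffield(self) -> str:
        """Profile name with '.' changed to '-', as RACFFIELD requires."""
        return self.profile.upper().replace(".", "-")

    def racffield_type(self) -> str:
        """'qchar' makes SDBM quote the value when it builds RACF commands."""
        t = self.cf_type.lower()
        return "qchar" if t == "char" and self.first_other_any else t


def attribute_definitions(field: CustomField, oid: str) -> tuple:
    """attributetypes and ibmattributetypes values for one custom field."""
    equality = "caseExactMatch" if field.mixed else "caseIgnoreMatch"
    attributetypes = (
        f"attributetypes: ( {oid} NAME '{field.attr_name}'\n"
        f"  DESC 'Represents the {field.field_name} field in the RACF "
        f"{field.profile_type.lower()} CSDATA segment'\n"
        f"  EQUALITY {equality} SYNTAX {IA5_STRING} SINGLE-VALUE USAGE userApplications )"
    )
    ibmattributetypes = (
        f"ibmattributetypes: ( {oid} ACCESS-CLASS {field.access_class}\n"
        f"  RACFFIELD ('{field.racffield()}' '{field.racffield_type()}') )"
    )
    return attributetypes, ibmattributetypes


def objectclass_definition(profile_type: str, attr_names: list, oid: str) -> str:
    """Auxiliary class SDBM attaches to entries whose profile has a CSDATA segment."""
    name = f"racf{profile_type.capitalize()}CsdataSegment"  # racfUserCsdataSegment / racfGroupCsdataSegment
    return (
        f"objectclasses: ( {oid} NAME '{name}'\n"
        f"  DESC 'Represents the CSDATA segment in a z/OS RACF {profile_type.upper()} profile'\n"
        f"  SUP top AUXILIARY MAY ( {' $ '.join(attr_names)} ) )"
    )


def build_schema(fields: list) -> str:
    """All definitions, sequential OIDs under OID_ARC, one object class per profile type."""
    lines, by_type, n = [], {}, 0
    for f in fields:
        n += 1
        lines.extend(attribute_definitions(f, f"{OID_ARC}.{n}"))
        by_type.setdefault(f.profile_type, []).append(f.attr_name)
    for ptype, names in by_type.items():
        n += 1
        lines.append(objectclass_definition(ptype, names, f"{OID_ARC}.{n}"))
    return "\n\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed field definitions matching the page's PHONE and SSN example.
    print(build_schema([
        CustomField("USER.CSDATA.PHONE", "phone"),
        CustomField("USER.CSDATA.SSN", "socialSecurityNumber",
                    first_other_any=True, mixed=True, access_class="critical"),
    ]))
```

The output is in the same form as the page's own schema entries (continuation lines indented) and can be applied with ldapmodify in the usual way for schema updates. Getting the RACFFIELD type right is the part worth automating: a CHAR field defined FIRST(ANY) OTHER(ANY) can hold values that RACF command syntax only accepts in quotation marks, and the generator is where that decision is made once rather than per attribute.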