Associating LDAP attributes to RACF fields

Each RACF® field in a user, group, connection, and resource profile and in the RACF class options must be associated with an LDAP attribute. The LDAP attribute is used to set the RACF field value in LDAP add and modify operations and to represent the RACF field in LDAP search output. There are two types of RACF fields:
  • The fixed fields are defined by RACF. For each profile, these fields make up all the segments supported by SDBM (including the base segment) except the CSDATA segment.
  • The custom fields are defined by customers. These fields make up the CSDATA segment in the profile.
Each of these types is associated with an LDAP attribute in a different way.

Associating LDAP attributes to RACF fixed fields

The fields defined by RACF for user, group, connection, and resource profiles, and for class options (setropts) are mapped to predefined attributes in the LDAP schema. These LDAP attributes cannot be deleted or modified and the attribute names cannot be changed. The following tables show the RACF fixed field names and the associated LDAP attribute names for user profiles (Table 1), group profiles (Table 2), connection profiles (Table 3), resource profiles (Table 4) and setropts (Table 5). The RACF names in the table are the keywords used to set the field in RACF commands or used by RACF in display output (for display-only fields). Not all names apply to all versions of LDAP and RACF.

Table 1. Mapping of LDAP attribute names to RACF fixed fields (user)

| RACF segment name | RACF keyword in altuser/adduser/listuser | LDAP attribute name |
| --- | --- | --- |
| User base | ACTIVE or NOACTIVE | racfMFAFactorStatus |
| User base | ADDCATEGORY | racfSecurityCategoryList |
| User base | ADDPOLICY | racfMFAPolicy |
| User base | Multi-value: ADSP, SPECIAL, OPERATIONS, GRPACC, AUDITOR, OIDCARD, UAUDIT, ROAUDIT, or any other one-word values, such as NOEXPIRED and NOOMVS | racfAttributes |
| User base | AUTH - not displayed by LDAP | racfConnectGroupAuthority |
| User base | CLAUTH | racfClassName |
| User base | DFLTGRP | racfDefaultGroup |
| User base | FACTOR | racfMFAFactor |
| User base | GROUP | racfConnectGroupName |
| User base | Not modifiable - displayed as LAST-ACCESS | racfLastAccess |
| User base | NAME | racfProgrammerName |
| User base | Not modifiable - displayed as PASSDATE | racfPasswordChangeDate |
| User base | Not modifiable - displayed as PASS-INTERVAL | racfPasswordInterval |
| User base | PASSWORD | racfPassword |
| User base | Password envelope - not modifiable | racfPasswordEnvelope |
| User base | Not modifiable - displayed as PASSWORD ENVELOPED | racfHavePasswordEnvelope |
| User base | Password phrase envelope - not modifiable | racfPassPhraseEnvelope |
| User base | PHRASE | racfPassPhrase |
| User base | Not modifiable - displayed as PHRASEDATE | racfPassPhraseChangeDate |
| User base | Not modifiable - displayed as PHRASE ENVELOPED | racfHavePassPhraseEnvelope |
| User base | PWFALLBACK or NOPWFALLBACK | racfMFAPWFallback |
| User base | RESUME | racfResumeDate |
| User base | REVOKE | racfRevokeDate |
| User base | SECLABEL | racfSecurityLabel |
| User base | SECLEVEL | racfSecurityLevel |
| User base | TAGS | racfMFAFactorTags |
| User base | UACC - value is not displayed by LDAP | racfConnectGroupUACC |
| User base | WHEN(DAYS()) | racfLogonDays |
| User base | WHEN(TIME()) | racfLogonTime |
| User base or Group base | Not modifiable - displayed as CREATED | racfAuthorizationDate |
| User base or Group base | DATA | racfInstallationData |
| User base or Group base | MODEL | racfDatasetModel |
| User base or Group base | OWNER | racfOwner |
| CICS® segment | OPCLASS | racfOperatorClass |
| CICS segment | OPIDENT | racfOperatorIdentification |
| CICS segment | OPPRTY | racfOperatorPriority |
| CICS segment | RSLKEY | racfRslKey |
| CICS segment | TIMEOUT | racfTerminalTimeout |
| CICS segment | TSLKEY | racfTslKey |
| CICS segment | XRFSOFF | racfOperatorReSignon |
| DCE segment | AUTOLOGIN | racfDCEAutoLogin |
| DCE segment | DCENAME | racfDCEPrincipal |
| DCE segment | HOMECELL | racfDCEHomeCell |
| DCE segment | HOMEUUID | racfDCEHomeCellUUID |
| DCE segment | UUID | racfDCEUUID |
| DFP segment - common to group or user | DATAAPPL | SAFDfpDataApplication |
| DFP segment - common to group or user | DATACLAS | SAFDfpDataClass |
| DFP segment - common to group or user | MGMTCLAS | SAFDfpManagementClass |
| DFP segment - common to group or user | STORCLAS | SAFDfpStorageClass |
| EIM segment | LDAPPROF | racfLDAPProf |
| KERB segment | ENCRYPT | racfEncryptType |
| KERB segment | KERBNAME | krbPrincipalName |
| KERB segment | Not modifiable - displayed as KEY FROM | racfKerbKeyFrom |
| KERB segment | Not modifiable - displayed as KEY VERSION | racfCurKeyVersion |
| KERB segment | MAXTKTLFE | maxTicketAge |
| LANGUAGE segment | PRIMARY | racfPrimaryLanguage |
| LANGUAGE segment | SECONDARY | racfSecondaryLanguage |
| LNOTES segment | SNAME | racfLNotesShortName |
| NDS segment | UNAME | racfNDSUserName |
| NETVIEW segment | CONSNAME | racfDefaultConsoleName |
| NETVIEW segment | CTL | racfCTLKeyword |
| NETVIEW segment | DOMAINS | racfDomains |
| NETVIEW segment | IC | racfNetviewInitialCommand |
| NETVIEW segment | MSGRECVR | racfMSGRCVRKeyword |
| NETVIEW segment | NGMFADMN | racfNGMFADMKeyword |
| NETVIEW segment | NGMFVSPN | racfNGMFVSPNKeyword |
| NETVIEW segment | OPCLASS | racfNetviewOperatorClass |
| User OMVS segment | ASSIZEMAX | racfOmvsMaximumAddressSpaceSize |
| User OMVS segment | CPUTIMEMAX | racfOmvsMaximumCPUTime |
| User OMVS segment | FILEPROCMAX | racfOmvsMaximumFilesPerProcess |
| User OMVS segment | HOME | racfOmvsHome |
| User OMVS segment | MEMLIMIT | racfOmvsMemoryLimit |
| User OMVS segment | MMAPAREAMAX | racfOmvsMaximumMemoryMapArea |
| User OMVS segment | PROCUSERMAX | racfOmvsMaximumProcessesPerUID |
| User OMVS segment | PROGRAM | racfOmvsInitialProgram |
| User OMVS segment | SHARED, AUTOUID | racfOmvsUidKeyword |
| User OMVS segment | SHMEMMAX | racfOmvsSharedMemoryMaximum |
| User OMVS segment | THREADSMAX | racfOmvsMaximumThreadsPerProcess |
| User OMVS segment | UID | racfOmvsUid |
| OPERPARM segment | ALTGRP | racfAltGroupKeyword |
| OPERPARM segment | AUTH | racfAuthKeyword |
| OPERPARM segment | AUTO | racfAutoKeyword |
| OPERPARM segment | CMDSYS | racfCMDSYSKeyword |
| OPERPARM segment | DOM | racfDOMKeyword |
| OPERPARM segment | HC | racfHcKeyword |
| OPERPARM segment | INTIDS | racfIntidsKeyword |
| OPERPARM segment | KEY | racfKEYKeyword |
| OPERPARM segment | LEVEL | racfLevelKeyword |
| OPERPARM segment | LOGCMDRESP | racfLogCommandResponseKeyword |
| OPERPARM segment | MFORM | racfMformKeyword |
| OPERPARM segment | MIGID | racfMGIDKeyword |
| OPERPARM segment | MONITOR | racfMonitorKeyword |
| OPERPARM segment | MSCOPE | racfMscopeSystems |
| OPERPARM segment | ROUTCODE | racfRoutcodeKeyword |
| OPERPARM segment | STORAGE | racfStorageKeyword |
| OPERPARM segment | UD | racfUDKeyword |
| OPERPARM segment | UNKNIDS | racfUnknidsKeyword |
| User OVM segment | FSROOT | racfOvmFileSystemRoot |
| User OVM segment | HOME | racfOvmHome |
| User OVM segment | PROGRAM | racfOvmInitialProgram |
| User OVM segment | UID | racfOvmUid |
| PROXY segment | BINDDN | racfLDAPBindDN |
| PROXY segment | BINDPW - value is not displayed by LDAP | racfLDAPBindPw |
| PROXY segment | LDAPHOST | racfLDAPHost |
| TSO segment | ACCTNUM | SAFAccountNumber |
| TSO segment | COMMAND | SAFDefaultCommand |
| TSO segment | DEST | SAFDestination |
| TSO segment | HOLDCLASS | SAFHoldClass |
| TSO segment | JOBCLASS | SAFJobClass |
| TSO segment | MAXSIZE | SAFMaximumRegionSize |
| TSO segment | MSGCLASS | SAFMessageClass |
| TSO segment | PROC | SAFDefaultLoginProc |
| TSO segment | SECLABEL | SAFTsoSecurityLabel |
| TSO segment | SIZE | SAFLogonSize |
| TSO segment | SYSOUTCLASS | SAFDefaultSysoutClass |
| TSO segment | UNIT | SAFDefaultUnit |
| TSO segment | USERDATA | SAFUserdata |
| WORKATTR segment | WAACCNT | racfWorkAttrAccountNumber |
| WORKATTR segment | WAADDR1 | racfAddressLine1 |
| WORKATTR segment | WAADDR2 | racfAddressLine2 |
| WORKATTR segment | WAADDR3 | racfAddressLine3 |
| WORKATTR segment | WAADDR4 | racfAddressLine4 |
| WORKATTR segment | WABLDG | racfBuilding |
| WORKATTR segment | WADEPT | racfDepartment |
| WORKATTR segment | WANAME | racfWorkAttrUserName |
| WORKATTR segment | WAROOM | racfRoom |
| WORKATTR segment | WAEMAIL | racfEmail |

Table 2. Mapping of LDAP attribute names to RACF fixed fields (group)

| RACF segment name | RACF keyword in altgroup/addgroup/listgrp | LDAP attribute name |
| --- | --- | --- |
| Group base | SUPGROUP | racfSuperiorGroup |
| Group base | Not modifiable - displayed as SUBGROUP(S) | racfSubGroupName |
| Group base | TERMUACC | racfGroupNoTermUAC |
| Group base | UNIVERSAL | racfGroupUniversal |
| Group base | Not modifiable - displayed as USER(S) | racfGroupUserids |
| User base or Group base | Not modifiable - displayed as CREATED | racfAuthorizationDate |
| User base or Group base | DATA | racfInstallationData |
| User base or Group base | MODEL | racfDatasetModel |
| User base or Group base | OWNER | racfOwner |
| DFP segment - common to group or user | DATAAPPL | SAFDfpDataApplication |
| DFP segment - common to group or user | DATACLAS | SAFDfpDataClass |
| DFP segment - common to group or user | MGMTCLAS | SAFDfpManagementClass |
| DFP segment - common to group or user | STORCLAS | SAFDfpStorageClass |
| Group OMVS segment | GID | racfOmvsGroupId |
| Group OMVS segment | SHARED, AUTOGID | racfOmvsGroupIdKeyword |
| Group OVM segment | GID | racfOvmGroupId |

Table 3. Mapping of LDAP attribute names to RACF fixed fields (connection)

| RACF segment name | RACF keyword in connect | LDAP attribute name |
| --- | --- | --- |
| Connection base | Multi-value: ADSP, AUDITOR, GRPACC, OPERATIONS, SPECIAL | racfConnectAttributes |
| Connection base | AUTHORITY | racfConnectGroupAuthority |
| Connection base | Not modifiable - displayed as CONNECT-DATE | racfConnectAuthDate |
| Connection base | Not modifiable - displayed as CONNECTS | racfConnectCount |
| Connection base | Not modifiable - displayed as LAST-CONNECT | racfConnectLastConnect |
| Connection base | OWNER | racfConnectOwner |
| Connection base | RESUME | racfConnectResumeDate |
| Connection base | REVOKE | racfConnectRevokeDate |
| Connection base | UACC | racfConnectGroupUACC |

Table 4. Mapping of LDAP attribute names to RACF fixed fields (resource)

| RACF segment name | RACF keyword in rdefine/ralter/permit | LDAP attribute name |
| --- | --- | --- |
| Resource base | Multi-value: SINGLEDSN, TVTOC, WARNING, or any other one-word values, such as NOKERB | racfResourceAttributes |
| Resource base | ADDCATEGORY | racfSecurityCategoryList |
| Resource base | ADDMEM | racfMemberList |
| Resource base | ADDVOL | racfVolumeList |
| Resource base | Not modifiable - displayed as ALTER COUNT | racfAlterAccessCount |
| Resource base | APPLDATA | racfApplData |
| Resource base | AUDIT | racfResourceAudit |
| Resource base | Not modifiable - displayed as AUTOMATIC | racfAutomatic |
| Resource base | Not modifiable - displayed as CONTROL COUNT | racfControlAccessCount |
| Resource base | Not modifiable - displayed as CREATION DATE | racfAuthorizationDate |
| Resource base | DATA | racfInstallationData |
| Resource base | FCLASS, FGENERIC, FROM, FVOLUME - value is not displayed by LDAP | racfCopyProfileFrom |
| Resource base | GLOBALAUDIT | racfResourceGlobalAudit |
| Resource base | Not modifiable - displayed as LAST CHANGE DATE | racfLastReferenceDate |
| Resource base | LEVEL | racfLevel |
| Resource base | NOTIFY | racfNotify |
| Resource base | OWNER | racfOwner |
| Resource base | Not modifiable - displayed as READ COUNT | racfReadAccessCount |
| Resource base | SECLABEL | racfSecurityLabel |
| Resource base | SECLEVEL | racfSecurityLevel |
| Resource base | TIMEZONE | racfTimeZone |
| Resource base | UACC | racfUacc |
| Resource base | Not modifiable - displayed as UPDATE COUNT | racfUpdateAccessCount |
| Resource base | WHEN(DAYS()) | racfLogonDays |
| Resource base | WHEN(TIME()) | racfLogonTime |
| Resource base | Any of these PERMIT command keywords: ACCESS, DELETE, FCLASS, FGENERIC, FROM, FVOLUME, ID, RESET, WHEN | racfAccessControl |
| CDTINFO segment | CASE | racfCdtinfoCase |
| CDTINFO segment | DEFAULTRC | racfCdtinfoDefaultRc |
| CDTINFO segment | DEFAULTUACC | racfCdtinfoDefaultUacc |
| CDTINFO segment | FIRST | racfCdtinfoFirst |
| CDTINFO segment | GENERIC | racfCdtinfoGeneric |
| CDTINFO segment | GENLIST | racfCdtinfoGenList |
| CDTINFO segment | GROUP | racfCdtinfoGroup |
| CDTINFO segment | KEYQUALIFIERS | racfCdtinfoKeyQualifiers |
| CDTINFO segment | MACPROCESSING | racfCdtinfoMacProcessing |
| CDTINFO segment | MAXLENGTH | racfCdtinfoMaxLength |
| CDTINFO segment | MAXLENX | racfCdtinfoMaxLengthX |
| CDTINFO segment | MEMBER | racfCdtinfoMember |
| CDTINFO segment | OPERATIONS | racfCdtinfoOperations |
| CDTINFO segment | OTHER | racfCdtinfoOther |
| CDTINFO segment | POSIT | racfCdtinfoPosit |
| CDTINFO segment | PROFILESALLOWED | racfCdtinfoProfilesAllowed |
| CDTINFO segment | RACLIST | racfCdtinfoRacList |
| CDTINFO segment | SECLABELSREQUIRED | racfCdtinfoSecLabelsRequired |
| CDTINFO segment | SIGNAL | racfCdtinfoSignal |
| CFDEF segment | FIRST | racfCfdefFirst |
| CFDEF segment | HELP | racfCfdefHelp |
| CFDEF segment | LISTHEAD | racfCfdefListHead |
| CFDEF segment | MAXLENGTH | racfCfdefMaxLength |
| CFDEF segment | MAXVALUE | racfCfdefMaxValue |
| CFDEF segment | MINVALUE | racfCfdefMinValue |
| CFDEF segment | MIXED | racfCfdefMixed |
| CFDEF segment | OTHER | racfCfdefOther |
| CFDEF segment | TYPE | racfCfdefType |
| DLFDATA segment | JOBNAMES | racfDlfdataJobNames |
| DLFDATA segment | RETAIN | racfDlfdataRetain |
| EIM segment | DOMAINDN | racfEimDomainDn |
| EIM segment | KERBREGISTRY | racfEimKerbRegistry |
| EIM segment | LOCALREGISTRY | racfEimLocalRegistry |
| EIM segment | OPTIONS | racfEimOptions |
| EIM segment | X509REGISTRY | racfEimX509Registry |
| ICSF segment | ASYMUSAGE | racfIcsfAsymUsage |
| ICSF segment | SYMCPACFRET | racfIcsfSymCpacfRet |
| ICSF segment | SYMCPACFWRAP | racfIcsfSymCpacfWrap |
| ICSF segment | SYMEXPORTABLE | racfIcsfSymExportable |
| ICSF segment | SYMEXPORTCERTS | racfIcsfSymExportCerts |
| ICSF segment | SYMEXPORTKEYS | racfIcsfSymExportKeys |
| ICTX segment | DOMAP | racfIctxDoMap |
| ICTX segment | MAPPINGTIMEOUT | racfIctxMappingTimeOut |
| ICTX segment | MAPREQUIRED | racfIctxMapRequired |
| ICTX segment | USEMAP | racfIctxUseMap |
| KERB segment | DEFTKTLFE | racfKerbDefaultTicketLife |
| KERB segment | ENCRYPT | racfEncryptType |
| KERB segment | KERBNAME | krbPrincipalName |
| KERB segment | Not modifiable - displayed as KEY VERSION | racfCurKeyVersion |
| KERB segment | MAXTKTLFE | maxTicketAge |
| KERB segment | MINTKTLFE | racfKerbMinTicketLife |
| KERB segment | PASSWORD - value is not displayed by LDAP | racfKerbPassword |
| MFPOLICY segment | FACTORS | racfMfpolicyFactors |
| MFPOLICY segment | REUSE | racfMfpolicyReuse |
| MFPOLICY segment | TOKENTIMEOUT | racfMfpolicyTokenTimeout |
| PROXY segment | BINDDN | racfLDAPBindDn |
| PROXY segment | BINDPW - value is not displayed by LDAP | racfLDAPBindPw |
| PROXY segment | LDAPHOST | racfLDAPHost |
| SESSION segment | CONVSEC | racfSessionConvSec |
| SESSION segment | INTERVAL | racfSessionInterval |
| SESSION segment | LOCK | racfSessionLock |
| SESSION segment | SESSKEY | racfSessionSessKey |
| SIGVER segment | FAILLOAD | racfSigverFailLoad |
| SIGVER segment | SIGAUDIT | racfSigverSigAudit |
| SIGVER segment | SIGREQUIRED | racfSigverSigRequired |
| SSIGNON segment | KEYENCRYPTED - value is not displayed by LDAP | racfSsignonKeyEncrypted |
| SSIGNON segment | KEYLABEL - value is not returned from RACF because of lack of support in the R_admin callable service | racfSsignonkeylabel |
| SSIGNON segment | KEYMASKED - value is not displayed by LDAP | racfSsignonKeyMasked |
| STDATA segment | GROUP | racfStdataGroup |
| STDATA segment | PRIVILEGED | racfStdataPrivileged |
| STDATA segment | TRACE | racfStdataTrace |
| STDATA segment | TRUSTED | racfStdataTrusted |
| STDATA segment | USER | racfStdataUser |

Table 5. Mapping of LDAP attribute names to RACF fixed fields (setropts)

| RACF segment name | RACF keyword in setropts | LDAP attribute name |
| --- | --- | --- |
| Setropts base | Multi-value: REFRESH, WHEN(PROGRAM) | racfSetroptsAttributes |
| Setropts base | AUDIT | racfAudit |
| Setropts base | CLASSACT | racfClassAct |
| Setropts base | GENCMD | racfGenCmd |
| Setropts base | GENERIC | racfGeneric |
| Setropts base | GENLIST | racfGenList |
| Setropts base | GLOBAL | racfGlobal |
| Setropts base | LOGOPTIONS(ALWAYS) | racfLogOptionsAlways |
| Setropts base | LOGOPTIONS(DEFAULT) | racfLogOptionsDefault |
| Setropts base | LOGOPTIONS(FAILURES) | racfLogOptionsFailures |
| Setropts base | LOGOPTIONS(NEVER) | racfLogOptionsNever |
| Setropts base | LOGOPTIONS(SUCCESSES) | racfLogOptionsSuccesses |
| Setropts base | RACLIST | racfRacList |
| Setropts base | STATISTICS | racfStatistics |

Note: The SDBM attribute types that return DN-type values are: racfNotify, racfGroupUserids, racfConnectGroupName, racfDefaultGroup, racfSubGroupName, racfSuperiorGroup, racfConnectOwner, racfOwner, racfStdataUser, racfStdataGroup, racfAudit, racfCdtInfoGroup, racfCdtInfoMember, racfClassAct, racfGenCmd, racfGeneric, racfGenList, racfGlobal, racfLogoptionsAlways, racfLogoptionsDefault, racfLogoptionsFailures, racfLogoptionsNever, racfLogoptionsSuccesses, racfRacList, and racfStatistics.

By default on search responses, these SDBM DN-type attribute values are returned in uppercase format (for example, RACFID=X,PROFILETYPE=USER,CN=SDBM, RACFID=Y,PROFILETYPE=GROUP,CN=SDBM, or PROFILENAME=TMP,PROFILETYPE=FACILITY,CN=SDBM).

However, if the lowest order bit for the decimal bitmask specified in the LDAP_COMPAT_FLAGS environment variable is set to 1 (for example, 1, 3, or 5), these SDBM DN-type attribute values are returned in mixed case format (for example, racfid=X,profiletype=USER,cn=sdbm, racfid=Y,profiletype=GROUP,cn=sdbm, or profilename=TMP,profiletype=FACILITY,cn=sdbm). See LDAP_COMPAT_FLAGS environment variable for more information.
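Because the same entry comes back in either form depending on a server setting the client does not control, client code should not compare DN-type values literally. The following Python is an added example, not part of the IBM documentation: it canonicalizes both forms (folding the attribute types and the fixed cn=sdbm suffix, uppercasing the PROFILETYPE value, and leaving the RACF ID or profile name exactly as returned), and it includes the low-order-bit test on the LDAP_COMPAT_FLAGS value. It assumes the three-component DNs shown in this section with no escaped commas; the sample DN strings are the ones quoted above.

```python
# Added example (not from the IBM z/OS LDAP documentation): handle SDBM
# DN-type attribute values independently of the server's LDAP_COMPAT_FLAGS
# setting. Assumption: DNs have the three components shown on the page
# (RACFID or PROFILENAME, PROFILETYPE, CN=SDBM) and contain no escaped commas.
from typing import List, Tuple

SDBM_ID_ATTRS = ("racfid", "profilename")   # user/group entries vs. resource entries


def compat_flags_mixed_case(ldap_compat_flags: str) -> bool:
    """True when the decimal LDAP_COMPAT_FLAGS bitmask has its lowest-order bit set."""
    return (int(ldap_compat_flags.strip(), 10) & 1) == 1


def split_sdbm_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs; attribute types are folded to lowercase."""
    pairs = []
    for rdn in dn.split(","):           # assumption: no escaped commas in SDBM DNs
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN in SDBM DN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonical_sdbm_dn(dn: str) -> str:
    """Return the mixed-case form SDBM uses when the compat bit is set.

    Attribute types and the fixed cn=sdbm suffix are case-folded and the
    PROFILETYPE value is uppercased. The RACF ID or profile name is kept as
    returned: resource profile names in mixed-case classes are case-significant.
    """
    pairs = split_sdbm_dn(dn)
    if len(pairs) != 3:
        raise ValueError(f"expected 3 RDNs in SDBM DN, got {len(pairs)}: {dn!r}")
    (id_attr, id_val), (pt_attr, pt_val), (cn_attr, cn_val) = pairs
    if id_attr not in SDBM_ID_ATTRS or pt_attr != "profiletype":
        raise ValueError(f"not an SDBM entry DN: {dn!r}")
    if cn_attr != "cn" or cn_val.lower() != "sdbm":
        raise ValueError(f"DN is not under the SDBM suffix: {dn!r}")
    return f"{id_attr}={id_val},profiletype={pt_val.upper()},cn=sdbm"


def sdbm_dn_equal(a: str, b: str) -> bool:
    """Compare two SDBM DNs the way a client should: independent of the compat-flag case."""
    return canonical_sdbm_dn(a) == canonical_sdbm_dn(b)


def sdbm_identity(dn: str) -> Tuple[str, str]:
    """Return (PROFILETYPE, RACF ID or profile name) from either DN form."""
    pairs = dict(split_sdbm_dn(canonical_sdbm_dn(dn)))
    name = pairs.get("racfid") or pairs.get("profilename")
    return pairs["profiletype"], name


if __name__ == "__main__":
    # Constructed sample values: the two forms of the same user entry shown on the page
    upper = "RACFID=X,PROFILETYPE=USER,CN=SDBM"
    mixed = "racfid=X,profiletype=USER,cn=sdbm"
    print(sdbm_dn_equal(upper, mixed), sdbm_identity(mixed))
```

A client that stores or compares these values should store the canonical form (or the (PROFILETYPE, name) pair) rather than the raw string, so that flipping the compat bit on the server does not silently turn every DN comparison into a mismatch.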

Associating LDAP attributes to RACF custom fields

The user and group profile custom fields in the CSDATA segment are not predefined by RACF, but are defined in RACF by the user. If those fields are to be set and displayed using LDAP, then the user must add an attribute to the LDAP schema to represent each custom field. The attribute is defined in the LDAP schema using an attributeTypes value and an IBMAttributeTypes value. LDAP does not allow more than one attribute to be associated with the same RACF custom field.
  • The attributeTypes value specifies the object identifier (OID), name, syntax, and equality rule of the attribute. The OID and name must not be in use in the schema. The attribute name can be the same as the RACF custom field name, or it can be different. For example, if the custom field name is phone, the attribute name could be phone, or workphone, or anything else that is not already in use. See Attribute types for more information about attributeTypes.
  • The IBMAttributeTypes value must include the RACFFIELD keyword to identify the RACF custom field associated with the attribute. The RACFFIELD value specifies the resource profile name that is used to define the custom field in RACF, with periods (.) changed to dashes (-). For example, if the RACF custom field is defined by the USER.CSDATA.PHONE resource profile, RACFFIELD contains USER-CSDATA-PHONE. RACFFIELD also optionally specifies the type of RACF custom field. The accepted values are char, flag, hex, num, and qchar. If the RACF custom field is defined with TYPE(CHAR) FIRST(ANY) OTHER(ANY), then specify qchar in RACFFIELD to indicate that SDBM should put the attribute value in quotations when creating RACF commands. Otherwise, specify in RACFFIELD the same value as was used for TYPE when defining the custom field in RACF. If a type value is not specified in RACFFIELD, LDAP assumes that the custom field type is char. See Schema introduction for more information about IBMAttributeTypes.
For example, if the phone custom field is defined in the RACF user profile with TYPE(CHAR), the following attribute could be added to the LDAP schema to represent the custom field:
attributetypes: (
      phone-OID
      NAME 'phone'
      DESC 'Represents the PHONE field in the RACF user CSDATA segment'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE
      USAGE userApplications
      )
ibmattributetypes: (
      phone-OID
      ACCESS-CLASS sensitive
      RACFFIELD ('USER-CSDATA-PHONE' 'char')
      )
Note:
  1. A numeric OID can be used instead of the nonnumeric OID phone-OID.
  2. If the RACF custom field is defined to be case-sensitive (using MIXED(YES)), change the EQUALITY rule to EQUALITY caseExactMatch. Otherwise, compare operations can fail if mixed case values are involved.
  3. The SYNTAX must be IA5 String (1.3.6.1.4.1.1466.115.121.1.26).
  4. All RACF custom fields have only a single value; therefore, SINGLE-VALUE is specified.
  5. The ACCESS-CLASS is 'sensitive' for most RACF attributes, but can be changed to 'critical' if the field contains data to which access is more restrictive. SDBM does not use the ACCESS-CLASS value, but TDBM, LDBM, and CDBM do.

For completeness, add an object class to the LDAP schema to represent the CSDATA segment in each profile. SDBM always assumes that the object class names are racfUserCsdataSegment for the CSDATA segment in the user profile or racfGroupCsdataSegment for the CSDATA segment in the group profile. SDBM adds this object class to a user or group entry if the corresponding RACF profile contains the CSDATA segment.

For example, if the PHONE and SSN custom fields are defined in RACF for the user profile and the LDAP attributes phone and socialSecurityNumber are defined in the LDAP schema to represent the custom fields, the following object class should be added to the LDAP schema:
objectclasses: (
      racfUserCsdataSegment-OID
      NAME 'racfUserCsdataSegment'
      DESC 'Represents the CSDATA segment in a z/OS RACF USER profile'
      SUP top
      AUXILIARY
      MAY ( phone $ socialSecurityNumber )
      )
Note: A numeric OID can be used instead of the nonnumeric OID racfUserCsdataSegment-OID.
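The following Python, an added example rather than code from the IBM documentation or the z/OS LDAP product, generates the attributetypes, ibmattributetypes and object class definitions described in this section from a list of custom-field definitions. It applies the rules given above: RACFFIELD is the defining resource profile name with periods changed to dashes, TYPE(CHAR) FIRST(ANY) OTHER(ANY) becomes qchar and any other field uses its CFDEF TYPE value, MIXED(YES) selects caseExactMatch, the SYNTAX is always IA5 String, every attribute is SINGLE-VALUE, and the object class name is the one SDBM assumes for the profile type. It also rejects two attributes associated with the same custom field, which LDAP does not allow. The CustomField class, its default access class, and the PHONE/SSN sample definitions are constructed for the example; the nonnumeric -OID names follow the page's phone-OID convention.

```python
# Added example, not from the IBM z/OS LDAP documentation or product code: build
# the custom-field schema entries this section describes from each field's CFDEF
# values. CustomField and the sample PHONE/SSN definitions are constructed.
from dataclasses import dataclass
from typing import List

IA5_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"   # the only SYNTAX SDBM accepts
RACFFIELD_TYPES = ("char", "flag", "hex", "num", "qchar")
CSDATA_OBJECTCLASS = {"USER": "racfUserCsdataSegment",   # names SDBM always assumes
                      "GROUP": "racfGroupCsdataSegment"}


@dataclass
class CustomField:
    """One RACF custom field, described by the CFDEF values used to define it."""
    profile_type: str        # "USER" or "GROUP"
    field_name: str          # PHONE for the USER.CSDATA.PHONE resource profile
    racf_type: str           # CFDEF TYPE: CHAR, FLAG, HEX or NUM
    first: str = ""          # CFDEF FIRST, consulted only for TYPE(CHAR)
    other: str = ""          # CFDEF OTHER, consulted only for TYPE(CHAR)
    mixed: bool = False      # CFDEF MIXED(YES): values are case-sensitive
    ldap_name: str = ""      # attribute name; defaults to the lowercase field name
    access_class: str = "sensitive"   # 'sensitive' or 'critical'

    @property
    def profile_name(self) -> str:
        return f"{self.profile_type.upper()}.CSDATA.{self.field_name.upper()}"

    @property
    def attribute_name(self) -> str:
        return self.ldap_name or self.field_name.lower()


def racffield_value(cf: CustomField) -> str:
    """The defining resource profile name with periods changed to dashes."""
    return cf.profile_name.replace(".", "-")


def racffield_type(cf: CustomField) -> str:
    """qchar for TYPE(CHAR) FIRST(ANY) OTHER(ANY); otherwise the CFDEF TYPE in lowercase."""
    t = cf.racf_type.lower()
    if t == "char" and cf.first.upper() == "ANY" and cf.other.upper() == "ANY":
        return "qchar"   # tells SDBM to quote the value in the RACF commands it builds
    if t not in RACFFIELD_TYPES or t == "qchar":
        raise ValueError(f"{cf.profile_name}: unsupported CFDEF TYPE {cf.racf_type!r}")
    return t


def equality_rule(cf: CustomField) -> str:
    """MIXED(YES) fields need caseExactMatch, or compares on mixed-case values can fail."""
    return "caseExactMatch" if cf.mixed else "caseIgnoreMatch"


def attribute_type_ldif(cf: CustomField) -> str:
    name, seg = cf.attribute_name, cf.profile_type.lower()
    return "\n".join([
        "attributetypes: (",
        f"      {name}-OID",     # nonnumeric OID, as in the page's phone-OID
        f"      NAME '{name}'",
        f"      DESC 'Represents the {cf.field_name.upper()} field in the RACF {seg} CSDATA segment'",
        f"      EQUALITY {equality_rule(cf)}",
        f"      SYNTAX {IA5_STRING_SYNTAX}",
        "      SINGLE-VALUE",    # every RACF custom field holds exactly one value
        "      USAGE userApplications",
        "      )",
    ])


def ibm_attribute_type_ldif(cf: CustomField) -> str:
    return "\n".join([
        "ibmattributetypes: (",
        f"      {cf.attribute_name}-OID",
        f"      ACCESS-CLASS {cf.access_class}",
        f"      RACFFIELD ('{racffield_value(cf)}' '{racffield_type(cf)}')",
        "      )",
    ])


def csdata_objectclass_ldif(profile_type: str, fields: List[CustomField]) -> str:
    oc = CSDATA_OBJECTCLASS[profile_type.upper()]
    return "\n".join([
        "objectclasses: (",
        f"      {oc}-OID",
        f"      NAME '{oc}'",
        f"      DESC 'Represents the CSDATA segment in a z/OS RACF {profile_type.upper()} profile'",
        "      SUP top",
        "      AUXILIARY",
        f"      MAY ( {' $ '.join(cf.attribute_name for cf in fields)} )",
        "      )",
    ])


def custom_field_schema_ldif(fields: List[CustomField]) -> str:
    """All attribute definitions plus the CSDATA object class for one profile type."""
    types = {cf.profile_type.upper() for cf in fields}
    if len(types) != 1 or not types <= set(CSDATA_OBJECTCLASS):
        raise ValueError(f"fields must all be USER or all be GROUP custom fields: {sorted(types)}")
    seen = set()
    for cf in fields:
        # LDAP allows one attribute per RACF custom field; attribute names must be unique too
        for key in (racffield_value(cf), cf.attribute_name.lower()):
            if key in seen:
                raise ValueError(f"{key} appears twice in the custom-field list")
            seen.add(key)
    parts = [s for cf in fields for s in (attribute_type_ldif(cf), ibm_attribute_type_ldif(cf))]
    parts.append(csdata_objectclass_ldif(types.pop(), fields))
    return "\n".join(parts) + "\n"
```

Calling custom_field_schema_ldif with the constructed fields CustomField("USER", "PHONE", "CHAR", first="ALPHA", other="ALPHANUM") and CustomField("USER", "SSN", "NUM", ldap_name="socialSecurityNumber") reproduces the attributetypes/ibmattributetypes pair shown earlier for phone, the same pair for socialSecurityNumber with RACFFIELD ('USER-CSDATA-SSN' 'num'), and the racfUserCsdataSegment object class above. Keeping the generator rather than hand-editing the schema means the qchar and caseExactMatch decisions are always derived from the CFDEF values, which is where mismatches between RACF and the LDAP schema usually come from.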