Requirements for a user ID that runs the LDAP server
Any user ID can be used to run the LDAP server. The examples in this topic use a user ID of LDAPSRV in the commands provided.
Note: If the UID of the user ID running the LDAP server is not zero, all console messages that are produced by the LDAP server are accompanied by a BPXM023I message identifying the user writing to the console.
The user ID performing the RACF® commands in the following examples requires RACF SPECIAL authority.
You can use the RACF commands in the following example to define the user ID that runs the LDAP server (substitute appropriate values for UID and GID).
ADDGROUP LDAPGRP SUPGROUP(SYS1) OMVS(GID(2))
ADDUSER LDAPSRV DFLTGRP(LDAPGRP) OMVS(UID(1) PROGRAM('/bin/sh'))
The following RACF commands give the LDAP server access to the Workload Manager (WLM). This is required when starting the LDAP server even if WLM is not being used to classify or prioritize work within the LDAP server.
RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
The following RACF commands are entered if the BPX.SERVER profile is defined.
PERMIT BPX.SERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
- Grant control access to the SUPERUSER.FILESYS profile in the UNIXPRIV class. You might not want control access to the SUPERUSER.FILESYS profile because it grants the LDAP server user ID access to all files and directories in z/OS® UNIX System Services. See z/OS UNIX System Services Planning for more information. Issue these RACF commands to grant control access to SUPERUSER.FILESYS:
RDEFINE UNIXPRIV SUPERUSER.FILESYS UACC(NONE)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(CONTROL)
SETROPTS CLASSACT(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV) REFRESH
- Grant read access to the SUPERUSER.FILESYS.CHOWN and SUPERUSER.FILESYS.CHANGEPERMS profiles in the UNIXPRIV class by issuing these RACF commands:
RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHOWN UACC(NONE)
PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(READ)
RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHANGEPERMS UACC(NONE)
PERMIT SUPERUSER.FILESYS.CHANGEPERMS CLASS(UNIXPRIV) ID(LDAPSRV) ACCESS(READ)
SETROPTS CLASSACT(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV) REFRESH
If you are going to set up more than one LDAP server on the same system, a separate user ID is used for each one.
Additional setup for user ID that runs the LDAP server
The GLD1342E message:
- Indicates the UID and GIDs for the LDAP server user ID.
- Indicates which file or directory it does not own.
- Indicates the UID and GID of the file or directory.
GLD1342E Unwilling to open file or directory '/var/ldap/schema':
File or directory UID 8, UID of program 0, GID of file or
directory 8, GIDs of program (10, 0, 1, 110011).
In the message text:
- The file or directory is "/var/ldap/schema". An "ls -n" of this path shows that it is a directory.
- The owning UID of the directory is 8.
- The owning GID of the directory is 8.
- The UID of the program is 0. Therefore, it does not own the directory.
- The GIDs of the program are 10, 0, 1 and 110011. Therefore, it is not in a group that owns the directory.
If the server has other file-based backends such as CDBM, LDBM, or file-based GDBM, then an "ls -n" of the backend directory (as specified in the databaseDirectory option in the LDAP server configuration file) shows the UID and GID of the files and directories. All of the backend files and directories must be owned by the user ID that runs the LDAP server, or be owned by one of the user ID's groups (see Requirements for a user ID that runs the LDAP server for the example with the group "LDAPGRP").
These requirements also apply to the ds2ldif and ldif2ds utilities. The ds2ldif utility accesses the schema directory and file, and the directory and files for the backend that is being unloaded. The ldif2ds utility accesses the schema directory and file, and the CDBM backend directory and files. Therefore, the user ID that runs either utility must be in the group that owns these directories and the files within these directories.
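As an added example (not part of the IBM documentation), the following POSIX shell function performs the ownership check described above with "ls -n": it reports every entry of a backend directory, and the directory itself, that is owned neither by the server's UID nor by one of its GIDs, which is the condition behind GLD1342E. The function names, argument order and the NOT OWNED output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Assumed usage:
#   check_backend_ownership <uid> "<space-separated gid list>" <directory>
# Prints one NOT OWNED line per failing entry; prints nothing when all pass.
# Pass the server's values as reported by "id -u" and "id -G" under that user ID.

gid_in_list() {
    # $1 = GID to look for, $2 = GID list (the "GIDs of program" in GLD1342E)
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

check_backend_ownership() {
    uid=$1 gids=$2 dir=$3
    # -n prints numeric UID and GID (fields 3 and 4), the same values GLD1342E shows;
    # "ls -nd" covers the databaseDirectory itself, "ls -n" its contents.
    { ls -nd "$dir"; ls -n "$dir"; } | while read -r perm links fuid fgid rest; do
        case $perm in total) continue ;; esac   # skip the "total N" summary line
        [ -z "$fgid" ] && continue
        # Ownership is satisfied by matching UID or by any matching group, as the text states
        if [ "$fuid" != "$uid" ] && ! gid_in_list "$fgid" "$gids"; then
            printf 'NOT OWNED: %s (UID %s, GID %s) -- program UID %s, GIDs %s\n' \
                "${rest##* }" "$fuid" "$fgid" "$uid" "$gids"
        fi
    done
}
```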
Additional setup for LDAP console commands
MODIFY DSSRV,DEBUGSECRET ON
To issue the command successfully, the operator ID must have READ permission to the profile Domain_Name.MODIFY.DEBUGSECRET in the RACF supplied LDAP general resource class. Domain_Name is the value specified in the ibm-slapdSAFSecurityDomain attribute in the cn=configuration entry. The default value for Domain_Name is GLDSEC. See Customizing the LDAP server configuration for more information. For example, with the default Domain_Name of GLDSEC, the following RACF commands define the profile and grant READ access to the operator ID pADMIN:
SETROPTS GENERIC(LDAP)
RDEFINE LDAP GLDSEC.MODIFY.DEBUGSECRET UACC(NONE)
SETROPTS CLASSACT(LDAP)
PERMIT GLDSEC.MODIFY.DEBUGSECRET CLASS(LDAP) ID(pADMIN) ACCESS(READ)
Additional setup when using SDBM
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
The SDBM backend also supports the RACF functions that search for users and groups with a given UID or GID value, control sharing user UID and group GID values, and retrieve a user password or password phrase envelope. Usage of these functions requires additional RACF configuration and profiles, as described in the RACF documentation.
Additional setup for RACF PROXY segment and SDBM
The SDBM backend supports the PROXY segment within the RACF user profile. If you intend to use SDBM to set the BINDPW value in the PROXY segment, RACF requires that you create KEYSMSTR class profile LDAP.BINDPW.KEY with the SSIGNON segment.
- To create the LDAP.BINDPW.KEY profile in the KEYSMSTR class, use the KEYMASKED sub-operand if no cryptographic product is installed on your system:
RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYMASKED(key-value))
Or, use the KEYENCRYPTED sub-operand if a cryptographic product is installed:
RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(key-value))
key-value is a Secured Sign-on Application key and must be specified as a string of 16 hexadecimal characters.
- Then, activate the KEYSMSTR class:
SETROPTS CLASSACT(KEYSMSTR)
See z/OS Security Server RACF Command Language Reference for details on using these RACF commands and z/OS Security Server RACF Security Administrator's Guide for information about creating and using profiles.
Additional setup for sysplex
LDAP, then issue the following RACF commands:
RDEFINE FACILITY GLD.XCF.GROUP.LDAP UACC(NONE)
PERMIT GLD.XCF.GROUP.LDAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Defining the Kerberos identity
If you plan to enable Kerberos support, you must associate a Kerberos identity with the server's user ID and generate a Kerberos key. The following RACF commands must be entered:
ALTUSER LDAPSRV PASSWORD(password) NOEXPIRED KERB(KERBNAME(ldap_prefix/hostname))
ALTUSER LDAPSRV NOPASSWORD
Note: ldap_prefix must be either ldap or LDAP. Use ldap unless compatibility with earlier z/OS LDAP clients is needed. Also, the hostname must be the primary host name for the system in DNS.
If the LDAP server is located on the same machine as the Key Distribution Center (KDC), a key table is not necessary to start the LDAP server. However, the user ID that starts the server must have at least read access to IRR.RUSERMAP in the FACILITY class when the KRB5_SERVER_KEYTAB environment variable in the security server configuration file (krb5.conf) is set to 1. This can be done by issuing the following RACF commands:
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
If the LDAP server is not running on the same machine as the Kerberos KDC server, then a key table is required. The kadmin command can be used to create or update the key table in a directory that can be accessed by the LDAP server. The kadmin command must be used to get the KDC to generate the key table when the KDC does not reside on z/OS. However, the keytab command can be used to add the principal to the key table if the principal's password is known. The name of the key table is then specified in the krbKeytab option in the LDAP server configuration file.
See z/OS Integrated Security Services Network Authentication Service Administration for more information about configuring the KDC.
Additional setup for generating audit records
RDEFINE FACILITY IRR.RAUDITX UACC(NONE)
PERMIT IRR.RAUDITX CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Additional setup for using securityLabel option
RDEFINE FACILITY BPX.POE UACC(NONE)
PERMIT BPX.POE CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
See z/OS UNIX System Services Planning for more information about setting up this profile. For other LDAP server considerations in a multilevel security environment, see z/OS Planning for Multilevel Security and the Common Criteria.
Additional setup when defining administrative roles in RACF
RDEFINE FACILITY BPX.SERVER UACC(NONE)
PERMIT BPX.SERVER CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS CLASSACT(LDAP)
Additional setup for using SHA-2 or Salted SHA-2 hashing
RDEFINE CSFSERV CSFOWH UACC(NONE)
PERMIT CSFOWH CLASS(CSFSERV) ID(LDAPSRV) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH