IBM Support

OA62693: R010001 INVALID CHARACTER LDAPMODIFY SCHEMA TO ADD RACF CUSTOM FIELD

A fix is available


APAR status

  • Closed as program error.

Error description

  • LDAP documents how to add a RACF Custom Field to the LDAP schema
    so that CSDATA segments can be read via LDAP calls. However, LDAP's
    standard schema syntax does not allow some of the special
    characters that RACF allows, namely:
      '#' (x5B), '$' (x7B), '@' (x7C)
    
    When the RACF field includes one of these characters, the
    ldapmodify will generate an error:
      R010001 Invalid character in descriptor 'USER-CSDATA-$MYFIELD'
    (parse_descr:1088)
    
    KNOWN IMPACT:
    Some customers require local modifications to contain one of
    these characters.  As such they cannot use LDAP to access them.
    
    VERIFICATION STEPS:
    The input ldif file includes something like:
    
    add ibmattributetypes:
        ( racfmyfield-OID ACCESS-CLASS sensitive RACFFIELD
    ('USER-CSDATA-$MYFIELD' 'char') )
    
    The output includes:
    
    ldap_modify: Syntax is not valid
    ldap_modify: additional info: R010001 Invalid character in
    descriptor
    
    ADDITIONAL SYMPTOMS:
    RSNR010001
    GROUP-CSDATA-$MYFIELD
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of IBM Tivoli Directory Server for     *
    *                 z/OS who use SDBM backend with RACF Custom   *
    *                 Fields in user or group profiles.            *
    ****************************************************************
    * PROBLEM DESCRIPTION: Adding a racfFieldName value with       *
    *                      special characters like '#', '$', and   *
    *                      '@' to the LDAP schema entry will fail  *
    *                      with error "Syntax is not valid".       *
    ****************************************************************
    Symbols '#', '$', and '@' are defined as valid characters for
    the RACF Custom Field names but they are not allowed for
    attribute racfFieldName in the LDAP schema.
    

Problem conclusion

  • This APAR updates the LDAP schema syntax validation rule to
    support special characters '#', '$', and '@' for attribute
    racfFieldName.
    
    This APAR support was provided through internal defect 430252.
    
    FMIDs affected:
       HRSL430 - IBM TDS on z/OS V2.3
       HRSL440 - IBM TDS on z/OS V2.4
    
    This APAR updates the following parts:
       GLDSRV31
       GLDSRV64
       GLDUTS31
       GLDUTS64
    
    The following documentation updates are made for this APAR:
    
    Title: z/OS IBM Tivoli Directory Server Administration and Use
    for z/OS
    
    Document Number: SC23-6788-XX
    
    Chapter 15 "LDAP directory schema", section "Schema
    introduction", sub-section "LDAP schema attributes", topic
    "IBM attribute types", make the following changes for the
    description of "RACFFIELD qdescrs":
    
    Replace sentence "where name is the name of the associated RACF
    custom field." with "where name is the name of the associated
    RACF custom field, which is 1-8 characters and consists of
    letters (A-Z), numbers (0-9), and special characters (@, #,
    and $)."
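
A pre-flight check for the descriptors this APAR covers, as an added example that is not IBM's code: it applies the name rule from the documentation update above to each RACFFIELD descriptor in an LDIF schema update and marks those containing @, # or $, which the page says fail with R010001 until the fix is applied. The function name, status labels and sample LDIF are constructed for illustration, and names are compared exactly as written.

```python
import re

# Name rule from the APAR's documentation update: 1-8 characters made of
# letters A-Z, digits 0-9 and the special characters @, # and $.
NAME_RULE = re.compile(r"[A-Z0-9@#$]{1,8}")
SPECIALS = "@#$"

# RACFFIELD ( 'descriptor' 'type' ): capture the first quoted string.
RACFFIELD = re.compile(r"RACFFIELD\s*\(\s*'([^']*)'")
# Descriptor prefixes that appear on the page; others are reported as unknown.
PREFIXES = ("USER-CSDATA-", "GROUP-CSDATA-")


def check_racffields(ldif_text):
    """Classify every RACFFIELD descriptor found in an LDIF schema update."""
    findings = []
    for descriptor in RACFFIELD.findall(ldif_text):
        prefix = next((p for p in PREFIXES if descriptor.startswith(p)), None)
        if prefix is None:
            findings.append((descriptor, "unknown-prefix"))
            continue
        name = descriptor[len(prefix):]
        if not NAME_RULE.fullmatch(name):
            status = "invalid-name"      # breaks the documented 1-8 char rule
        elif any(ch in SPECIALS for ch in name):
            status = "needs-OA62693"     # valid for RACF, rejected before the fix
        else:
            status = "ok"
        findings.append((descriptor, status))
    return findings


# Constructed sample input; OIDs and field names are placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: ibmattributetypes
ibmattributetypes: ( racfmyfield-OID ACCESS-CLASS sensitive RACFFIELD
 ( 'USER-CSDATA-$MYFIELD' 'char' ) )
ibmattributetypes: ( racfdept-OID ACCESS-CLASS sensitive RACFFIELD
 ( 'GROUP-CSDATA-DEPT01' 'char' ) )
ibmattributetypes: ( racflong-OID ACCESS-CLASS sensitive RACFFIELD
 ( 'USER-CSDATA-TOOLONGNAME' 'char' ) )
"""

if __name__ == "__main__":
    for descriptor, status in check_racffields(SAMPLE_LDIF):
        print(f"{status:14} {descriptor}")
```

Descriptors marked `needs-OA62693` are the ones to hold back until the PTF for the server's release is installed.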
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA62693

  • Reported component name

    SECURITY SERVR

  • Reported component ID

    565506803

  • Reported release

    430

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-01-13

  • Closed date

    2022-02-11

  • Last modified date

    2024-11-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ07752 UJ07753 OA67252

Modules/Macros

  • GLDSRV31 GLDSRV64 GLDUTS31 GLDUTS64
    

Publications Referenced
SC236788XX    

Fix information

  • Fixed component name

    SECURITY SERVR

  • Fixed component ID

    565506803

Applicable component levels

  • R430 PSY UJ07753

       UP22/02/17 P F202

  • R440 PSY UJ07752

       UP22/02/17 P F202

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
20 November 2024