One minute MVS. Getting started with LDAP on ADCD.

LDAP is a standard protocol for accessing directory information over TCP/IP. For example the command

ldapsearch -h -D “cn=Admin, o=Your Company” -w secret -b “o=Your Company” “(objectclass=*)” aclEntry

This sends a request to IP address with userid cn=… and password “secret”, for information under the subtree of “o=Your Company” and requests is sends back information on any ACL entries.

z/OS implementation

LDAP on z/OS is also know as Tivoli Directory Server.

It can run with different backend databased from DB2 to a files in a USS directory. It can interface to RACF so you can use query userid and group information from RACF through LDAP.


You need to configure a schema of what fields there are, and the relationship. For example, for an organisation telephone directory you might have

dn: cn=LDAP Administrator, o=Your Company
objectclass: organizationalPerson
cn: LDAP Administrator
sn: Administrator
userPassword: ********


  • dn: cn=LDAP Administrator, o=Your Company This is the internal name of the object, and what part of the data tree it belongs to “o=Your Company
  • objectclass: organizationalPerson defines the object type
  • cn: LDAP Administrator This is the common name ( nick name) of the object
  • sn: Administrator This is the surname of the person
  • userPassword: ******** This is the user’s password. It has been defined that the value is not displayed
  • phoneNumber:1234567 This has been defined so that is can only take numbers and ‘-‘.

You can define your own attributes and properties. You just need to update the schema.

Which database is used?

A sample LDAP configuration might contain

suffix “o=Your Company”
databaseDirectory /var/ldap/ldbm

  • database LDBM says there is a database in a USS directory
  • GLDBLD31/GLDBLD64 are the names of the interface routines to use.
  • suffix “o=Your Company” is the root of the subtree in this database
  • databaseDirectory /var/ldap/ldbm is the name of the USS directory

You can configure LDAP to say for these names(o=someoneElsesCompany) go to another LDAP with at this address.

If I use a query like ldapsearch -h -D “cn=LDAP Administrator, o=Your Company” -w secret -b “o=Your Company” “(objectclass=*)” aclEntry…. the -D cn=LDAP Administrator, o=Your Company” says look for a userid with the given data in the o=Your Company subtree. With the above definitions it would look in the the USS file system under /var/ldap/ldbm, for a userid cn=LDAP Administrator, o=Your Company.

Configuring an LDAP server on ADCD.

ADCD is a preconfigured system which can on on zPDT and ZD&T. These provide a system 390 emulator. This system comes with a lot of software installed, and some subsystems such as z/OS, MQ, DB2, IMS, CICS and z/OSMF pre configured.

The software for LDAP(Tivoli Directory Server) is installed but not configured. The documentation is extensive, and the configuration file is very large (with lots of comments). You run a configuration script which produces some files.

However for a simple configuration you only need a few files to run.

Some of these files do not work – for example they try to define a userid with an existing Unix uid.

I’ve taken the updated files and put them on git hub.

The TDS documentation is here.

If you get into a mess you can just delete the /var/ldap/ldbm directory and start again!

One thought on “One minute MVS. Getting started with LDAP on ADCD.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s