LDAP is a standard protocol for accessing directory information over TCP/IP. For example, the command
ldapsearch -h 127.0.0.1 -D "cn=Admin, o=Your Company" -w secret -b "o=Your Company" "(objectclass=*)" aclEntry
sends a request to IP address 127.0.0.1, binding with userid cn=… and password "secret", asks for information under the subtree "o=Your Company", and requests that the server send back the aclEntry (ACL) attribute of any entries it finds.
LDAP on z/OS is also known as Tivoli Directory Server (TDS).
It can run with different backend databases, from DB2 to files in a USS directory. It can also interface to RACF, so you can query userid and group information from RACF through LDAP.
You need to configure a schema describing which attributes exist and how they relate to each other. For example, for an organisation telephone directory you might have an entry such as
dn: cn=LDAP Administrator, o=Your Company
objectclass: organizationalPerson
cn: LDAP Administrator
sn: Administrator
userPassword: ********
phoneNumber: 1234567
- dn: cn=LDAP Administrator, o=Your Company is the internal (distinguished) name of the object, and says which part of the data tree it belongs to: "o=Your Company".
- objectclass: organizationalPerson defines the object type.
- cn: LDAP Administrator is the common name (nickname) of the object.
- sn: Administrator is the surname of the person.
- userPassword: ******** is the user's password. The schema has been defined so that the value is not displayed.
- phoneNumber: 1234567 has been defined so that it can only contain digits and '-'.
You can define your own attributes and properties. You just need to update the schema.
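The following is an added example, not code from the original post or from Tivoli Directory Server. It parses an LDIF entry like the one above into attributes, applies two hypothetical schema rules of the kind the text describes (userPassword is never displayed, phoneNumber may only contain digits and '-'), and renders the entry the way a client would see it. The sample entry is constructed here; the rule tables are assumptions standing in for what the real schema would enforce.

```python
import re
from typing import Dict, List

# Constructed sample entry, modelled on the telephone-directory entry in the text.
SAMPLE_LDIF = """dn: cn=LDAP Administrator, o=Your Company
objectclass: organizationalPerson
cn: LDAP Administrator
sn: Administrator
userPassword: secret
phoneNumber: 1234567
"""

# Hypothetical schema rules (assumption): attribute names compared case-insensitively,
# as LDAP attribute types are.
HIDDEN_ATTRIBUTES = {"userpassword"}       # value never shown to clients
NUMERIC_ATTRIBUTES = {"phonenumber"}       # value restricted to digits and '-'
PHONE_RE = re.compile(r"^[0-9-]+$")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name: [values]} (name case preserved).

    A line beginning with a single space continues the previous value, as LDIF allows.
    """
    entry: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_attr is not None:
            entry[last_attr][-1] += raw[1:]          # continuation line
            continue
        if ":" not in raw:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        attr, value = raw.split(":", 1)
        attr = attr.strip()
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if "dn" not in entry:
        raise ValueError("entry has no dn")
    return entry


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return a list of schema violations (empty list means the entry is acceptable)."""
    problems = []
    for attr, values in entry.items():
        if attr.lower() in NUMERIC_ATTRIBUTES:
            for v in values:
                if not PHONE_RE.match(v):
                    problems.append(f"{attr}: {v!r} may only contain digits and '-'")
    return problems


def render_entry(entry: Dict[str, List[str]]) -> str:
    """Render the entry as a client would see it: hidden attributes are masked."""
    lines = []
    for attr, values in entry.items():
        for v in values:
            shown = "********" if attr.lower() in HIDDEN_ATTRIBUTES else v
            lines.append(f"{attr}: {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print(render_entry(e))
    print("violations:", validate_entry(e))
```

The same functions reject an entry whose phoneNumber contains letters, and never leak the password value into the rendered output even though it is present in the parsed entry.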
Which database is used?
A sample LDAP configuration might contain
database LDBM GLDBLD31/GLDBLD64
suffix "o=Your Company"
databaseDirectory /var/ldap/ldbm
- database LDBM says there is a database held in a USS directory.
- GLDBLD31/GLDBLD64 are the names of the interface routines to use.
- suffix "o=Your Company" is the root of the subtree held in this database.
- databaseDirectory /var/ldap/ldbm is the name of the USS directory.
You can also configure LDAP so that requests for names under another suffix (for example o=someoneElsesCompany) are referred to another LDAP server at a given address.
If I use a query like ldapsearch -h 127.0.0.1 -D "cn=LDAP Administrator, o=Your Company" -w secret -b "o=Your Company" "(objectclass=*)" aclEntry, the -D "cn=LDAP Administrator, o=Your Company" says look for a userid with the given name in the o=Your Company subtree. With the above definitions it would look in the USS file system under /var/ldap/ldbm for the entry cn=LDAP Administrator, o=Your Company.
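The following is an added example, not code from the original post or from Tivoli Directory Server. It shows how the suffix in the configuration decides where a bind DN such as the -D value above is looked up: a DN belongs to a backend when its trailing RDNs match that backend's suffix, and the longest matching suffix wins. The configuration parser understands only the three keywords from the sample above plus a hypothetical `referral <url>` stanza (an assumption, used here to model the "other company's subtree lives on another server" case; it is not the real z/OS configuration syntax). DN parsing is deliberately simple and does not handle escaped commas.

```python
from typing import Dict, List, Optional

# Constructed configuration: the sample lines from the text plus a hypothetical
# referral stanza for another organisation's subtree.
SAMPLE_CONFIG = """
# local backend held in a USS directory
database LDBM GLDBLD31/GLDBLD64
suffix "o=Your Company"
databaseDirectory /var/ldap/ldbm

# hypothetical stanza (assumption): this suffix lives on a different server
referral ldap://other-ldap.example.invalid:389
suffix "o=someoneElsesCompany"
"""


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs with surrounding spaces removed.
    Assumption: no escaped commas inside RDN values."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def parse_config(text: str) -> List[Dict]:
    """Parse the tiny configuration dialect into a list of backend descriptions."""
    backends: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "database":
            parts = rest.split()
            current = {"kind": "local", "type": parts[0],
                       "routines": parts[1] if len(parts) > 1 else None,
                       "suffixes": [], "directory": None}
            backends.append(current)
        elif key == "referral":                       # hypothetical keyword
            current = {"kind": "referral", "url": rest, "suffixes": []}
            backends.append(current)
        elif key == "suffix":
            if current is None:
                raise ValueError("suffix before any database/referral stanza")
            current["suffixes"].append(rest.strip('"'))
        elif key == "databasedirectory":
            if current is None or current["kind"] != "local":
                raise ValueError("databaseDirectory outside a database stanza")
            current["directory"] = rest
        else:
            raise ValueError(f"unknown configuration keyword: {key}")
    return backends


def route_dn(backends: List[Dict], dn: str) -> Optional[Dict]:
    """Return the backend whose suffix is the longest match for dn, or None."""
    target = normalize_dn(dn)
    best, best_len = None, 0
    for backend in backends:
        for suffix in backend["suffixes"]:
            ns = normalize_dn(suffix)
            if len(ns) <= len(target) and target[-len(ns):] == ns and len(ns) > best_len:
                best, best_len = backend, len(ns)
    return best


def describe_lookup(backends: List[Dict], bind_dn: str) -> str:
    """Explain, in words, where the server would look for the given -D bind DN."""
    backend = route_dn(backends, bind_dn)
    if backend is None:
        return f"no suffix matches {bind_dn!r}: the server cannot find this entry"
    if backend["kind"] == "local":
        return f"look in USS directory {backend['directory']} for {bind_dn!r}"
    return f"refer the client to {backend['url']} for {bind_dn!r}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(describe_lookup(cfg, "cn=LDAP Administrator, o=Your Company"))
    print(describe_lookup(cfg, "cn=someone, o=someoneElsesCompany"))
    print(describe_lookup(cfg, "cn=nobody, o=Unknown"))
```

Note that the match is on whole RDN components, so "o=Your Company Ltd" is not treated as belonging to the "o=Your Company" suffix, and a DN that matches no suffix at all is reported rather than silently sent to the first backend.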
Configuring an LDAP server on ADCD.
ADCD is a preconfigured system which can run on zPDT and ZD&T; these provide a System/390 emulator. The system comes with a lot of software installed, and some subsystems such as z/OS, MQ, DB2, IMS, CICS and z/OSMF preconfigured.
The software for LDAP (Tivoli Directory Server) is installed but not configured. The documentation is extensive, and the configuration file is very large (with lots of comments). You run a configuration script which produces some files.
However for a simple configuration you only need a few files to run.
Some of these files do not work – for example they try to define a userid with an existing Unix uid.
I've taken the updated files and put them on GitHub.
The TDS documentation is here.
If you get into a mess you can just delete the /var/ldap/ldbm directory and start again!