Having set up an LDAP server, you need to add information to the directory. This is not very well described in the TDS documentation.
Basic overview of data
To add information about a user, create a file in USS, for example colin.ldif, containing
dn: cn=colin, o=Your Company
objectclass: top
objectclass: person
objectclass: organizationalPerson
# the value used in the dn (cn=colin) must also be one of the entry's cn values
cn: colin
cn: LDAP Administrator
sn: Administrator
Where
- the "key" that identifies an entry is the dn (distinguished name). The attribute value used in the dn (here cn=colin) must also be present as a value of that attribute in the entry; cn can have more than one value, so cn: colin and cn: LDAP Administrator can both be present
- objectclass is the sort of object, and determines which attributes the entry may (and must) have. An entry can have many object classes
- cn: and sn: are attribute values
- a blank line follows each entry to mark the end of its definition. You can have many entries in one file, to allow you to do a bulk update
How do I display the contents?
You need to issue a query. This comes in two parts: identifying the requestor, and the request itself.
To identify the requestor (the DN to bind as, and its password) you need something like
ldapsearch -h 127.0.0.1 -D "cn=ibmuser, o=Your Company" -w ? …
The -w ? makes ldapsearch prompt for the password, so it does not appear on the command line or in the shell history.
The query gives the base entry to search from (-b) and a search filter. For example, to list all the information about cn=ibmuser, o=Your Company, add the following to the ldapsearch command above
-b "cn=ibmuser, o=Your Company" "(objectclass=*)"
This gives
cn=ibmuser, o=Your Company
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=ibm-nativeAuthentication
cn=ibmuser
sn=Administrator
ibm-nativeid=IBMUSER
For all information under o=Your Company
-b "o=Your Company" "(objectclass=*)"
For only the sn attribute of every entry, add the attribute name after the filter
-b "o=Your Company" "(objectclass=*)" sn
This gives
o=Your Company

cn=colinw, o=Your Company
sn=Administrator

cn=colin, o=Your Company
sn=Administrator

cn=LDAP Administrator, o=Your Company
sn=Administrator

cn=ibmuser, o=Your Company
sn=Administrator
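The ldapsearch output above is easy to read by eye, but when you want to audit a directory (for example, which entries can log in with a RACF password, and whether several entries map to the same RACF user ID) it is worth parsing it. The following is an added example, not code from the original post: it reads the attr=value format that z/OS ldapsearch prints, one entry per blank-line-separated block, and reports the native-authentication mappings. The sample output, the entry names and the RACF IDs in it are constructed for illustration.

```python
"""Parse z/OS (TDS) ldapsearch output and report RACF native-authentication
mappings.  Added example, not from the original post; SAMPLE_OUTPUT is
constructed to look like the post's ldapsearch output and its values are
made up."""
from collections import defaultdict

# Constructed sample of what
#   ldapsearch -h ... -D ... -w ? -b "o=Your Company" "(objectclass=*)"
# prints: the first line of each block is the DN, the rest are attr=value.
SAMPLE_OUTPUT = """\
o=Your Company
objectclass=top
objectclass=organization
o=Your Company

cn=ibmuser, o=Your Company
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=ibm-nativeAuthentication
cn=ibmuser
sn=Administrator
ibm-nativeid=IBMUSER

cn=colin, o=Your Company
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=ibm-nativeAuthentication
cn=colin
cn=LDAP Administrator
sn=Administrator
ibm-nativeid=IBMUSER

cn=guest, o=Your Company
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=ibm-nativeAuthentication
cn=guest
sn=Guest
"""


def parse_ldapsearch(text):
    """Return a list of (dn, attrs); attrs maps a lower-cased attribute
    name to the list of its values, in the order printed."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        dn, attrs = lines[0].strip(), defaultdict(list)
        for line in lines[1:]:
            # Split on the first '=' only, so DN-valued attributes
            # (which themselves contain '=') are kept intact.
            name, _, value = line.partition("=")
            attrs[name.strip().lower()].append(value.strip())
        entries.append((dn, dict(attrs)))
    return entries


def native_auth_map(entries):
    """Map each entry that can bind with a RACF password to its RACF ID.

    Native authentication needs BOTH the ibm-nativeAuthentication object
    class and an ibm-nativeId value; an entry with only one of the two is
    a half-finished definition and is returned separately."""
    mapping, incomplete = {}, []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        ids = attrs.get("ibm-nativeid", [])
        has_class = "ibm-nativeauthentication" in classes
        if has_class and ids:
            mapping[dn] = ids[0].upper()
        elif has_class or ids:
            incomplete.append(dn)
    return mapping, incomplete


def shared_racf_ids(mapping):
    """RACF IDs reachable through more than one DN: one RACF password then
    authenticates all of those directory identities."""
    by_id = defaultdict(list)
    for dn, racf_id in mapping.items():
        by_id[racf_id].append(dn)
    return {rid: dns for rid, dns in by_id.items() if len(dns) > 1}


if __name__ == "__main__":
    entries = parse_ldapsearch(SAMPLE_OUTPUT)
    mapping, incomplete = native_auth_map(entries)
    for dn, rid in mapping.items():
        print(f"{dn} -> RACF {rid}")
    for rid, dns in shared_racf_ids(mapping).items():
        print(f"WARNING: RACF id {rid} is mapped from {len(dns)} entries: {dns}")
    for dn in incomplete:
        print(f"WARNING: {dn} has an incomplete native-authentication definition")
```

To run it against a real directory, capture the ldapsearch output to a file and pass its contents to parse_ldapsearch instead of SAMPLE_OUTPUT.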
What authority do I need?
Typically you need to bind as an LDAP administrator, or as a user that has been granted the appropriate permissions in the Access Control Lists (ACLs) of the entries involved. See here for managing ACLs.
How do I add information?
If I want the cn=colin entry to be usable as a login that is authenticated by RACF (as cn=ibmuser above is), I need to add the attribute
ibm-nativeId: COLIN
This attribute is defined in the object class
objectclass: ibm-nativeAuthentication
So to be able to specify the ibm-nativeId: attribute, you need to specify that object class in the entry as well; otherwise the server rejects the attribute as not allowed by the entry's object classes.
My definition is now
dn: cn=colin, o=Your Company
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: ibm-nativeAuthentication
# the value used in the dn (cn=colin) must also be one of the entry's cn values
cn: colin
cn: LDAP Administrator
sn: Administrator
ibm-nativeId: COLIN
Add it to the directory
You can add this to the directory using
ldapmodify -a -h … -p … -D "…" -w … -f colin.ldif
Where
- -a says add new entries (without it, a record with no changetype: line is treated as a modify of an existing entry)
- -f colin.ldif is the name of the file with the statements in it.
Modifying an entry
If you want to modify an existing entry, you can change the whole entry, or parts of it.
To add an entry
dn: cn=colin, o=Your Company
changetype: add
objectclass: top
…
To delete a whole entry (nothing follows the changetype line)
dn: cn=colin, o=Your Company
changetype: delete
To add an attribute to an entry
dn: cn=colin, o=Your Company
changetype: modify
add: attrccp
attrccp: value1
attrccp: value2…
This adds two attrccp values to the definition
To replace the value of an existing attribute, the operation is replace: (there is no modify: operation in LDIF)
dn: cn=colin, o=Your Company
changetype: modify
replace: ibm-nativeId
ibm-nativeId: PAICE
This replaces all existing ibm-nativeId values with the single value PAICE.
To delete an attribute, the changetype is still modify; changetype: delete would delete the whole entry
dn: cn=colin, o=Your Company
changetype: modify
delete: ibm-nativeId
This deletes all ibm-nativeId values from the entry.
If you want to delete a specific value, specify it after the delete: line
dn: cn=colin, o=Your Company
changetype: modify
delete: attrccp
attrccp: value2
Several changes to the same entry can go in one record, separated by a line containing only "-".
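Mistakes in an LDIF file (a changetype: delete followed by attribute lines, an operation name that does not exist, an entry whose dn value is missing from its attributes) only show up when ldapmodify fails part way through a bulk update. The following is an added example, not code from the original post: a small checker for the rules described in the sections above (dn first, blank line between records, changetype add/modify/delete, modify operations add/replace/delete separated by "-", RDN value present in an added entry). The sample records are constructed; attrccp is the placeholder attribute name used above.

```python
"""Check LDIF change records before handing them to ldapmodify.
Added example, not from the original post; SAMPLE_LDIF is constructed."""

CHANGETYPES = {"add", "modify", "delete"}
MODIFY_OPS = {"add", "replace", "delete"}

# Constructed sample: two good records followed by three broken ones.
SAMPLE_LDIF = """\
# Good: full add record; the RDN value cn=colin is among the cn values
dn: cn=colin, o=Your Company
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: ibm-nativeAuthentication
cn: colin
cn: LDAP Administrator
sn: Administrator
ibm-nativeId: COLIN

# Good: replace the RACF id and add two attrccp values in one record
dn: cn=colin, o=Your Company
changetype: modify
replace: ibm-nativeId
ibm-nativeId: PAICE
-
add: attrccp
attrccp: value1
attrccp: value2

# Bad: 'modify:' is not an LDIF operation (should be replace:)
dn: cn=colin, o=Your Company
changetype: modify
modify: ibm-nativeId
ibm-nativeId: PAICE

# Bad: changetype delete removes the entry; attribute lines make no sense
dn: cn=colin, o=Your Company
changetype: delete
delete: ibm-nativeId

# Bad: the dn says cn=ibmuser but the entry has no cn value ibmuser
dn: cn=ibmuser, o=Your Company
objectclass: top
objectclass: person
cn: LDAP Administrator
sn: Administrator
"""


def parse_records(text):
    """Split LDIF text into records, each a list of (name, value) pairs.
    '#' lines are comments; a blank line ends a record; '-' separates
    the operations of one modify record."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line.strip() == "-":
            current.append(("-", ""))
        else:
            name, sep, value = line.partition(":")
            # keep malformed lines so the checker can report them
            current.append((name.strip().lower(), value.strip()) if sep else ("?", line))
    return records


def rdn_attribute(dn):
    """('cn', 'colin') for 'cn=colin, o=Your Company'."""
    name, _, value = dn.split(",", 1)[0].partition("=")
    return name.strip().lower(), value.strip()


def check_record(record):
    """Return the list of problems found in one record (empty if none)."""
    if not record or record[0][0] != "dn":
        return ["record does not start with dn:"]
    dn, body, problems = record[0][1], record[1:], []
    if any(name == "?" for name, _ in body):
        problems.append(f"{dn}: line is not of the form 'attribute: value'")
    changetype = "add"           # a record with no changetype is an add (ldapmodify -a)
    if body and body[0][0] == "changetype":
        changetype, body = body[0][1].lower(), body[1:]
    if changetype not in CHANGETYPES:
        return problems + [f"{dn}: unknown changetype '{changetype}'"]
    if changetype == "delete":
        if body:
            problems.append(f"{dn}: changetype delete removes the whole entry; "
                            "to delete an attribute use changetype modify with delete:")
    elif changetype == "add":
        attrs = {}
        for name, value in body:
            attrs.setdefault(name, []).append(value)
        if "objectclass" not in attrs:
            problems.append(f"{dn}: add record has no objectclass")
        rname, rvalue = rdn_attribute(dn)
        if rvalue not in attrs.get(rname, []):
            problems.append(f"{dn}: RDN value '{rname}={rvalue}' is not among the "
                            f"entry's {rname} values")
    else:                        # modify: "op: attr" groups separated by "-"
        groups, group = [], []
        for item in body + [("-", "")]:
            if item == ("-", ""):
                groups.append(group)
                group = []
            else:
                group.append(item)
        for group in (g for g in groups if g):
            op, attr = group[0]
            if op not in MODIFY_OPS:
                problems.append(f"{dn}: '{op}:' is not a modify operation "
                                f"(use one of {sorted(MODIFY_OPS)})")
                continue
            wrong = [n for n, _ in group[1:] if n != attr.lower()]
            if wrong:
                problems.append(f"{dn}: values under '{op}: {attr}' name other attributes {wrong}")
            if op == "add" and len(group) == 1:
                problems.append(f"{dn}: 'add: {attr}' supplies no value")
    return problems


def check_ldif(text):
    """All problems in an LDIF file, in record order."""
    return [p for rec in parse_records(text) for p in check_record(rec)]


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print(problem)
```

Run it over the file you are about to pass to ldapmodify -f; anything it prints would have been rejected by the server, and with a bulk update the records before the bad one may already have been applied.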
One thought on “One minute MVS: LDAP defining resources”