I stumbled across this useful way of defining userids to LDAP.
In your LDAP configuration file, define the SDBM database:
database sdbm GLDBSD31/GLDBSD64
suffix o=myracf
This says that for all Distinguished Names (DNs) ending in o=myracf, LDAP goes to the RACF (SAF) database.
If my DN is RACFID=COLIN,PROFILETYPE=user,o=myracf it will use this. I do not need to set up a special DN in LDAP.
I used
ldapsearch -h 127.0.0.1 -D "RACFID=colin,PROFILETYPE=user,o=myracf" -w ? -b "o=myracf" "(objectClass=*)"
to list all the userids and groups in RACF.
For those IDs which map to a SAF userid, for example
- defined in LDAP with the attribute ibm-nativeId:
- using a SAF userid directly, RACFID=COLIN,PROFILETYPE=user,o=myracf
- via a certificate and RACDCERT MAP
that userid is used to issue the command. For example, userid COLIN is a member of group SYS1, and can display information from commands like TSO LU ANOTHER.
Another ID with no special authority returned no data from the ldapsearch command above.
The SDBM backend is a virtual directory and is mostly read-only, so update operations are usually not allowed. RACF configuration is used to restrict a user's authority to SDBM; LDAP ACLs are not used.
SDBM only supports RACF user IDs or user IDs with RACF mappings, so a user must map to a SAF user to be able to query the RACF data in the SDBM database.
Possible queries
This list gives some LDAP queries (the -b base and filter arguments to ldapsearch).
- -b "o=myracf" "(objectclass=*)" list all users, groups etc.
- -b "profiletype=User,o=myracf" "(objectclass=*)" list all users
- -b "profiletype=Group,o=myracf" "(objectclass=*)" list all groups
- -b "profiletype=Connect,o=myracf" "(objectclass=*)" list all user and group connections
- -b "racfid=colin,profiletype=user,o=myracf" "(objectclass=*)" list everything about racfid COLIN
- -b "cn=setropts,o=myracf" "(objectclass=*)" did not work for me
- -b "profiletype=facility,o=myracf" "(objectclass=*)" did not work for me
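Since the point of these queries is to see what RACF holds, the output is only useful once you parse it. The following added example (mine, not part of the original post or of the z/OS LDAP product) parses the LDIF that ldapsearch prints for the profiletype=User query and reports which users are connected to a sensitive group such as SYS1 or carry the SPECIAL attribute. The sample LDIF is constructed, and the attribute names racfconnectgroupname and racfattributes are assumed SDBM attribute names.

```python
import base64
from collections import defaultdict

# Constructed sample of ldapsearch output for
#   -b "profiletype=User,o=myracf" "(objectclass=*)"
# Attribute names racfconnectgroupname / racfattributes are assumed.
SAMPLE_LDIF = """\
dn: racfid=COLIN,profiletype=User,o=myracf
objectclass: racfUser
racfid: COLIN
racfconnectgroupname: SYS1
racfconnectgroupname: MQADMIN
racfattributes: SPECIAL

dn: racfid=BOB,profiletype=User,o=myracf
objectclass: racfUser
racfid: BOB
racfconnectgroupname: USERS
racfattributes:: Tk9ORQ==
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts; handles '::' base64
    values and folded continuation lines (leading space)."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw == "":                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:    # continuation of previous value
            current[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        last = name.lower()
        current.setdefault(last, []).append(value)
    if current:
        entries.append(current)
    return entries

def group_members(entries):
    """Map group name -> sorted list of RACF user IDs connected to it."""
    members = defaultdict(list)
    for e in entries:
        for g in e.get("racfconnectgroupname", []):
            members[g].extend(e.get("racfid", []))
    return {g: sorted(u) for g, u in members.items()}

def privileged_users(entries, sensitive_groups=("SYS1",)):
    """User IDs that are SPECIAL or connected to any sensitive group."""
    hits = set()
    for e in entries:
        groups = set(e.get("racfconnectgroupname", []))
        if "SPECIAL" in e.get("racfattributes", []) or groups & set(sensitive_groups):
            hits.update(e.get("racfid", []))
    return sorted(hits)
```

Pipe real ldapsearch output into parse_ldif (for example via sys.stdin.read()) to run the same review against a live SDBM listing.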