LDAP definitions for use on z/OS with an ADCD system

ADCD is a z/OS system which runs on ZDPT which is a system 390 emulator which runs on Intel x86. ADCD provides many program products, and many configured subsystems. For example z/OS, CICS, IMS, DB2, MQ, and z/OSMF. For these you load the disks, IPL and go. LDAP is provided as the Tivoli Directory Server(TDS). The libraries are provided, but not a configured LDAP system.

Configuring LDAP is pretty easy, the hardest part is the configuration files which look very long, but they have many comments. You run a configuration script and this generates a PDS with some definitons, for example to define the started task to RACF, and set up RACF permissions. The files produces are not entirely consistent with ADCD, for example there is a hardcoded userid parameter, which needs to be changed.

As well as files in a PDS you need some files in USS, for example to define userids to LDAP. The files on this Github repository are sufficient to create an LDAP server, and have a database in the USS file system. (You can configure LDAP to use DB2).

I used the ADCD default started task userid of STARTED. The TDS documentation suggests using GLDSRV.

PDS files

You need to load some files into a PDS (LRECL 80)

• DSCONFIG This is configuration file for small, working LDAP system. It has a definition for an LDAP data base in the USS file system in directory /var/ldap/ldbm.
• DSENVVAR This is the environment file needed by the LDAP server.
• DSORIG This is the original CONFIG file generated by the configuration script. To see the useful content, delete all line with '#' in them, and delete all the line with ' ' in columns 1 4.
• GLDSRV This needs to be copied to the USER.*.PROCLIB. It refers to the DSCONFIG and DSENVVAR files in the PDS.
• RACF This is the modified RACF definitions
  • RDEFINE APPL GLDSERV UACC(READ) All RACF userids that you want to use to connect to LDAP, need READ access to to this profile. You could make it UACC(NONE) and PERMIT individual userids.
  • ADDGROUP GLDGRP it defines a group - needed by the userid.
  • ADDUSER GLDSRV and a userid. This is the userid the started task could run under. I let it use the default STARTED userid.
  • It gives the GLDSRV userid access to various system profiles
  • It defines some LDAP profiles.
  • It has definitions (which are not executed) to define the GLDSRV as a started task. This is not required on ADCD, as the default started task runs OK with default userid STARTED. There is no to create it.

USS files

Some sample files to get you started

• 1.ldif This defines the root o=Your Company for userids
• 2.ldif This defines a userid cn=ibmuser, o=Your Company which maps to RACF userid IBMUSER. When you logon with this it checks the userid and password with RACF. This is more secure than having the password in clear text in the configuration file. It also defines an Access Control List(ACL).

How to configure LDAP

1. Create a PDS for the data. I use GLD.CNFOUT to be consistent with ADCD, and it is the name that TDS uses.

2. Upload the PDS files to the PDS.

3. Create a directory like /u/ldap.

4. Upload the uss files to this directory.

5. Run the RACF job in the PDS. Make sure all of the commands run successfully.

6. Edit the GLDSRV job and change references to GLD.CNFOUT to your PDS. (//CONFIG and //ENVVAR)

7. Copy the GLDSRV job to USER.*.PROCLIB as GLDSERV

8. If you are using the GLDSRV procedure which uses started task userid of GLDSRV

   • from an authorised userid in uss chown -R gldsrv:gldgrp /var/ldap/* as LDAP expects to own these files.

9. Start it using SDSF /S GLDSERV

10. Check the output for any errors.

11. Go to USS, and cd into the /u/ldap directory.

12. You need to define the schema (the structure of the database). Issue the commands

    1. ldapmodify -h 127.0.0.1 -p 389 -D "cn=Admin" -w secret -f /usr/lpp/ldap/etc/schema.user.ldif this uses
       • IP address 127.0.0.0 port 389. (These are reported in the GLDSERV)
       • -D "cn=Admin" the userid to be used for initial configuration. This is defined in the DSCONFIG file
       • -w password.
       • -f .. this is the file to execute
    2. ldapmodify -h 127.0.0.1 -p 389 -D "cn=Admin" -w secret -f /usr/lpp/ldap/etc/schema.IBM.ldif this define attributes for RACF userids etc
    3. ldapmodify -h 127.0.0.1 -p 389 -D "cn=Admin" -w secret -f 1.ldif this defines a subroot in the directory
    4. ldapmodify -h 127.0.0.1 -p 389 -D "cn=Admin" -w secret -f 2.ldif this defines cn=ibmuser, o=Your Company as a userid mapping to a RACF userid IBMUSER
    5. ldapsearch -h 127.0.0.1 -D "cn=Admin" -w secret -b "o=Your Company" "(objectclass=*)" This displays information about o=Your Company

13. When these have all run successfully

14. Stop LDAP using /P GLDSERV

15. Edit the GLD.CNFOUT(DSCONFIG)

16. Change the top 3 lines to

    • adminDN "cn=ibmuser, o=Your Company"
    • #adminDN "cn=Admin"
    • #adminPW secret

17. This says the admin userid is no longer cn=Admin with password secret, but it is now "cn=ibmuser, o=Your Company" and your RACF password. You can always change it back.

18. Restart the server /S GLDSERV

19. Check the job output

20. Go to uss and issue

    1. ldapsearch -h 127.0.0.1 -D "cn=ibmuser, o=Your Company" -w ? -b "o=Your Company" "(objectclass=*)" where you are now using the updated LDAP userid, and the -w ? will now prompt for your password.

If all this works, you have configured your LDAP, and loaded some data into it.