IBM Tivoli Directory Server installation - IBM zSeries
This chapter provides detailed instructions for installing the IBM Tivoli Directory Server that is packaged with the IBM z/OS operating system. This chapter is based on the IBM z/OS V1R4 operating system. Earlier releases of z/OS may require slight modification of these instructions for proper installation and configuration of the LDAP server.
In this chapter we discuss the following:
Using the ldapcnf utility
Running the MVS™ jobs generated from the ldapcnf utility
Loading the schema
Enabling Native Authentication
Migrating data to LDAP on z/OS
8.1 Installing LDAP on z/OS
The following sections describe the steps needed to install LDAP on the IBM z/OS operating system.
8.1.1 Using the ldapcnf utility
LDAP on z/OS offers a configuration utility called ldapcnf to assist in the installation and customization of an LDAP server. To complete the installation process, follow the instructions below.
1. Copy the ldap.profile HFS file from /usr/lpp/ldap/etc to a working directory such as /etc/ldap.
2. Customize the ldap.profile file to reflect your system and the configuration variables by following the detailed descriptions of each attribute in the profile.
Note that some attributes in the ldap.profile file are required, but not given a default value. Make sure you read through the entire file, completing all required variables.
3. Run ldapcnf from the command line in OMVS. This utility will generate a set of jobs in the MVS dataset that was defined in ldap.profile.
4. Copy the LDAP server started task procedure from the output dataset into the system proclib. The default name for this started task is LDAPSRV.
5. Copy the file named PROGxxx to the system parmlib.
8.1.2 Running the MVS jobs
To do this:
1. Run each job in the following sequence, remembering to check all of the output for successful return codes.
a. RACF
b. APF
c. DBCLI - Make sure DB2 is started before submitting this job.
d. PGRMCTRL (if required)
2. Use the DB2 SPUFI tool to submit the DBSPUFI job.
3. Start the LDAP server using the LDAPSRV started task. From SDSF you can start the server by entering /s LDAPSRV.
4. When you see the message slapd is ready for requests, your LDAP server has started successfully.
8.1.3 Loading the schema
The next steps will assist you in building the LDAP schema and loading the directory with your suffix and a test user.
1. Copy the following files to your /etc/ldap directory:
/usr/lpp/ldap/etc/schema.user.ldif
/usr/lpp/ldap/etc/schema.IBM.ldif
2. Edit these files (schema.user.ldif and schema.IBM.ldif) by changing the line cn=schema,<suffix> to reflect the suffix that is defined in your configuration file.
3. Use the ldapmodify command to load the schema files into the directory.
ldapmodify -h x.x.x.x -p 3389 -D "cn=LDAP Administrator" -w secret -f /etc/ldap/schema.user.ldif
ldapmodify -h x.x.x.x -p 3389 -D "cn=LDAP Administrator" -w secret -f /etc/ldap/schema.IBM.ldif
4. Create an LDIF file containing the suffix entry for the directory. This may contain test users as well. The file may look like the following:
dn: o=itso
objectclass: organization
objectclass:top
o: itso
 
dn: cn=test1,o=itso
objectclass: top
objectclass: ePerson
cn: test1
sn: user
5. Use ldapadd to add the entries from the suffix file to the directory.
ldapadd -h x.x.x.x -p 3389 -D "cn=LDAP Administrator" -w secret -f suffix.ldif
6. Execute the following ldapsearch command as an installation verification procedure (IVP), ensuring that LDAP is set up correctly. The empty base DN ("") returns the root DSE:
ldapsearch -h x.x.x.x -p 3389 -V 3 -s base -b "" "objectclass=*"
8.1.4 Enabling Native Authentication
To let LDAP store entries in the TDBM backend while authenticating binds against RACF, native authentication must be configured.
1. Copy the following files to your /etc/ldap directory:
/usr/lpp/ldap/etc/NativeAuthentication.ldif
2. Edit this file by changing the line cn=schema,<suffix> to reflect the suffix that is defined in your configuration file.
3. Use the ldapmodify command to load the file into the directory.
ldapmodify -h x.x.x.x -p 3389 -D "cn=LDAP Administrator" -w secret -f /etc/ldap/NativeAuthentication.ldif
4. Modify the LDAP configuration file to include the following in the TDBM section:
useNativeAuth SELECTED
nativeAuthSubtree o=itso
nativeUpdateAllowed YES
5. Modify existing users, adding the native authentication objectclass and the ibm-nativeId attribute, using the ldapmodify command:
ldapmodify -h x.x.x.x -p 3389 -D "cn=LDAP Administrator" -w secret -f /etc/ldap/nativeupdate.ldif
nativeupdate.ldif should look like this:
dn: cn=test1,o=itso
changetype: modify
add: objectclass
objectclass: ibm-nativeAuthentication
-
add: ibm-nativeId
ibm-nativeId: test1
-
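The change record above covers one user. The following Python script is an added example, not the Redbook's own material: it generates the same nativeupdate.ldif records for a whole list of existing TDBM entries, writing each add as its own mod-spec terminated by the "-" line that LDIF requires, and it rejects any DN outside the subtree named by nativeAuthSubtree, because the server only consults RACF for entries under that subtree. It assumes, as the chapter does, that the RACF user ID is the value of the entry's cn.

```python
"""Generate nativeupdate.ldif change records for existing TDBM users.

Added example, not from the IBM Redbook. Assumes the entries already exist
under the subtree given by nativeAuthSubtree (o=itso in the chapter) and that
the RACF user ID equals the entry's cn value.
"""

# Must match the nativeAuthSubtree directive in the TDBM section of the config file
NATIVE_AUTH_SUBTREE = "o=itso"


def normalize_dn(dn):
    """Drop whitespace around the commas so 'cn=test1, o=itso' equals 'cn=test1,o=itso'."""
    return ",".join(part.strip() for part in dn.split(","))


def in_native_subtree(dn, subtree=NATIVE_AUTH_SUBTREE):
    """True when dn is the subtree root itself or lies beneath it (case-insensitive)."""
    d = normalize_dn(dn).lower()
    s = normalize_dn(subtree).lower()
    return d == s or d.endswith("," + s)


def rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'test1' from 'cn=test1,o=itso'."""
    first = normalize_dn(dn).split(",")[0]
    _attr, _sep, value = first.partition("=")
    return value


def native_update_record(dn, native_id=None):
    """One LDIF modify record that enables native authentication for dn.

    Two mod-specs (add objectclass, add ibm-nativeId), each closed by a "-"
    line as RFC 2849 requires; the trailing empty string yields the blank line
    that separates records when several are joined.
    """
    if not in_native_subtree(dn):
        raise ValueError("%s is outside nativeAuthSubtree %s; RACF would never be "
                         "consulted for it" % (dn, NATIVE_AUTH_SUBTREE))
    native_id = native_id or rdn_value(dn)  # assumption: RACF user ID == cn
    return "\n".join([
        "dn: " + normalize_dn(dn),
        "changetype: modify",
        "add: objectclass",
        "objectclass: ibm-nativeAuthentication",
        "-",
        "add: ibm-nativeId",
        "ibm-nativeId: " + native_id,
        "-",
        "",
    ])


def native_update_ldif(dns):
    """Concatenate the records for every DN into the text of nativeupdate.ldif."""
    return "\n".join(native_update_record(dn) for dn in dns)


if __name__ == "__main__":
    # Constructed sample DNs; write the result to /etc/ldap/nativeupdate.ldif in practice
    print(native_update_ldif(["cn=test1, o=itso", "cn=test2,o=itso"]))
```

Feeding the output to the ldapmodify command from step 5 applies all records in one run; a DN typed with the wrong suffix fails before anything is sent to the server rather than silently producing an entry that never authenticates through RACF.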
8.2 Migrating data to LDAP on z/OS
There are instances where it is necessary to move LDAP data from one platform to another, or simply from one directory to another. This happens when replica servers are being created, or when an LDAP server is being moved to z/OS to take advantage of native authentication.
8.2.1 Migrating LDAP server contents to z/OS
Migrating contents from an existing LDAP server to a z/OS LDAP server can be done using the DB2LDIF utility that is packaged with both the z/OS and distributed versions of the IBM Tivoli Directory Server. Examples of using each utility are listed below.
db2ldif on z/OS
DB2LDIF is a member of the GLD.GLDSAMP data set and contains JCL for exporting existing LDIF entries from the DB2 database. Export these entries to a temporary file in the file system. LDAP writes the exported file to SYSPRINT. See Example 8-1 on page 189 for an example of this JCL.
Example 8-1 Example DB2LDIF JCL
//DB2LDIF JOB (????,????),'AHMADS JOB',MSGCLASS=O,CLASS=A,
// NOTIFY=????????,REGION=0M,USER=SYSADM1,PASSWORD=SYSADM1
//DB2LDIF PROC REGSIZE=0M,
// CBCONFIG='/WebSphere390/CB390',
// PARMS='',
// GLDHLQ='SYS1.LDAP',
// OUTCLASS='*',
// LDAPPATH='etc/ldap',
// LAPDCONF='bboslapd.conf',
// SYSPLEX=WSLPLEX,
// SYSNAME=WSL1
//DB2LDIF EXEC PGM=GLDDB2LD,REGION=&REGSIZE,
// PARM=('/&PARMS')
//STEPLIB DD DSN=&GLDHLQ..SGLDLNK,DISP=SHR
//DSNAOINI DD PATH='&CBCONFIG/&SYSPLEX/&LDAPPATH/&SYSNAME..dsnaoini'
//CONFIG DD PATH='&CBCONFIG/&SYSPLEX/&LDAPPATH/&SYSNAME..&LAPDCONF'
//SYSPRINT DD PATH='/u/ahmad/export.ldif'
//CEEDUMP DD SYSOUT=&OUTCLASS
//SYSERR DD SYSOUT=&OUTCLASS
//STDOUT DD SYSOUT=&OUTCLASS
// PEND
//GO EXEC DB2LDIF
The following command will then load the LDIF file created by the db2ldif command into the z/OS directory.
ldapmodify -a -h 127.0.0.1 -p 1389 -D "cn=CBAdmin" -w secret -f /u/ahmad/export.ldif
8.2.2 Moving RACF users to the TDBM space
Moving RACF user IDs to the TDBM side of the LDAP server seems like a simple task. However, there is no utility to allow this functionality. As you search against the SDBM backend and interact with RACF, you will see that if you search for one particular user, you can retrieve that user’s entire record, or filter it to retrieve only one or two attributes. As you try to extract these fields for more than one user in a given search, you will see that RACF only returns the fully qualified DNs that match that search. The specific attributes you requested will not be returned.
As a means to extract the most common RACF attributes and convert each SDBM user into a TDBM user for use with Native Authentication, a Perl script may be written to complete nested searches: first finding all RACF distinguished names that match the search criteria, then searching each DN for specific information such as the RACFID and RACFPROGRAMMERNAME. The script would then extract those attributes and plug them into a user template, printing them out to an LDIF file. The LDIF file can then be used to add all users to the TDBM. A sample program and the implementation instructions can be found in Appendix C, "Moving RACF users to TDBM" on page 715.
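The following Python script is an added example, not the Redbook's Appendix C program. It implements the two-phase extraction the text describes (list the matching SDBM DNs, then fetch each DN's attributes) and fills a TDBM user template that already carries the native authentication objectclass and ibm-nativeId. To run offline, the two ldapsearch calls are replaced by constructed LDIF-style output of the kind ldapsearch -L prints; the SDBM suffix cn=racf, the user IDs and the programmer names are invented placeholders. The ldif_line helper base64-encodes any value that LDIF cannot carry in clear text (leading space, colon or "<", non-ASCII), a detail that bites real RACF programmer-name fields.

```python
"""Convert SDBM (RACF) search results into TDBM user entries with native authentication.

Added example, not the Redbook's sample program. Assumes ldapsearch -L style
(LDIF) output; the cn=racf suffix and all user data below are constructed.
"""
import base64

# Constructed phase-1 output: search against SDBM returning DNs only
DN_SEARCH_OUTPUT = """\
dn: racfid=TEST1,profiletype=USER,cn=racf

dn: racfid=ADMIN2,profiletype=USER,cn=racf
"""

# Constructed phase-2 output, keyed by DN: what a base-scope search of each user returns.
# ADMIN2's programmer name starts with a space, so ldapsearch would print it base64-encoded.
USER_SEARCH_OUTPUT = {
    "racfid=TEST1,profiletype=USER,cn=racf": """\
dn: racfid=TEST1,profiletype=USER,cn=racf
racfid: TEST1
racfprogrammername: TEST USER ONE
""",
    "racfid=ADMIN2,profiletype=USER,cn=racf": """\
dn: racfid=ADMIN2,profiletype=USER,cn=racf
racfid: ADMIN2
racfprogrammername:: IExFQURJTkcgU1BBQ0UgTkFNRQ==
""",
}


def parse_ldif_records(text):
    """Yield one {attribute: [values]} dict per blank-line-separated record.

    Handles "attr: value" and "attr:: base64" lines; attribute names are
    lower-cased. Folded continuation lines are not handled (none occur here).
    """
    record = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        attr, _sep, rest = line.partition(":")
        if rest.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                         # "attr: <value>"
            value = rest[1:] if rest.startswith(" ") else rest
        record.setdefault(attr.strip().lower(), []).append(value)
    if record:
        yield record


def ldif_line(attr, value):
    """Emit attr/value in LDIF, base64-encoding values that are not SAFE-STRINGs (RFC 2849)."""
    unsafe = (value[:1] in (" ", ":", "<")
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def tdbm_entry(user, suffix="o=itso"):
    """Fill the TDBM user template (ePerson plus native authentication) from one SDBM record."""
    racfid = user["racfid"][0]
    cn = racfid.lower()                                # assumption: cn is the lower-cased RACF ID
    sn = user.get("racfprogrammername", ["user"])[0]   # assumption: sn taken from the programmer name
    lines = [
        "dn: cn=%s,%s" % (cn, suffix),
        "objectclass: top",
        "objectclass: ePerson",
        "objectclass: ibm-nativeAuthentication",
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("ibm-nativeId", racfid),
    ]
    return "\n".join(lines) + "\n"


def migrate(dn_output, fetch_user):
    """Two-phase extraction: parse the DN list, then fetch and template each user.

    fetch_user(dn) stands in for the per-DN ldapsearch; here it reads the constructed dict.
    """
    entries = []
    for rec in parse_ldif_records(dn_output):
        for user in parse_ldif_records(fetch_user(rec["dn"][0])):
            entries.append(tdbm_entry(user))
    return "\n".join(entries)


if __name__ == "__main__":
    print(migrate(DN_SEARCH_OUTPUT, USER_SEARCH_OUTPUT.__getitem__))
```

On a live system fetch_user would run the second ldapsearch for each DN and return its text; the resulting file is loaded with ldapadd as in 8.1.3, after which the migrated users bind through RACF because the entries already sit under nativeAuthSubtree and carry ibm-nativeId.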