what is the correct DN to search on RACF from LDAP? 1

[peralesb]

HEllo:

I have LDAP and RACF on Z/OS in Hercules emulator to Linux RedHat.

I managed to raise the LDAP server, and moreover test it with command as like:

#ldapsearch -h localhost -p 3389 -s base -D cn=LDAPADMINISTRATOR -w secret -b "sysplex=sysplex1" "objectclass=*"

#ldapsearch -h localhost -p 3389 -s base -b "cn=schema,cn=LDAPADMINISTRATOR" "objectclass=subschema"


But when I try the next commands:

#ldapsearch -h 127.0.0.1 -D racfid=IBMUSER,profiletype=user,sysplex=sysplex1 -w IBMUSER -b "racfid=IBMUSER,profiletype=user,sysplex=sysplex1" "objectclass=*"


#ldapsearch -h 127.0.0.1 -D cn=LDAPADMINISTRATOR,sysplex=sysplex1 -w secret -s base -b "racfid=IBMUSER,profiletype=user,cn=sysplex=sysplex1" -V3 "objectclass=*"


an both case I obtained the next message:

ldap_bind: insuffcient access
ldap_bind: aditional info: R000137 'cn=...' is not a valid RACF bind. Check that the syntax is correct and that it is a DN for a RACF user.


I understand the error message, but then, what is the correct DN?, in my config file to LDAP I have:

listen ldap://:3389
maxConnections 60
adminDN "cn=LDAPADMINISTRATOR"
adminPW "secret"
database sdbm GLDBSDBM
suffix "sysplex=sysplex1"


NOTE: I omitted the corresponding thing to DB2 and TDBM for that alone use the RACF database.

Thanks for any help.

 

[tsuji]

>'cn=...' is not a valid RACF bind
Try instead?
[tt]-b "racfid=IBMUSER,profiletype=user,sysplex=sysplex1"[/tt]

 

[peralesb]

Hi tsuji:

I sorry, the "..." only is simbolic, but I did several combinations as:

-b "racfid=IBMUSER,profiletype=user,sysplex=sysplex1"
-b "cn=LDAPADMINISTRATOR,profiletype=user,sysplex=sysplex1"

But the problem persist.

Thanks

 

[tsuji]

The detail of the hierachy I don't know---it's implementation dependent. But on the suffix part, cn=sysplex=syplex1 could be outright wrong. A quick check?...

http://mvs-admin.nmsu.edu/Ldapjava/ldapdn.html