

IDMAPDN Keyword—Specify Identity Distinguished Name

Valid on z/OS.

IDMAPDN can be specified as the full Distinguished Name, the Distinguished Name filter (when it is in x.500 format), or an asterisk (*). IDMAPDN is the Distinguished Name and is stored in UTF-8 format. IDMAPDN is a required field and can be up to 246 bytes long in UTF-8 format.

An IDMAPDN may contain any of the following special characters:

  Backslash \
  Comma ,
  Equal sign =
  Greater than >
  Less than <
  Plus sign +
  Double quote "
  Semicolon ;

These special characters must be escaped by a backslash (\), except for an equal sign (=), a comma (,), or a semicolon (;) that is meant to be a delimiter in an x.500 Distinguished Name. Semicolons are changed to and treated as commas. The attribute type is forced to uppercase; the attribute value can be mixed case. For example, if the Distinguished Name is as shown in Sample A, you must specify it as shown in Sample B:

Sample A

UID=Jane<Smith>Doe,OU=XYZ+Flattener,O=XYZ Company,C=USA

Sample B

UID=Jane\<Smith\>Doe,OU=XYZ\+Flattener,O=XYZ Company,C=USA

When the Distinguished Name is in x.500 format, the RDNs (the sections separated by commas) must be ordered from most specific to least specific.

This keyword has the following format:

TSS ADDTO(acid) IDMAP(recid) IDMAPDN('distributed-identify-username-filter') IDMAPRN('DISTRIBUTED-IDENTIFY-REGIStryname') [IDLABEL('32-byte label')]

This keyword is used with:


More Information:

IDMAPDN, IDLABEL, and IDMAPRN Usage Rules

Activating IDMAP Profile Records

Using Filters for the Distinguished Name and Registry Name

Example: IDMAPDN keyword

The following command replaces the distinguished name:

TSS REP(JDoe) IDMAP(JDoeIDM1) IDMAPDN('JDoe NEW Distinguished name') 

Using Filters for the Distinguished Name and Registry Name

IDMAPDN can be specified as the full Distinguished Name, the Distinguished Name filter (when it is in x.500 format), or an asterisk (*).

IDMAPRN can be specified as the full Registry Name or an asterisk (*).

An asterisk (*) for the Distinguished Name or for the Registry Name matches any value.

When the Distinguished Name is in x.500 format, it must be specified in order from the most specific Relative Distinguished Name (RDN) to the least specific RDN. An RDN is a section of the Distinguished Name; RDNs are separated by commas.

For example, suppose the x.500 format Distinguished Name is: UID=JohnDoe,OU=User,O=XYZ

UID=JohnDoe is the most specific RDN. O=XYZ is the least specific RDN.

For this example, the search order would be as follows:

  1. UID=JohnDoe,OU=User,O=XYZ + Full Registry Name
  2. UID=JohnDoe,OU=User,O=XYZ + '*'
  3. OU=User,O=XYZ + Full Registry Name
  4. OU=User,O=XYZ + '*'
  5. O=XYZ + Full Registry Name
  6. O=XYZ + '*'
  7. '*' + Full Registry Name
  8. '*' + '*'

When the Distinguished Name is not in the x.500 format, the search order would be as follows:

  1. Full Distinguished Name + Full Registry Name
  2. Full Distinguished Name + '*'
  3. '*' + Full Registry Name
  4. '*' + '*'
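The escaping rules from Samples A and B and the x.500 filter search order above, as an added Python example that is not part of the CA Top Secret documentation; the registry name used in the usage call is a constructed placeholder.

```python
# Added example (not CA documentation code): builds an escaped x.500 IDMAPDN
# string from attribute/value pairs and lists the (IDMAPDN, IDMAPRN) pairs in
# the order TSS searches them, so an administrator can see which mapping
# record a given identity would match first.

# Characters that must be preceded by a backslash inside an attribute value.
SPECIAL = set('\\,=><+";')


def escape_value(value: str) -> str:
    """Escape the special characters of one RDN attribute value."""
    return ''.join('\\' + c if c in SPECIAL else c for c in value)


def build_dn(rdns):
    """rdns: list of (attribute type, value), most specific first.
    Attribute types are forced to uppercase; values keep their case."""
    return ','.join(f'{attr.upper()}={escape_value(val)}' for attr, val in rdns)


def split_rdns(dn: str):
    """Split an escaped x.500 DN on unescaped commas (and semicolons,
    which TSS treats as commas); escaped delimiters stay in the value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if c in ',;':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    return parts


def search_order(dn: str, registry: str):
    """Return (IDMAPDN, IDMAPRN) pairs in TSS search order for an x.500 DN:
    drop one RDN at a time from the most specific end, trying the full
    registry name before '*' at each step, then the '*' DN fallbacks."""
    order = []
    rdns = split_rdns(dn)
    for i in range(len(rdns)):
        suffix = ','.join(rdns[i:])
        order.append((suffix, registry))
        order.append((suffix, '*'))
    order.append(('*', registry))
    order.append(('*', '*'))
    return order


if __name__ == '__main__':
    # 'ldap.example.com' is a constructed registry name for illustration.
    for dn, rn in search_order('UID=JohnDoe,OU=User,O=XYZ', 'ldap.example.com'):
        print(f"IDMAPDN('{dn}') IDMAPRN('{rn}')")
```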