

LDAPNODE Keyword—Define LDAP Nodes

Valid on z/OS.

Use the LDAPNODE keyword to define LDAP nodes to the CA Top Secret database as NDT node elements.

The keyword is used with:

This keyword has the following format:

TSS ADDTO(NDT) LDAPNODE(node_name)
               ACTIVE(YES|NO)
               ADMDN(LDAP_administrator_distinguished_name)
               ADMPSWD(LDAP_administrator_password)
               APPLNAME(application_name)
               BITDEFLT(bit_field_format)
               BROADCAST(YES|NO)
               CHILDELETE(YES|NO)
               CODEPAGE(encoding_table)               
               DATEFMT(date_format)
               DEBUG(YES|NO)
               EXTENDED(YES|NO)
               LABLCERT(label_name)
               PSWDLOWR(YES|NO)
               USERDNS(distinguished_name_suffix)
               JOURNAL(YES|NO)
               RECOVERY(YES|NO)
               SYNCADD(YES|NO)                            
               SYNCDEL(YES|NO)
               SYNCUPD(YES|NO)
               OBJCLASS(LDAP_object_class)
               PSWDASIS(YES|NO)
               SYSID(sysid1,sysid2,,,)
               URL(Uniform_Resource_Locator)
               XREF(ACIDfield1,LDAPattribute1Name,LDAPattribute1FieldType,
                    LDAPattribute1DataFormat,LDAPattribute1Length,
                    EncloseCharacter)

LDAPNODE(node_name)

(Required) Specifies the internal NODE name of the LDAP server.

SYSID(sysid1,,,)

Specifies up to five SMF IDs of systems where the LDAPNODE definition applies. The SYSID value might contain an asterisk for masking. If you omit SYSID, the LDAPNODE is global for all systems sharing the security file. You can define more than five system IDs by using multiple ADD commands. When specified on an ADD command, the new SYSID replaces a previously existing value.

ACTIVE(YES|NO)

Specifies whether the node is active and attempting to communicate with the specified LDAP server.

Default: NO

ADMDN(LDAP_administrator_distinguished_name)

(Required) Specifies the LDAP administrator distinguished name that is used for binding to the LDAP server and administering the LDAP request. The following representations indicate that string substitutions are allowed for this field:

If any embedded spaces or commas exist within the ADMDN specification, enclose the entire string in quotation marks. For example, enter an ADMDN value like this:

ADMDN('cn=%L, o= CAI, c=USA')

Note: You must specify the LDAP administrator password or the APPLNAME field. Each LDAP request requires an administrator distinguished name and a password. To provide the password, you can specify the administrator password in the NDT LDAPNODE element. Alternatively, you can identify the TSS administrator and the NDT table data record used for generating PassTickets, by specifying the APPLNAME in the NDT LDAPNODE element. The two methods are mutually exclusive.

When updating an existing LDAPNODE definition, you can modify the password or the application name without specifying the ADMDN keyword.

ADMPSWD(LDAP_administrator_password)

Specifies the LDAP administrator password that is used in conjunction with the LDAP administrator ID for binding to the LDAP server.

APPLNAME(application_name)

Specifies the application name of the NDT table data record that contains the TSS administrator's encryption key that is used for generating PassTickets. The TSS administrator's userid is used in conjunction with the PassTicket for binding to the LDAP server and administering the LDAP request.

Note: For information about NDT records, see the CA Top Secret User Guide.

BITDEFLT(field_type/format)

Specifies the default field type and format to use for all bit fields that are sent to the LDAP server. The default for this field is CHAR_YN. The following options are available for this field:

BINARY

Binary 1 or 0 when the bit is ON or OFF, respectively.

CHAR_01

'1' or '0' when the bit is ON or OFF, respectively.

CHAR_YN

'Y' or 'N' when the bit is ON or OFF, respectively.

CHAR_TF

'T' or 'F' when the bit is ON or OFF, respectively.

BINARY_REV

Binary 0 or 1 when the bit is ON or OFF, respectively.

CHAR_REV01

'0' or '1' when the bit is ON or OFF, respectively.

CHAR_REVYN

'N' or 'Y' when the bit is ON or OFF, respectively.

CHAR_REVTF

'F' or 'T' when the bit is ON or OFF, respectively.

Note: This default can be overridden per bit field specified in the XREF parameter.

BROADCAST(YES|NO)

Specifies whether the node is a broadcast node, which means that all commands and password changes are sent to this node regardless of the LDS attribute setting on the ACID record.

Default: NO

SYNCADD(YES|NO)

Specifies whether TSS ACID create processing is propagated to the LDAP server.

Default: NO

CHILDELETE(YES|NO)

Specifies whether to delete children objects before deleting the base object.

CODEPAGE(character)

Specifies a 20-byte identifier of the character encoding table to use to translate characters as they pass into the system. If no CODEPAGE is specified, ASCII ISO8859-1 is assumed.

DATEFMT(date_format)

Specifies the default format for the date fields that are sent to the LDAP server. Available date format options are MMDDYYYY, DDMMYYYY, YYYYMMDD, MMDDYY1, DDMMYY1, and YYMMDD1. MM represents a two-digit month, DD represents a two-digit day, and YYYY represents a four-digit year. YY represents a two‑digit year, and 1 represents a / delimiter in the date field. The default date format is MMDDYYYY. Year designations of 70‑99 assume a date in the 20th century (1970‑1999); year designations of 00‑69 assume a date in the 21st century (2000‑2069).

Note: This default can be overridden per date field specified in the XREF parameter.

DEBUG(YES|NO)

Specifies whether to enable or disable node level tracing.

EXTENDED(YES|NO)

Specifies whether to use extended operations to enable SSL for the connection to the LDAP server.

LABLCERT(label_name)

Defines the LABEL of the PERSONAL certificate used, if CLIENT authentication is required for the LDAP server defined by this LDAPNODE record.

PSWDLOWR(YES|NO)

Specifies whether to propagate the case sensitivity format of the user's password.

PSWDLOWR works in conjunction with the PSWDASIS function as follows:

When a user changes a password during system entry validation, LDAP Directory Services (LDS) automatically propagates the new password to the LDAP servers that are interested in the password field. The user receives no indication that LDS processing was involved. LDS must be active, and the LDS option must be specified in the ACID.

Note: For more information about LDS, see the CA Top Secret User Guide.

Default: NO

USERDNS(distinguished_name_suffix)

Indicates the user distinguished name suffix that refers to the entry on the LDAP server where the changes are applied. This field has a maximum length of 255 characters. The following representations indicate that string substitutions are allowed for this field:

For example, in USERDNS('tssacid=%N, host=prod, o=company, c=usa'), %N substitutes the TSS user's name (20 bytes) from the user's ACID record.

In USERDNS ('tssacid=USER, host=prod, o=company, c=usa'), USER substitutes the TSS user's ACID (8 bytes) from the user's ACID record.

Note: If embedded spaces or commas exist within the USERDNS specification, enclose the entire string in quotation marks. For example, you might enter a USERDNS value like this:

USERDNS('o= CAI, ou=Development Team, c=USA')
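The %N substitution described above, worked through as an added example (this is illustration code written for this page, not CA Top Secret code). It fills a USERDNS template from a constructed ACID record, truncates the name to its 20-byte field length, and adds an RFC 4514 escape of the substituted value so that a comma or plus sign inside a user's name cannot change the structure of the resulting DN; the escaping and the RDN count are added defensive checks, not documented product behaviour.

```python
# Added example: substitute %N in a USERDNS template and escape the
# substituted value. The %N rule (20-byte user name from the ACID record)
# is the one described above; the RFC 4514 escaping and the RDN count are
# added defensive checks, not documented CA Top Secret behaviour, and the
# ACID records below are constructed.
NAME_LEN = 20  # %N is the user's 20-byte name


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value in a DN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def substitute_userdns(template: str, acid: dict, escape: bool = True) -> str:
    """Replace %N with the (truncated, optionally escaped) ACID name."""
    name = acid["NAME"][:NAME_LEN]
    return template.replace("%N", escape_dn_value(name) if escape else name)


def rdn_count(dn: str) -> int:
    """Count RDNs in a DN string, skipping backslash-escaped characters."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


TEMPLATE = "tssacid=%N, host=prod, o=company, c=usa"  # from the page's example
BENIGN = {"NAME": "Jay Sample"}                        # constructed record
HOSTILE = {"NAME": "Jay,ou=admins"}                    # constructed: name containing a comma

if __name__ == "__main__":
    for rec in (BENIGN, HOSTILE):
        raw = substitute_userdns(TEMPLATE, rec, escape=False)
        safe = substitute_userdns(TEMPLATE, rec)
        print(f"{rec['NAME']!r}: raw has {rdn_count(raw)} RDNs, escaped has {rdn_count(safe)}")
```

The template from the page yields four RDNs; an unescaped name containing a comma would add a fifth, which is exactly the condition the quoting note above is meant to prevent.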

JOURNAL(YES|NO)

Specifies whether to enable journaling of LDAP outbound traffic.

OBJCLASS(LDAP_object_class)

(Required) Specifies the LDAP object class to use when an LDAP entry is created. The object class defines the attributes that the LDAP directory entry might contain. The default object class is TSSUSER.

SYNCDEL(YES|NO)

Specifies whether to propagate TSS ACID remove processing to the LDAP server.

Default: NO

SYNCUPD(YES|NO)

Specifies whether to propagate TSS ACID add/rep processing to the LDAP server.

Default: NO

RECOVERY(YES|NO)

Specifies whether to enable recovery processing for the node.

Default: YES

PSWDASIS(YES|NO)

(If the password field is specified in the XREF field) Specifies whether to propagate the password as it was entered during a signon password change. Any changes made to the password through the TSS command always propagate in uppercase even if this option is YES. If this option is set to NO, signon password changes propagate in uppercase.

Default: YES

URL(Uniform_Resource_Locator)

(Required) Specifies the Uniform Resource Locator (URL) that identifies the LDAP server. There is a maximum of three URL entries. The entries specify the primary followed by the backups. The syntax of the LDAP URL is as follows:

ldap[s]://[<host>[:<port>]]

ldap

Specifies a connection using the LDAP protocol.

ldaps

Specifies an SSL LDAP connection.

host

Specifies the name or IP address of the LDAP server host.

port

Specifies the port number of the LDAP server.
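As an added example (written for this page, not CA Top Secret code), the following check parses a URL() list against the ldap[s]://host[:port] syntax just described, enforces the limit of three entries, and flags a cleartext ldap:// entry when EXTENDED(NO) is in effect, since the ADMDN/ADMPSWD bind would then travel unencrypted. The default ports 389 and 636 are the standard LDAP and LDAPS ports and are an assumption of this example, not something the page states.

```python
# Added example: validate the URL() entries of an LDAPNODE definition.
# Parsing rules, default ports and the sample list are this example's own
# assumptions, not CA Top Secret code.
import re
from typing import List, Tuple

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # standard well-known ports (assumption)
MAX_URLS = 3                                  # primary plus up to two backups

_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\])"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_ldap_url(url: str) -> Tuple[str, str, int]:
    """Split 'ldap[s]://host[:port]' into (scheme, host, port)."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not an ldap[s]://host[:port] URL: {url!r}")
    scheme, host = m.group("scheme"), m.group("host")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {url!r}")
    return scheme, host, port


def check_node_urls(urls: List[str], extended: bool) -> List[str]:
    """Return findings for a URL() list; empty when nothing is wrong.

    extended mirrors EXTENDED(YES|NO): with NO, a plain ldap:// entry means
    the administrator bind is sent in cleartext.
    """
    findings = []
    if not urls:
        findings.append("URL is required: no LDAP server given")
        return findings
    if len(urls) > MAX_URLS:
        findings.append(f"{len(urls)} URLs given; the maximum is {MAX_URLS}")
    for i, url in enumerate(urls[:MAX_URLS]):
        role = "primary" if i == 0 else f"backup {i}"
        try:
            scheme, host, port = parse_ldap_url(url)
        except ValueError as exc:
            findings.append(f"{role}: {exc}")
            continue
        if scheme == "ldap" and not extended:
            findings.append(
                f"{role}: cleartext ldap://{host}:{port} with EXTENDED(NO); "
                "the ADMPSWD bind would be sent unencrypted"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: the URL from the page's own example, EXTENDED(NO).
    for finding in check_node_urls(["ldap://ca.ldap.server:7000"], extended=False):
        print("finding:", finding)
```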

XREF(ACIDfield,LDAPattributeName,LDAPattributeFieldType,
LDAPattributeDataFormat,LDAPattributeLength,EncloseCharacter)

(Required) Specifies the names of the TSS ACID fields and the corresponding LDAP directory attribute fields synchronized to the LDAP directory. The following parameters are required:

ACIDfield

Specifies any ACID related keyword that can be specified on a TSS ADD/REP/CRE command for a user type ACID.

LDAPattributeName

Specifies the name of the LDAP directory attribute.

The following optional XREF parameters might be specified to override the default format of DATE and BIT fields:

LDAPattributeFieldType

Specifies the field type of the LDAP attribute. Valid field types are BIT, DATE, and UNICODE. If not specified, the default is the TSS ACID field type from which the LDAP attribute has been mapped. If you specify this parameter, you must also specify LDAPattributeDataFormat.

LDAPattributeDataFormat

Specifies the data format of the LDAP attribute. For DATE type, valid data formats are the same as for the DATEFMT field. For Unicode, valid formats are UTF16LE, UTF16BE, UTF32LE, and UTF32BE. For BIT type, valid data formats are the same as for the BITDEFLT field, as follows:

    LDAP Attribute    Bit is    Bit is
    Data Format       ON        OFF
    CHAR_YN           'Y'       'N'
    CHAR_REVYN        'N'       'Y'
    CHAR_TF           'T'       'F'
    CHAR_REVTF        'F'       'T'
    CHAR_01           '0'       '1'
    CHAR_REV01        '1'       '0'
    BINARY            x'0'      x'1'
    BINARY_REV        x'1'      x'0'

LDAPattributeLength

Specifies a number that represents the maximum data length of the LDAP attribute. If you omit this parameter specification, the default length is the TSS ACID field length from which the LDAP attribute has been mapped.

Range: 1 to 1024

EncloseCharacter

(Optional) Specifies to surround the LDAP attribute value with the character represented by the enclose character identifier. This parameter is used with LDAP functions that require particular data values to be surrounded by quotation marks. Valid values are as follows:

SQ

Uses single quotation marks to surround the LDAP attribute value (for example, 'Jay').

DQ

Uses double quotation marks to surround the LDAP attribute value (for example, “Jay”).

Note: By default, the LDAP attribute value is not enclosed by any character.
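The BITDEFLT, DATEFMT and XREF rules above, carried through in one added example (illustration code written for this page, not CA Top Secret code). It renders ACID field values the way an XREF entry describes: node-level BITDEFLT and DATEFMT defaults, per-field LDAPattributeFieldType/LDAPattributeDataFormat overrides, the 1..1024 length cap, SQ/DQ enclosing, and the 70-99 / 00-69 century window. The bit mapping follows the values listed under the BITDEFLT keyword; the ACID record, the two *_FIELD names and the XREF list are constructed for the demonstration.

```python
# Added example: apply BITDEFLT / DATEFMT defaults and XREF overrides to
# ACID field values. The rules come from the keyword descriptions above;
# the record, the *_FIELD names and the XREF list are constructed.
from datetime import date
from typing import Optional, Union

# Bit formats as listed under BITDEFLT: (value when ON, value when OFF).
BIT_FORMATS = {
    "BINARY":     (b"\x01", b"\x00"),
    "BINARY_REV": (b"\x00", b"\x01"),
    "CHAR_01":    ("1", "0"),
    "CHAR_REV01": ("0", "1"),
    "CHAR_YN":    ("Y", "N"),
    "CHAR_REVYN": ("N", "Y"),
    "CHAR_TF":    ("T", "F"),
    "CHAR_REVTF": ("F", "T"),
}
# DATEFMT formats as strftime patterns; a trailing "1" means "/" delimiters.
DATE_FORMATS = {
    "MMDDYYYY": "%m%d%Y", "DDMMYYYY": "%d%m%Y", "YYYYMMDD": "%Y%m%d",
    "MMDDYY1": "%m/%d/%y", "DDMMYY1": "%d/%m/%y", "YYMMDD1": "%y/%m/%d",
}
ENCLOSE = {None: "", "SQ": "'", "DQ": '"'}  # EncloseCharacter values


def render_bit(bit_on: bool, fmt: str = "CHAR_YN") -> Union[str, bytes]:
    """Render an ON/OFF bit in one of the BITDEFLT formats."""
    if fmt not in BIT_FORMATS:
        raise ValueError(f"unknown bit format {fmt!r}")
    on, off = BIT_FORMATS[fmt]
    return on if bit_on else off


def century_for_two_digit_year(yy: int) -> int:
    """DATEFMT window: 70-99 -> 1970-1999, 00-69 -> 2000-2069."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be 0..99")
    return 1900 + yy if yy >= 70 else 2000 + yy


def render_date(d: date, fmt: str = "MMDDYYYY") -> str:
    """Render a date in one of the DATEFMT formats."""
    if fmt not in DATE_FORMATS:
        raise ValueError(f"unknown date format {fmt!r}")
    return d.strftime(DATE_FORMATS[fmt])


def render_xref(value, field_type: Optional[str] = None,
                data_format: Optional[str] = None, length: Optional[int] = None,
                enclose: Optional[str] = None, node_bitdeflt: str = "CHAR_YN",
                node_datefmt: str = "MMDDYYYY") -> Union[str, bytes]:
    """Apply one XREF entry's optional parameters to an ACID field value."""
    if field_type is not None and data_format is None:
        raise ValueError("LDAPattributeDataFormat is required with LDAPattributeFieldType")
    if length is not None and not 1 <= length <= 1024:
        raise ValueError("LDAPattributeLength must be 1..1024")
    if field_type == "BIT" or (field_type is None and isinstance(value, bool)):
        out = render_bit(value, data_format or node_bitdeflt)
        if isinstance(out, bytes):      # BINARY forms are raw, never quoted
            return out
    elif field_type == "DATE" or (field_type is None and isinstance(value, date)):
        out = render_date(value, data_format or node_datefmt)
    else:
        out = str(value)
    if length is not None:
        out = out[:length]              # cap at the attribute length
    q = ENCLOSE[enclose]
    return f"{q}{out}{q}"


def render_record(record: dict, xrefs: list, **node_defaults) -> dict:
    """Map an ACID record through XREF tuples (ACIDfield, LDAPattributeName,
    FieldType, DataFormat, Length, EncloseCharacter); optional parts are None."""
    result = {}
    for acid_field, attr, ftype, dfmt, length, enc in xrefs:
        result[attr] = render_xref(record[acid_field], ftype, dfmt, length, enc,
                                   **node_defaults)
    return result


# Constructed sample: ACIDNAME and DEPT appear in the page's examples; the
# *_FIELD names are placeholders for a date field and a bit field of the ACID.
SAMPLE_ACID = {"ACIDNAME": "J. Sample", "DEPT": "D123",
               "EXAMPLE_DATE_FIELD": date(1999, 12, 31), "EXAMPLE_BIT_FIELD": True}
SAMPLE_XREFS = [
    ("ACIDNAME", "ldap_attr_name1", None, None, None, None),
    ("DEPT", "ldap_attr_name2", None, None, 2, "DQ"),
    ("EXAMPLE_DATE_FIELD", "ldap_date_attr", "DATE", "YYMMDD1", None, None),
    ("EXAMPLE_BIT_FIELD", "ldap_bit_attr", "BIT", "CHAR_REVTF", None, None),
]

if __name__ == "__main__":
    for attr, val in render_record(SAMPLE_ACID, SAMPLE_XREFS).items():
        print(f"{attr}: {val!r}")
```

Running the sample shows the per-field override winning over the node default (the bit field renders as 'F' under CHAR_REVTF even when the node's BITDEFLT is CHAR_YN) and the length cap truncating DEPT before the DQ quotes are added.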


Example: Create an LDAP Node with a Single XREF Subfield

This example creates a new LDAP node named “testnode” with a single XREF subfield:

TSS ADD(NDT) LDAPNODE(testnode)
             ADMDN('cn=USER1, o=CAI, c=USA')
             ADMPSWD(password)
             USERDNS('o=CAI, ou=TSS Team, c=USA')
             URL(ldap://ca.ldap.server:7000)
             XREF(ACIDNAME,ldap_attr_name1)

Example: Manipulate XREF Subfields for an Existing LDAPNODE Entry

This example adds or modifies XREF subfields for an existing LDAPNODE entry:

TSS ADD(NDT) LDAPNODE(testnode)
             XREF(DEPT,ldap_attr_name2)

Example: Remove XREF Subfields

This example removes XREF subfields:

TSS REM(NDT) LDAPNODE(testnode)
             XREF(DEPT,ldap_attr_name2)

Example: Delete an LDAPNODE Definition

This example deletes an entire LDAPNODE definition:

TSS REM(NDT) LDAPNODE(testnode)

Example: Display an LDAPNODE Definition

This example displays an LDAPNODE definition:

TSS LIST(NDT) LDAPNODE(ALL|testnode)

Example: Replace an LDAPNODE Definition

This example replaces an LDAPNODE definition:

TSS REP(NDT) LDAPNODE(testnode)
             ADMDN('cn=USER1, o=CAI, c=USA')
             ADMPSWD(password)
             USERDNS('o=CAI, ou=TSS Team, c=USA')
             URL(ldap://ca.ldap.server:7000)
             XREF(DEPT,ldap_attr_name2)

The REP command removes all XREF entries