LDAP Directory Services (LDS) › NDT LDAPNODE Records

NDT LDAPNODE Records

The NDT LDAPNODE records define the LDAP servers in the network and information required to appropriately communicate ACID administrative changes.

Information required to create, update, or delete objects in the LDAP directory is defined in the NDT LDAPNODE record. This information includes:

• Administrator distinguished name (DN)
• Administrator password
• URLs of the LDAP servers
• Name of the object on the LDAP directory
• Command type of ACID administration
• Map of the LDAP attributes to CA Top Secret ACID record fields
• Additional options

The supported keywords for an NDT LDAPNODE record are:

• LDAPNODE(node_name) *
• ACTIVE(YES/NO)
• ADMDN (LDAP administrator distinguished name)*
• ADMPSWD (LDAP administrator password)*
• APPLNAME (application name)
• BITDEFLT (field type/format)
• BROADCASET(YES/NO)
• CHILDELETE(YES/NO)
• DEBUG(YES/NO)
• DATEFMT(date format)
• EXTENDED(YES/NO)
• JOURNAL(YES/NO)
• LABLCERT(label_name)
• OBJCLASS(LDAP object class)
• PSWDASIS(YES/NO)
• SYNCADD(YES/NO)
• SYNCDEL(YES/NO)
• SYNCUPD(YES/NO)
• SYSID(sysid1,sysid2,,,sysid5)
• URL(Uniform Resource Locator)*
• USERDNS(User Distinguished Name suffix)
• XREF(LIDfield1/LDAPattribute1Name/
• LDAPattribute1FieldType/
• LDAPattribute1DataFormat/LDAPattribute1Length,EncloseCharacter …)*

Fields marked with an asterisk (*) are mandatory.

Use the TSS ADD(NDT) command to add multiple XREF field mapping definitions to an LDAPNODE record.

The LDAP administrator password or the APPLNAME field must be specified. Each LDAP request requires an administrator distinguished name and a password. To provide the password:

• Specify the administrator password in the Control LDS LDAP record.
• Identify the administrator and the PSTKAPPL record used for generating PassTickets by specifying the APPLNAME in the LDAPNODE record.

Example: create an LDS LDAPNODE record

This example creates an LDS LDAPNODE record which maps two ACID fields to LDAP attribute names:

TSS ADD(NDT) LDAPNODE(testnode)
ACTIVE(yes)
SYNCUPD(yes)
ADMINDN(‘cn=administrator,o=CAI,c=US’)
ADMPSWD(password)
OBJCLASS(tssacid)
USERDNS(‘cn=%L, ou=TSS Team, c=US’)
URL(ldap://ca.ldap.server:7000)
XREF(ACID,userid)

To map additional acid fields, add more XREF subfields to the LDAPNODE record.

LDAPNODE with a Shared Security File

In a shared security file environment, add a SYSID keyword to the LDAPNODE record to designate a specific CA Top Secret systems LDAPNODE records. If no SYSID is present, the LDAPNODE record applies to all systems by default.

If using CPF, the CPF command can create duplicate LDS broadcasts if the SYSID parameter is not defined with the LDAPNODE.

Example: LDAPNODE with a shared security file

This example defines an LDAPNODE in a shared security file environment.

TSS ADD(NDT) LDAPNODE(ldapnode)
             SYSID(sys*)
             ACTIVE(yes)
             SYNCUPD(yes)
             ADMINDN(‘cn=administrator, o=CAI, c=US’)
             OBJCLASS(tssacid)
             USERDNS(‘cn=%N, ou=TSS Team, c=US’)
             URL(ldap://ca.ldap.server:7000)
             XREF(ACID,userid)

LDAP Nodes with Multiple URLs

Having multiple URL entries with a replicated server:

• Enables support for LDAP failure events
• Improves overall LDS performance
• Minimizes LDS recovery processing

Note: The Security File must be extended before using the multiple URL feature.

Example: adding multiple URLs

This example makes both nodes 111.111.111.11:111 and 222.222.222.22:222 available.

TSS ADD(NDT) LDAPNODE(ldapnode) 
             ADMDN(CN=LDSSCA) 
             ADMPSWD(LDSSCA) 
             ACTIVE(YES) 
             SYNCADD(YES) 
             JOURNAL(YES) 
             BITDEFLT(CHAR_YN) 
             DATEFMT(MMDDYYYY) 
             USERDNS('tssacid=%l,host=xe14,o=cai,c=us')
                      objclass(tssacid) 
             URL(LDAP://111.111.111.11:111,
                 LDAP://222.222.222.22:222)
             XREF(ACID,userid)

LDAP Nodes with Passwords

To simplify data access of security information to distributed platforms, you can:

• Specify unicode for passwords to expand the character set
• Add the CodePage(INPUT/OUTPUT) field on LDAP node record for data default translation
• Set the PSWDASIS field to indicate that user passwords are sent in the case entered

Note: The Security File must be extended before using the Unicode or Codepage features.

Examples: LADAP nodes and passwords

This example adds an LDAPNODE with PSWDLOWR set to yes:

TSS ADD(NDT) LDAPNODE(ldapenode)
             ADMDN(CN=LDSSCA)
             ADMPSWD(LDSSCA)
             ACTIVE(YES)
             SYNCADD(YES)
             SYNCUPD(YES)
             SYNCDEL(YES)
             PSWDASIS(NO)
             BITDEFLT(CHAR_YN)
             PSWDLOWR(YES)
             USERDNS('tssacid=%l,host= xe14,o=cai,c=us')
                      objclass(tssacid)
             URL(LDAP:/ /111.222.333.444:389)
             XREF(ACID,name) 

This example adds an LDAPNODE with UNICODE specified:

TSS ADD(NDT) LDAPNODE(Tldapnode)
             ADMDN(CN=LDSSCA)
             ADMPSWD(LDSSCA)
             ACTIVE(YES)
             SYNCADD(YES)
             SYNCUPD(YES) 
             SYNCDEL(YES)
             PSWDASIS(NO)
             BITDEFLT(CHAR_YN)
             PSWDLOWR(YES) 
             USERDNS('tssacid=%l,host=xe 14,o=cai,c=us')
                     objclass(tssacid) 
             URL(LDAP:// 141.202.204.14:389) 
             XREF(PASSWORD,USER PASSWORD,UNICODE)

This example adds an LDAPNODE with CODEPAGE specified:

TSS ADD(NDT) LDAPNODE(TST3LDAP)
             ADMDN(CN=LDSSCA)
             ADMPSWD(LDSSCA)   
             ACTIVE(YES)
             SYNCADD(YES)
             SYNCUPD(YES)
             SYNCDEL(YES)
             PSWDASIS(NO)    
             JOURNAL(YES)
             BITDEFLT(CHAR_YN)
             DATEFMT(MMDDYYYY)
             PSWDLOWR(YES)     
             USERDNS('tssacid=%l,host=xe14,o=cai,c=us')
             CODEPAGE(CODEPAGETEST)  
             objclass(tssacid)
             URL(LDAP://111.111.111.11:111)
             XREF(NAME,NAME)