

LDAPNODE Keyword—Define LDAP Nodes

Valid on z/OS.

Use the LDAPNODE keyword to define LDAP nodes to the CA Top Secret database as NDT node elements.

This keyword has the following format:

TSS ADDTO(NDT) LDAPNODE(node_name)
               ACTIVE(YES|NO)
               ADMDN(LDAP administrator distinguished name)
               ADMPSWD(LDAP administrator password)
               APPLNAME(application name)
               BITDEFLT(bit field format)
               BROADCAST(YES|NO)
               CHILDELETE(YES|NO)
               CODEPAGE(encoding table)
               DATEFMT(date format)
               DEBUG(YES|NO)
               EXTENDED(YES|NO)
               LABLCERT(label name)
               LOWRPSWD(YES|NO)
               USERDNS(Distinguished Name suffix)
               JOURNAL(YES|NO)
               RECOVERY(YES|NO)
               SYNCADD(YES|NO)
               SYNCDEL(YES|NO)
               SYNCUPD(YES|NO)
               OBJCLASS(LDAP object class)
               PSWDASIS(YES|NO)
               SYSID(sysid1,sysid2,,,)
               URL(Uniform Resource Locator)
               XREF(ACIDfield1,LDAPattribute1Name,LDAPattribute1FieldType,
                    LDAPattribute1DataFormat,LDAPattribute1Length)

LDAPNODE(node_name)

(Required) The internal NODE name of the LDAP server.

SYSID(sysid1,,,)

A list of up to five SMF IDs of the systems to which the LDAPNODE definition applies. The SYSID value can contain an asterisk for masking. If SYSID is omitted, the LDAPNODE is global for all systems sharing the security file. More than five system IDs can be defined by using multiple ADD commands. When specified on an ADD command, the new SYSID value replaces any previously existing value.

ACTIVE(YES|NO)

Indicates the node is active and communication with the LDAP server specified is attempted.

Default: NO.

ADMDN(LDAP administrator distinguished name)

(Required) Indicates the LDAP administrator distinguished name used for binding to the LDAP server and administering the LDAP request. The following representations indicate that string substitutions are allowed for this field:

If the ADMDN contains embedded spaces or commas, enclose the entire string in quotes. For example, enter an ADMDN value like this:

ADMDN('cn=%L, o= CAI, c=USA')

Note: In addition, either the LDAP administrator password or the APPLNAME field must be specified. Each LDAP request requires an administrator distinguished name and a password. There are two ways of providing the password. One, specify the administrator password in the NDT LDAPNODE element. Two, identify the TSS administrator and the NDT table data record used for generating PassTickets, by specifying the APPLNAME in the NDT LDAPNODE element. The two methods are mutually exclusive.

When updating an existing LDAPNODE definition, the password or the APPLNAME can be modified without specifying the ADMINDN keyword.

ADMPSWD(LDAP administrator password)

Indicates the LDAP administrator password used in conjunction with the LDAP administrator ID for binding to the LDAP server.

APPLNAME(application name)

Specifies the application name of the NDT table data record that contains the TSS administrator's encryption key used for generating PassTickets. The TSS administrator's userid is used in conjunction with the PassTicket for binding to the LDAP server and administering the LDAP request. For information about the NDT records see the User Guide.

BITDEFLT(field type/format)

Indicates the default field type and format in which all bit fields are sent to the LDAP server. The default for this field is CHAR_YN. The available options for this field are:

BINARY

Binary 1 or 0 when the bit is ON or OFF, respectively.

CHAR_01

'1' or '0' when the bit is ON or OFF, respectively.

CHAR_YN

'Y' or 'N' when the bit is ON or OFF, respectively.

CHAR_TF

'T' or 'F' when the bit is ON or OFF, respectively.

BINARY_REV

Binary 0 or 1 when the bit is ON or OFF, respectively.

CHAR_REV01

'0' or '1' when the bit is ON or OFF, respectively.

CHAR_REVYN

'N' or 'Y' when the bit is ON or OFF, respectively.

CHAR_REVTF

'F' or 'T' when the bit is ON or OFF, respectively.

Note: This default can be overridden per bit field specified in the XREF parameter. See the XREF field for further information.

BROADCAST(YES|NO)

Indicates the node is a broadcast node. All commands and password changes are sent to this node regardless of the LDS attribute setting on the ACID record.

Default: NO

SYNCADD(YES|NO)

Specifies that TSS ACID create processing is propagated to the LDAP server.

Default: NO

CHILDELETE(YES|NO)

Indicates that child objects are deleted before the base object is deleted.

CODEPAGE(character)

A twenty-byte character field that specifies the character encoding table used to translate characters as they are passed into the system. If no CODEPAGE is specified, ASCII ISO8859-1 is assumed.

DATEFMT(date format)

Indicates the default format that the date fields are sent to the LDAP server. The date format options available are the following: MMDDYYYY, DDMMYYYY, YYYYMMDD, MMDDYY1, DDMMYY1, and YYMMDD1. MM represents a two digit month, DD represents a two digit day and YYYY represents a four digit year. YY represents a two‑digit year, and the number 1 represents a '/' forward slash delimiter in the date field. The default date format is MMDDYYYY. Year designations of 70‑99 assume a date in the 20th century (1970‑1999); year designations of 00‑69 assume a date in the 21st century (2000‑2069).

Note: This default can be overridden per date field specified in the XREF parameter. See the XREF field for further information.

DEBUG(YES|NO)

Indicates that node level tracing is enabled or disabled.

EXTENDED(YES|NO)

Indicates that extended operations are used to enable SSL for the connection to the LDAP server.

LABLCERT(label name)

Defines the LABEL of the PERSONAL certificate used, if CLIENT authentication is required for the LDAP server defined by this LDAPNODE record.

LOWRPSWD(YES|NO)

Specifies whether the case-sensitive form of the user's password is propagated.

LOWRPSWD works in conjunction with the PSWDASIS function.

When a user changes a password during system entry validation, LDS automatically propagates the new password to the LDAP servers interested in the password field. The user receives no indication that LDS processing was involved. LDS must be active and the LDS option must be specified in the ACID.

Default: NO

USERDNS(Distinguished Name suffix)

Indicates the user distinguished name suffix that refers to the entry on the LDAP server where the changes are applied. This field has a maximum length of 255 characters. The following representations indicate the string substitutions allowed for this field:

For example, in USERDNS ('tssacid=USER, host=prod, o=company, c=usa') %N substitutes the TSS User's name (20 bytes) from the user's LID record.

In USERDNS ('tssacid=USER, host=prod, o=company, c=usa'), USER substitutes the TSS User's ACID (8 bytes) from the user's ACID record.

Note: If the USERDNS contains embedded spaces or commas, enclose the entire string in quotes. For example, you might enter a USERDNS value like this:

USERDNS('o= CAI, ou=Development Team, c=USA')

JOURNAL(YES|NO)

Specifies whether journaling of LDAP outbound traffic is enabled.

OBJCLASS(LDAP object class)

(Required) Specifies the LDAP object class used when an LDAP entry is created. The object class defines the attributes the LDAP directory entry might contain. The default object class is TSSUSER.

SYNCDEL(YES|NO)

Specifies that TSS ACID remove processing is propagated to the LDAP server.

Default: NO

SYNCUPD(YES|NO)

Specifies that TSS ACID add/rep processing is propagated to the LDAP server.

Default: NO

RECOVERY(YES|NO)

Indicates that recovery processing is enabled for the node.

Default: YES

PSWDASIS(YES|NO)

If the password field is specified in the XREF field, the PSWDASIS option indicates whether the password is propagated as it was entered during a signon password change. Any change made to the password via the TSS command is always propagated in upper case, even if this option is YES. If this option is set to NO, signon password changes are sent in upper case.

Default: YES

URL(Uniform Resource Locator)

(Required) Specifies the Uniform Resource Locator (URL) used to identify the LDAP server. There is a maximum of three URL entries. The entries specify the primary followed by the backups. The syntax of the LDAP URL is:

ldap[s]://[<host>[:<port>]]

ldap

Specifies a connection using the LDAP protocol.

ldaps

Specifies an SSL LDAP connection.

host

The name or IP address of the LDAP server host.

port

The port number of the LDAP server.

XREF(ACIDfield,LDAPattributeName,LDAPattributeFieldType,
     LDAPattributeDataFormat,LDAPattributeLength)

(Required) Specifies the names of the TSS ACID fields and the corresponding LDAP directory attribute fields synchronized to the LDAP directory.

The required parameters are:

ACIDfield

Any ACID related keyword which can be specified on a TSS ADD/REP/CRE command for a user type ACID.

LDAPattributeName

The name of the LDAP directory attribute.

The following XREF parameters are optional and might be specified to override the default format of DATE and BIT fields:

LDAPattributeFieldType

Specifies the field type of the LDAP attribute. Valid field types are BIT, DATE, and UNICODE. If not specified, the default is the TSS ACID field type from which the LDAP attribute has been mapped. If this field is specified, then LDAPattributeDataFormat must also be specified.

LDAPattributeDataFormat

Specifies the data format of the LDAP attribute. Valid data formats for the DATE type are the same as those allowed for the DATEFMT field. For the UNICODE type, valid formats are UTF16LE, UTF16BE, UTF32LE, and UTF32BE. Valid data formats for the BIT type are the same as those allowed for the BITDEFLT field:

LDAP          BIT   BIT
Attribute     is    is
Data Format   ON    OFF

CHAR_YN       'Y'   'N'
CHAR_REVYN    'N'   'Y'

CHAR_TF       'T'   'F'
CHAR_REVTF    'F'   'T'

CHAR_01       '0'   '1'
CHAR_REV01    '1'   '0'

BINARY        x'0'  x'1'
BINARY_REV    x'1'  x'0'

LDAPattributeLength

A number that represents the maximum data length of the LDAP attribute. If this is not specified, the default length is the TSS ACID field length from which the LDAP attribute has been mapped.

Range: 1 to 1024

Note: If the LDAPNODE XREF password field has an LDAPattributeFieldType of UNICODE and an LDAPattributeDataFormat of UTF16LE, UTF16BE, UTF32LE, or UTF32BE, the password field is translated into the corresponding UTF encoding. UNICODE is used in conjunction with Windows AD only. The XREF syntax accepts UNICODE for all fields; however, this results in an error. If no LDAPattributeDataFormat is specified when UNICODE is entered for the LDAPattributeFieldType, the default is UTF16LE.
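As an added example (not CA's code and not part of this reference), the following Python renders and parses the bit and date values that the BITDEFLT, DATEFMT and XREF override fields describe, including the 70/69 two-digit year window that DATEFMT defines. Rendering the BINARY formats as a single byte is an assumption; the page only says "binary 1 or 0".

```python
import re
from datetime import date

# Value sent when the bit is ON / OFF for each BITDEFLT format (BINARY assumed to be one byte).
BIT_FORMATS = {
    "BINARY": (b"\x01", b"\x00"), "BINARY_REV": (b"\x00", b"\x01"),
    "CHAR_01": ("1", "0"), "CHAR_REV01": ("0", "1"),
    "CHAR_YN": ("Y", "N"), "CHAR_REVYN": ("N", "Y"),
    "CHAR_TF": ("T", "F"), "CHAR_REVTF": ("F", "T"),
}

# Token order for each DATEFMT format; a trailing "1" in the name means '/' delimiters.
DATE_LAYOUTS = {
    "MMDDYYYY": ("MM", "DD", "YYYY"), "DDMMYYYY": ("DD", "MM", "YYYY"),
    "YYYYMMDD": ("YYYY", "MM", "DD"), "MMDDYY1": ("MM", "DD", "YY"),
    "DDMMYY1": ("DD", "MM", "YY"), "YYMMDD1": ("YY", "MM", "DD"),
}

def format_bit(on, fmt="CHAR_YN"):
    """Render a bit with a BITDEFLT / XREF bit format; an unknown format raises KeyError."""
    on_value, off_value = BIT_FORMATS[fmt]
    return on_value if on else off_value

def window_year(yy):
    """DATEFMT two-digit year rule: 70-99 -> 1970-1999, 00-69 -> 2000-2069."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year out of range: {yy}")
    return 1900 + yy if yy >= 70 else 2000 + yy

def format_date(iso_date, fmt="MMDDYYYY"):
    """Render an ISO date (YYYY-MM-DD) as the LDAP date string for a DATEFMT format."""
    d = date.fromisoformat(iso_date)
    parts = {"MM": f"{d.month:02d}", "DD": f"{d.day:02d}",
             "YYYY": f"{d.year:04d}", "YY": f"{d.year % 100:02d}"}
    sep = "/" if fmt.endswith("1") else ""
    return sep.join(parts[tok] for tok in DATE_LAYOUTS[fmt])

def parse_date(text, fmt="MMDDYYYY"):
    """Parse a DATEFMT string back to ISO. The year window is applied by hand because
    Python's strptime %y pivots at 68/69, not at 69/70 as DATEFMT does."""
    tokens = DATE_LAYOUTS[fmt]
    sep = "/" if fmt.endswith("1") else ""
    pattern = sep.join(f"(?P<{tok}>\\d{{{len(tok)}}})" for tok in tokens)
    m = re.fullmatch(pattern, text)
    if not m:
        raise ValueError(f"{text!r} is not a valid {fmt} date")
    vals = {tok: int(v) for tok, v in m.groupdict().items()}
    year = vals["YYYY"] if "YYYY" in vals else window_year(vals["YY"])
    return date(year, vals["MM"], vals["DD"]).isoformat()
```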

The keyword is used with:

Examples: LDAPNODE keyword

This example creates a new LDAPNODE named “testnode” with a single XREF sub field:

TSS ADD(NDT) LDAPNODE(testnode)
             ADMINDN('cn=USER1, o=CAI, c=USA')
             ADMPSWD(password)
             USERDNS('o=CAI, ou=TSS Team, c=USA')
             URL(ldap://ca.ldap.server:7000)
             XREF(ACIDNAME,ldap_attr_name1)

This example adds or modifies XREF sub fields for an existing LDAPNODE entry:

TSS ADD(NDT) LDAPNODE(testnode)
             XREF(DEPT,ldap_attr_name2)

This example removes XREF sub fields:

TSS REM(NDT) LDAPNODE(testnode)
             XREF(DEPT,ldap_attr_name2)

This example deletes an entire LDAPNODE definition:

TSS REM(NDT) LDAPNODE(testnode)

This example displays an LDAPNODE definition:

TSS LIST(NDT) LDAPNODE(ALL|testnode)

This example replaces an LDAPNODE definition:

TSS REP(NDT) LDAPNODE(testnode)
             ADMINDN('cn=USER1, o=CAI, c=USA')
             ADMPSWD(password)
             USERDNS('o=CAI, ou=TSS Team, c=USA')
             URL(ldap://ca.ldap.server:7000)
             XREF(DEPT,ldap_attr_name2)

The REP command removes all XREF entries.
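As an added example, not part of the CA documentation, a small Python lint that checks a definition like the ones above against the rules stated in this reference: ADMDN is required, exactly one of ADMPSWD or APPLNAME must be given, at most three URL entries in ldap[s]://host[:port] form, at most five SYSIDs per ADD, and a plain ldap:// URL without EXTENDED(YES) is flagged because the administrator bind then runs without SSL. The sample definition, node name, APPLNAME and hostnames are constructed.

```python
import re

# KEYWORD(value) pairs; quoted values may contain commas and spaces, as in ADMDN('cn=%L, o=CAI').
KEYWORD_RE = re.compile(r"([A-Z]+)\(((?:'[^']*'|[^()'])*)\)")
# The reference's URL syntax: ldap[s]://host[:port]
URL_RE = re.compile(r"^ldaps?://[^\s/:]+(:\d{1,5})?$")

# Constructed sample: plain ldap://, no EXTENDED(YES), and both password methods given.
SAMPLE_WEAK = """TSS ADDTO(NDT) LDAPNODE(weaknode)
               ADMDN('cn=ldsadmin, o=CAI, c=USA')
               ADMPSWD(secret)
               APPLNAME(LDSTKT)
               URL(ldap://ldap1.example.com:389,ldap://ldap2.example.com:389)
               XREF(ACIDNAME,cn)"""

def parse_tss_command(text):
    """Collect KEYWORD(value) pairs from a TSS command; repeated keywords accumulate."""
    found = {}
    for kw, val in KEYWORD_RE.findall(text):
        found.setdefault(kw, []).append(val.strip())
    return found

def values(kw, name):
    """All comma-separated items given for a keyword (e.g. URL or SYSID), across repeats."""
    return [v.strip() for val in kw.get(name, []) for v in val.split(",") if v.strip()]

def lint_ldapnode(text):
    """Return findings for a complete LDAPNODE definition, using the rules in the reference."""
    kw, findings = parse_tss_command(text), []
    if "LDAPNODE" not in kw:
        findings.append("LDAPNODE(node_name) is required")
    if not ("ADMDN" in kw or "ADMINDN" in kw):  # the reference spells it both ways
        findings.append("ADMDN is required")
    if ("ADMPSWD" in kw) == ("APPLNAME" in kw):
        findings.append("specify exactly one of ADMPSWD or APPLNAME; they are mutually exclusive")
    urls = values(kw, "URL")
    if not urls:
        findings.append("URL is required")
    if len(urls) > 3:
        findings.append("at most three URL entries (primary plus backups) are allowed")
    findings += [f"URL {u!r} does not match ldap[s]://host[:port]" for u in urls if not URL_RE.match(u)]
    extended = kw.get("EXTENDED", ["NO"])[-1].upper() == "YES"
    if any(u.startswith("ldap://") for u in urls) and not extended:
        findings.append("ldap:// without EXTENDED(YES): the administrator bind is not protected by SSL")
    if len(values(kw, "SYSID")) > 5:
        findings.append("SYSID lists more than five system IDs; use multiple ADD commands")
    if "XREF" not in kw:
        findings.append("XREF is required")
    return findings
```

Run against the first example on this page, the lint reports only the unprotected ldap:// bind.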