Where does the Distinguished Name come from in CA LDAP?

Article ID: 126194

Updated On:

Products

Top Secret Top Secret - LDAP

Issue/Introduction

How do you get the Distinguished Name for CA LDAP?

Where do you get the Distinguished Names from in the slapd.conf file?

Environment

Release:
Component: TSSLDP

Resolution

In your slapd.conf file you specify the distinguished name. 

It can be anything and is up to you. 

CA LDAP supports multiple backends. Think of a backend as what CA LDAP is talking to, extracting information from, and updating information in.
1. CA Top Secret 
2. CA ACF2 
3. WebAdmin 
4. DB2 
5. Datacom 

You give each of these backends a distinguished name. If you are using multiple backends, you specify the distinguished name for that backend on the LDAP query/command so CA LDAP knows which backend you want the data from.

Example slapd.conf. 

You are using two backends with CA LDAP. CA Top Secret and DB2. 

############################################################### 
# catss_dn database specific definition
# This definition is for Web Admin 
############################################################### 
database catss_dn 
suffix "host=TSSHOST_im,o=Company ABC,c=us" 
naming_mode im 
... 
... 
... 
############################################################### 
# This section is *optional* 
# Use this to store & retrieve data from DB2. This 
# option can not be used to access existing data. 
############################################################### 
database db2_perf 
suffix "o=DB2HOST,o=Company ABC,c=us" 
... 
... 
... 

"host=TSSHOST_im,o=Company ABC,c=us" is the backend for TSS. 

"o=DB2HOST,o=Company ABC,c=us" is the backend for DB2. 

Let's say you wanted to list acids that start with 'H'.

Your user program would need to issue the following LDAP query/command to the CA LDAP server to extract that information: 

ldapsearch -x -D cn=admuser -w admpswd -h 123.456.789.10 -p 389 -s one -b "tssadmingrp=acids,host=TSSHOST_im,o=Company ABC,c=us" "(tssacid=H*)"

Notes: 
'admuser' is an authorized TSS admin that has the admin ability in TSS to LIST all acids. If the admin doesn't have the proper TSS admin authority, the above query will fail.

'admpswd' is the admin's password used to validate the signon of the admin.

'123.456.789.10' is the IP address of the CA LDAP server. You can also use a URL like 'CompanyABC.com'.

'389' is the port assigned to CA LDAP which you specified in the slapd.conf file. 

'tssadmingrp=acids' and 'tssacid=H*' are the object classes that are available for you to extract/update in CA Top Secret. Think of the object classes as the various fields when you TSS LIST an acid. They are documented at:
https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/configuring/configuring-ca-ldap-server/configure-the-catss_utf-backend/user-friendly-name-override-file-ca-top-secret-to-ca-ldap-server 
The following link documents the ldapsearch command: 
https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/command-reference/commands-for-ca-ldap-server/command-line-utilities-ldap/ldapsearch-search-ldap-objects 

'host=TSSHOST_im,o=Company ABC,c=us' is the distinguished name for the TSS backend which you specified in the slapd.conf. It tells CA LDAP to extract the information from the TSS backend and not the DB2 backend.
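The following is an added example, not part of the original article or of CA LDAP itself. It reads the database/suffix directives from a slapd.conf and reports which backend a given search base (-b) falls under, so a query can be checked before it is run. The function names, the case-insensitive comparison and the longest-suffix-wins rule are assumptions of this sketch; the sample configuration is constructed from the article's example with the elided lines left out.

```python
import re

# Constructed sample: the two database sections from the article's slapd.conf,
# without the elided "..." lines.
SAMPLE_CONF = '''
database catss_dn
suffix "host=TSSHOST_im,o=Company ABC,c=us"
naming_mode im

database db2_perf
suffix "o=DB2HOST,o=Company ABC,c=us"
'''

def normalize_dn(dn):
    """Split a DN on unescaped commas into lower-cased 'attr=value' RDNs."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)

def parse_backends(conf_text):
    """Return {normalized suffix: database name} from database/suffix directives."""
    backends, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ''
        if keyword == 'database':
            current = arg
        elif keyword == 'suffix' and current:
            backends[normalize_dn(arg.strip('"'))] = current
    return backends

def backend_for(base_dn, backends):
    """Pick the backend whose suffix is the longest trailing match of base_dn."""
    base = normalize_dn(base_dn)
    best = None
    for suffix, name in backends.items():
        if len(suffix) <= len(base) and base[-len(suffix):] == suffix:
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, name)
    return best[1] if best else None  # None: no configured backend serves this base

if __name__ == '__main__':
    backends = parse_backends(SAMPLE_CONF)
    print(backend_for('tssadmingrp=acids,host=TSSHOST_im,o=Company ABC,c=us', backends))
```

A result of None means the search base does not end in any suffix defined in the configuration, so no backend would be selected for it.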