Is it possible for the user associated to the CALDAP started task be a UID of non-zero in ACF2?

Article ID: 141380

Products

CA ACF2
CA ACF2 - DB2 Option
CA ACF2 for zVM
CA ACF2 - z/OS
CA ACF2 - MISC
CA LDAP Server for z/OS

Issue/Introduction

Is it possible for the user associated to the CALDAP started task be a UID of non-zero in ACF2? What rules are necessary to implement a user with a non-zero UID?

Environment

Release : 16.0

Component : CA LDAP Server for z/OS

Resolution

ACF2 highly recommends using UID(0) for the started task user. With that said, it is possible to use another UID value. The following is a sample of the rules needed to allow access for LDAP functions when the started task runs under a non-zero UID (replace uidstring with the UID string assigned to the started task user).

SET RULE
RECKEY TCPIP ADD(-  UID(uidstring) R(A))
RECKEY slapd ADD(env.steplib  UID(uidstring) R(A))
SET R(FAC)
RECKEY BPX ADD(DAEMON.HFSCTL UID(uidstring) SERVICE(READ) ALLOW)
RECKEY BPX ADD(CONSOLE UID(uidstring) SERVICE(READ) ALLOW)
RECKEY BPX ADD(FILE UID(uidstring) SERVICE(READ) ALLOW)
RECKEY BPX ADD(SERVER UID(uidstring) SERVICE(READ) ALLOW)
RECKEY BPX ADD(STOR.SWAP UID(uidstring) SERVICE(READ) ALLOW)
RECKEY IARRSM ADD(LRGPAGES UID(uidstring) SERVICE(READ) ALLOW)
SET R(SER)
RECKEY EZB ADD(STACKACCESS.- UID(uidstring) SERVICE(READ) ALLOW)
RECKEY EZB ADD(PORTACCESS.- UID(uidstring) SERVICE(READ) ALLOW)
RECKEY EZB ADD(NETACCESS.- UID(uidstring) SERVICE(READ) ALLOW)

Every LDAP environment is unique. To ensure that all required accesses are granted, run a SECTRACE on a test system for a while. The trace will show the access attempts LDAP is making and the resource(s) to which it may need greater authority, so that rules can be added for those resources rather than granting UID(0).