Description:
When I try to list RACF objects (groups, permissions and users) from an LDAP browser, for example, JXplorer, the list fails with LDAP: error code 49 - ICH408 and CSV025I.
Messages similar to these may be seen regarding the RACF address space userID.
BPXM023I (CALDAP) 096
LDP4904I CA LDAP Server is processing a SEARCH CLASS(USER) for all
USERS per a request from IP=123.123.123.20:4460 on behalf of IAMTEST
ICH408I USER(RACF ) GROUP(STCGROUP) NAME(STC RACF ) 097
SETROPTS CL(PROGRAM )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER UNAUTHORIZED
IEF196I CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER
IEF196I UNAUTHORIZED
CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
This can be resolved by assigning the TRUSTED attribute to the RACF subsystem address space profile.
Solution:
Within the RACF_UTF backend, use of the R_Admin callable service requires that you assign the TRUSTED attribute to the RACF subsystem address space profile. A TRUSTED address space is treated as part of the trusted computing base. Contact your security administrator for implementation.
See the section "Assigning the RACF TRUSTED Attribute" in the IBM z/OS MVS Initialization and Tuning Reference for more information.
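For triage, the ICH408I shown in the Description can be parsed into one record and checked against the accompanying CSV025I. The following is an added example, not part of the original article or of CA LDAP Server; the function names are this example's own, and it assumes the continuation lines follow the ICH408I header unprefixed, as in the excerpt above.

```python
import re

# Constructed sample: the console messages quoted in the Description.
SAMPLE = """\
ICH408I USER(RACF ) GROUP(STCGROUP) NAME(STC RACF ) 097
SETROPTS CL(PROGRAM )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER UNAUTHORIZED
IEF196I CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER
IEF196I UNAUTHORIZED
CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
"""

HEAD = re.compile(r"^ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)")
RES = re.compile(r"^(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
ACC = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")
CSV025 = re.compile(r"^CSV025I PROGRAM CONTROLLED MODULE (?P<module>\S+) NOT ACCESSED")
MSGID = re.compile(r"^[A-Z]{3,}\d{3,}[A-Z]\s")  # any new message ID ends the ICH408I

def _fields(match):
    return {k: v.strip() for k, v in match.groupdict().items()}

def parse_violations(text):
    """Return one dict per ICH408I, continuation lines folded into it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    blocked = {m.group("module") for l in lines if (m := CSV025.match(l))}
    found, cur = [], None
    for line in lines:
        if (m := HEAD.match(line)):
            cur = _fields(m)
            found.append(cur)
        elif MSGID.match(line):
            cur = None
        elif cur is not None:
            if "resource" not in cur and (m := RES.match(line)):
                cur.update(_fields(m))
            elif (m := ACC.search(line)):
                cur.update(_fields(m))
            else:
                cur.setdefault("reason", line)
    for v in found:
        # Denial on a PROGRAM-class resource that CSV025I also reports as not accessed
        v["program_control"] = v.get("cls") == "PROGRAM" and v.get("resource") in blocked
    return found

if __name__ == "__main__":
    for v in parse_violations(SAMPLE):
        print(v)
```

A record with `program_control` set to true and `user` equal to the RACF subsystem address space user ID is the pattern this article describes.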