How can the LDAP Server search operation be used to perform authorization checks against the ACF2 Security database?

Article ID: 29085

Products

LDAP SERVER FOR Z/OS

Issue/Introduction

The ldapsearch 'RESCHECK' authorization check can be used to perform an ACF2 resource rule check or dataset rule check through the LDAP Server.
In this example the ldapsearch binds as logonid USER002 (password USER002) and asks whether logonid usrtest has update access to dataset SYS1.PARMLIB.
The command is kept in the file rescheck.inp, which is created in USS and executed from OMVS.

    Resolution

    LDAPSEARCH RESCHECK Example

    Contents of /u/users/ldapr151/rescheck.inp:

    ./ldapsearch -x -D cn=USER002 -w USER002 -h SYS1234 -p 389 -s base -b \
    host=SYS1234.CA.COM,o=TEST,c=us    \
    rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE

    Note: "\" is the continuation character for the above command.

     

    * ==================================================================*
    * Example RESCHECK deny
    * ==================================================================*

    To invoke, go to OMVS, change to the directory and execute the rescheck.inp file:

    $ cd /u/users/ldapr151/
    $ rescheck.inp
    ldap_bind: Success (0)
            additional info: ACF01137 USER002 LAST SYSTEM ACCESS 08.52-09/11/14 FROM 8DCA2485
    # extended LDIF
    #
    # LDAPv3
    # base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject
    # filter: rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE
    # requesting: ALL
    #

    # search result
    search: 2
    result: 50 Insufficient access
    text: LDP1105E Access denied

    # numResponses: 1
    $

                                                                       

    * ==================================================================*
    * Example RESCHECK allow (change the logonid from usrtest to usrsuper)
    * ==================================================================*

    To invoke, go to OMVS, change to the directory and execute the rescheck.inp file:

    $ cd /u/users/ldapr151/
    $ rescheck.inp

    ldap_bind: Success (0)
            additional info: ACF01137 USER002 LAST SYSTEM ACCESS 09.30-09/18/14 FROM A28LO903
    # extended LDIF
    #
    # LDAPv3
    # base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject
    # filter: rescheck=usrsuper,update,dataset,SYS1.PARMLIB,NONE
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1
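    As an added example (not from the article or the product), a small POSIX shell wrapper that builds the RESCHECK filter and turns the LDIF result code shown above into an explicit ALLOW/DENY/ERROR verdict, so a failed query is never mistaken for a permitted access. It assumes the bind DN, password, host, port and base DN are supplied in environment variables (BIND_DN, BIND_PW, LDAP_HOST, LDAP_PORT, BASE_DN) and that ldapsearch is on PATH; those names are this example's own.

```shell
#!/bin/sh
# Added example: wrap the LDAP Server RESCHECK query and interpret its result.
# Assumed (not in the article): connection settings come from the environment
# BIND_DN, BIND_PW, LDAP_HOST, LDAP_PORT (default 389) and BASE_DN.

# Build the filter in the form the article uses:
# rescheck=<logonid>,<access>,<class>,<resource>,<log option>
build_rescheck_filter() {
    # $1 logonid  $2 access (e.g. update)  $3 class (e.g. dataset)
    # $4 resource (e.g. SYS1.PARMLIB)  $5 log option (e.g. NONE)
    printf 'rescheck=%s,%s,%s,%s,%s' "$1" "$2" "$3" "$4" "$5"
}

# Map the "result: <code> <text>" line of the LDIF output to a verdict:
#   result: 0 Success              -> ALLOW  (rule check passed)
#   result: 50 Insufficient access -> DENY   (ACF2 denied the access)
# Any other output (bind failure, no result line, unexpected code) -> ERROR,
# so callers treat "could not check" differently from "access permitted".
interpret_rescheck_result() {
    rc=$(printf '%s\n' "$1" | sed -n 's/^result: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$rc" in
        0)  echo ALLOW ;;
        50) echo DENY ;;
        *)  echo ERROR ;;
    esac
}

# Run a live check: rescheck <logonid> <access> <class> <resource> <logopt>
# Prints ALLOW, DENY or ERROR; the raw ldapsearch output is kept in $out for
# logging if needed.
rescheck() {
    filter=$(build_rescheck_filter "$@")
    out=$(ldapsearch -x -D "$BIND_DN" -w "$BIND_PW" -h "$LDAP_HOST" \
        -p "${LDAP_PORT:-389}" -s base -b "$BASE_DN" "$filter" 2>&1)
    interpret_rescheck_result "$out"
}
```

    For example, `rescheck usrtest update dataset SYS1.PARMLIB NONE` reproduces the deny case above and prints DENY, while the same call with usrsuper prints ALLOW.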

     

    For details on ldapsearch parameters see the CA LDAP Server for z/OS Product Guide Release 15.1.00,
    Appendix A: z/OS UNIX System Services Command Line Utilities section 'ldapsearch–Search LDAP Objects'.