An alias for a user catalog is not created when inserting a new logonid using CA Web Administrator for ACF2 via CA LDAP Server.

Article ID: 50072

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA-24X7 High-Availability Manager for DB2 for z/OS CA-Batch Processor Compile QQF CA Data Compressor for DB2 for z/OS Data Navigator for DB2 UDB for z/OS CA-DB Delivery for DB2 CA Unicenter NSM CA Log Compress DBA for DB2 Guide Online CA InfoRefiner Advantage InfoRefiner Advantage InfoRefiner Maint Upgrade CA InfoTransport Advantage InfoTransport Maint Upgrade Online Reorg for DB2 for z/OS CA RC/Update for DB2 for z/OS Query Analyzer RI Editor for DB2 for z/OS DB2 TOOLS- DATABASE MISC CA PanApt CA PanAudit CA Top Secret CA Top Secret - LDAP

Issue/Introduction

Description:

The CAACF2_UTF backend has an option that will automatically create an alias when the TSO attribute is included with the insert of a new logonid.
This is not working for me - what is wrong?
Here is what I have in the slapd.conf file for CA LDAP Server:

CreateAlias Relate(' SYS1.MASTCAT')

The logonid is inserted in the ACF2 database, but there is no alias created.

The problem is that the CreateAlias parameter is specified incorrectly.

Solution:

The correct format of the CreateAlias parameter in the CA LDAP Server configuration file, slapd.conf, is:

CreateAlias usercat mastercat

For example, if you want to set up CA LDAP Server to create an alias for each TSO userid created in TSOZ.USERCAT, you would specify the CreateAlias parameter in the CA LDAP slapd.conf file as:

CreateAlias TSOZ.USERCAT SYS1.MASTCAT

No quotes are needed around the catalog name. If you only want to use the master catalog, which is the default, then you can just code the CreateAlias statement with the user catalog name.
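A pre-deployment check for the format described above, as an added example that is not part of the original article or of CA LDAP Server: it flags CreateAlias lines that carry quotes or parentheses, the wrong number of arguments, or a name that is not a valid z/OS data set name. The function names, the '#' comment handling and the case-insensitive keyword match are assumptions.

```python
import re

# Data set name qualifier: 1-8 characters, first alphabetic or national (@ # $),
# remainder alphanumeric, national or hyphen. Whole name at most 44 characters.
QUALIFIER = re.compile(r"[A-Z@#$][A-Z0-9@#$-]{0,7}", re.IGNORECASE)

def valid_dsname(name):
    """True if name is a syntactically valid z/OS data set name."""
    return 0 < len(name) <= 44 and all(
        QUALIFIER.fullmatch(q) for q in name.split("."))

def check_createalias(conf_text):
    """Return (line_number, message) for each malformed CreateAlias line."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.split()
        # Assumption: '#' starts a comment and the keyword is case-insensitive.
        if not parts or parts[0].startswith("#") or parts[0].lower() != "createalias":
            continue
        args = parts[1:]
        if any(c in a for a in args for c in "'\"()"):
            problems.append((lineno, "quotes/parentheses are not valid; use bare catalog names"))
        elif not 1 <= len(args) <= 2:
            problems.append((lineno, "expected: CreateAlias usercat [mastercat]"))
        elif not all(valid_dsname(a) for a in args):
            problems.append((lineno, "argument is not a valid data set name"))
    return problems

# Constructed sample input (not from a real system).
SAMPLE = """\
# CA LDAP Server configuration fragment
CreateAlias Relate(' SYS1.MASTCAT')
CreateAlias TSOZ.USERCAT SYS1.MASTCAT
CreateAlias TSOZ.USERCAT
CreateAlias 'TSOZ.USERCAT'
"""

if __name__ == "__main__":
    for lineno, msg in check_createalias(SAMPLE):
        print(f"line {lineno}: {msg}")
```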

One other requirement is that the LDAP address space needs authority to spawn tasks and must be a superuser. That can be done either by giving the logonid record an OMVS profile with UID(0), or by coding BPX rules in the FACILITY class to give the logonid the needed access.

Here is a sample of the needed rules:

$KEY(BPX) TYPE(FAC)        
 DAEMON UID(uid string of LDAP lidrec) SERVICE(READ) ALLOW 
 SUPERUSER UID(uid string of LDAP lidrec) ALLOW

Since the FAC rules are resident, make sure the command F ACF2,REBUILD(FAC) is issued after any rule changes.

Environment

Release:
Component: ACFLDP