Adding Profile with LDAP No Longer Work with LDAP r14.0

book

Article ID: 51282

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA-24X7 High-Availability Manager for DB2 for z/OS CA-Batch Processor Compile QQF CA Data Compressor for DB2 for z/OS CA Unicenter NSM CA RC/Update for DB2 for z/OS DB2 TOOLS- DATABASE MISC CA Top Secret CA Top Secret - LDAP

Issue/Introduction

Description:

Using the same LDAP command with the same LDIF file to add a profile to an acid works with CA LDAP r12.0 and fails with CA LDAP r14.0

The LDAP command is as follows:

ldapmodify -x -D cn=User_Authorized -w Password -v -h Ip_Address p Port_Number -f Ldif_File

The LDIF file is as follows:

dn:tssproflist=#PROFID,tssacidgrp=proflist,tssacid=ACIDNAME,tssadmingrp=acids,host=hostname
changetype: add
Profile-Names: #PROFID

Solution:

A number of changes to CA LDAP Server in r14 have been made in order to better conform to the LDAP protocol specifications.
The LDAP protocol requires that the following characters be escaped when they appear in DNs:

, \ # + < > ; " =

In LDAP r12 we largely ignored this requirement, so the LDIF, while technically invalid, was accepted without complaint.
LDAP r14 does much stricter checking on the content of the DN, and so it rejects this request.

You can escape special characters by prefixing them with the \ character.
LDIF file needs to be changed from:

dn: tssproflist=#PROFID,tssacidgrp=proflist,... (snipped)

to

dn: tssproflist=\#PROFID,tssacidgrp=proflist,... (snipped)

Environment

Release:
Component: TSSLDP