Why do I need a BPX.SRV.userid profile with CA LDAP Server for RACF?
Article ID: 72951
Products
ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, 24X7 High-Availability Manager for DB2 for z/OS, Batch Processor, Compile QQF, Data Compressor for DB2 for z/OS, CA Unicenter NSM, RC/Update for DB2 for z/OS, DB2 TOOLS- DATABASE MISC, PanApt, PanAudit
Issue/Introduction
Install instructions for CA LDAP Server under RACF show the following:

    RDEFINE SURROGAT BPX.SRV.SVIAMMEP UACC(NONE) -
      OWNER(SECADMIN) DATA('Surrogat for CA LDAP') -
      AUDIT(ALL(READ))
    PERMIT BPX.SRV.SVIAMMEP CLASS(SURROGAT) ACCESS(READ) ID(LDAPUSER)
    SETROPTS GENERIC(SURROGAT) RACLIST(SURROGAT) REFRESH

Why do I need to provide the BPX.SRV.userid profile in the SURROGAT class?
Environment
Release: LDAP..00200-15.1-LDAP Server Component:
Resolution
The SPAWN process is controlled by BPX.DAEMON in the FACILITY class. BPX.DAEMON controls all of these functions:

    seteuid
    setuid
    setreuid
    pthread_security_np()
    auth_check_resource_np()
    _login()
    _spawn() with user ID change
    _passwd()
The one that LDAP is processing is _spawn() with user ID change.
If you have BPX.DAEMON access and you are UID(0), you can issue the spawn with user ID change without needing BPX.SRV.userid in the SURROGAT class. If you have BPX.DAEMON access and are NOT UID(0), you also need access to BPX.SRV.userid in the SURROGAT class.
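
To see which of the two cases applies on a given system, the batch TSO job below lists the three items the rule depends on. It is an added example, not part of the CA install instructions; LDAPUSER and SVIAMMEP are taken from the install commands above, and the job card values are placeholders.

```jcl
//RACFCHK  JOB (ACCT),'LDAP SURROGAT CHECK',CLASS=A,MSGCLASS=X
//*
//* Added example: job name, accounting data and classes are
//* placeholders. LDAPUSER is the ID that issues the spawn and
//* SVIAMMEP is the target user ID from the install commands.
//*
//* 1. LISTUSER ... OMVS shows the UID= value of LDAPUSER.
//*    UID 0 plus BPX.DAEMON access needs no SURROGAT profile.
//* 2. RLIST FACILITY BPX.DAEMON AUTHUSER shows whether LDAPUSER
//*    (or one of its groups) is on the BPX.DAEMON access list.
//* 3. RLIST SURROGAT BPX.SRV.SVIAMMEP AUTHUSER shows UACC, the
//*    AUDIT setting and whether LDAPUSER has READ. This access
//*    is required when LDAPUSER is not UID 0.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTUSER LDAPUSER OMVS NORACF
  RLIST FACILITY BPX.DAEMON AUTHUSER
  RLIST SURROGAT BPX.SRV.SVIAMMEP AUTHUSER
/*
```

The submitting user needs enough RACF authority to list these profiles; otherwise the commands return a not-authorized message in SYSTSPRT instead of the access lists.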