Why do I need a BPX.SRV.userid profile with CA LDAP Server for RACF

Article ID: 72951

Issue/Introduction

The install instructions for CA LDAP Server under RACF show the following:
RDEFINE SURROGAT BPX.SRV.SVIAMMEP UACC(NONE) -
  OWNER(SECADMIN) DATA('Surrogat for CA LDAP') -
  AUDIT(ALL(READ))
PERMIT BPX.SRV.SVIAMMEP CLASS(SURROGAT) ACCESS(READ) ID(LDAPUSER)
SETROPTS GENERIC(SURROGAT) RACLIST(SURROGAT) REFRESH

Why do I need to provide the BPX.SRV.userid profile in the SURROGAT class?

Environment

Release: LDAP..00200-15.1-LDAP Server
Component:

Resolution

The spawn is controlled by the BPX.DAEMON profile in the FACILITY class.
BPX.DAEMON controls all of these functions:
seteuid
setuid
setreuid
pthread_security_np()
auth_check_resource_np()
_login()
_spawn() with user ID change
_passwd()

The one that CA LDAP Server uses is:
_spawn() with user ID change

If you have BPX.DAEMON access and you are UID(0), you can issue the spawn with user ID change without needing BPX.SRV.userid in the SURROGAT class.
If you have BPX.DAEMON access and are NOT UID(0), you also need access to BPX.SRV.userid in the SURROGAT class (the PERMIT with ACCESS(READ) shown above).
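The rule in this resolution, modelled as an added Python example (not CA LDAP Server's or RACF's own code). It assumes a FACILITY BPX.DAEMON profile on which LDAPUSER has been permitted READ (the article requires this access but does not show the commands), and the target user OTHERUSR used for comparison is constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed model of the authorization decision described in the resolution.
# Simplifications (assumptions): generic profiles use '*' only, a resource with
# no matching profile yields NONE, and group permits are not modelled.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    name: str                         # e.g. "BPX.SRV.SVIAMMEP" or generic "BPX.SRV.*"
    uacc: str = "NONE"                # access for users not on the access list
    permits: dict = field(default_factory=dict)   # userid -> access level

@dataclass
class User:
    userid: str
    uid: int                          # OMVS UID; 0 means superuser

def racf_access(profiles, class_name, resource, userid):
    """Access `userid` holds on `resource`: pick the most specific matching
    profile (longest after removing wildcards); an access-list entry beats UACC."""
    matches = [p for p in profiles.get(class_name, []) if fnmatchcase(resource, p.name)]
    if not matches:
        return "NONE"
    best = max(matches, key=lambda p: len(p.name.replace("*", "")))
    return best.permits.get(userid, best.uacc)

def at_least_read(level):
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("READ")

def spawn_user_change_allowed(profiles, caller, target_userid):
    """The rule from the resolution: BPX.DAEMON is always required; a UID(0)
    caller then needs nothing else, a non-UID(0) caller also needs READ on
    SURROGAT BPX.SRV.<target userid>."""
    if not at_least_read(racf_access(profiles, "FACILITY", "BPX.DAEMON", caller.userid)):
        return False
    if caller.uid == 0:
        return True
    return at_least_read(racf_access(profiles, "SURROGAT", f"BPX.SRV.{target_userid}", caller.userid))

# Constructed RACF state matching the article's commands, plus the assumed
# FACILITY BPX.DAEMON profile on which LDAPUSER holds READ.
PROFILES = {
    "FACILITY": [Profile("BPX.DAEMON", permits={"LDAPUSER": "READ"})],
    "SURROGAT": [Profile("BPX.SRV.SVIAMMEP", permits={"LDAPUSER": "READ"})],
}
```

Running LDAPUSER as UID(0) against any target succeeds, while a non-UID(0) LDAPUSER succeeds only for SVIAMMEP, which is exactly why the install instructions define the SURROGAT profile.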