IBM Support

PK81733: mod_authnz_ldap can't pass simple enough filter to be used with SDBM-backed LDAP (RACF over LDAP) running on z/OS

APAR status

  • Closed as program error.

Error description

  • When AuthLDAPURL points to a z/OS LDAP server that is SDBM (RACF)
    based, the server cannot accept standard LDAP search filters.
    Other LDAP backends are not affected.
    
    The error log reports the following generic message:
       Directory server is unwilling to perform the operation
    
    The platform of the webserver is not relevant.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IHS 7.0 users on any platform who point to   *
    * a z/OS system running SDBM/RACF-backed LDAP with their       *
    * AuthLDAPUrl directive                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: LDAP authentication error when LDAP     *
    * server is RACF-based.                                        *
    ****************************************************************
    * RECOMMENDATION: Apply this fix if your environment matches   *
    * the error description and your LDAP server is hosted on z/OS *
    ****************************************************************
    SDBM/RACF-backed LDAP on z/OS does not support the same search
    and filter semantics of a typical LDAP server, including
    verbatim filters from the LDAP RFC.
    By default, mod_authnz_ldap uses a no-op (objectClass=*) term
    as a filter unless overridden.  When combined with the term
    required to look up the authenticating user, this results in
    (&(cn=user1)(objectClass=*)), which is not permitted by SDBM.
    

Problem conclusion

  • mod_authnz_ldap was modified to allow a new special value of
    "none" in the AuthLDAPUrl directive where the search filter
    is specified. The filter is the final parameter below:
    AuthLDAPURL  ldap://example.com/o=apache,c=US?racfid?sub?none
    This results in a user-lookup filter of simply (racfid=user1)
    which is accepted by SDBM.
    Using LDAP with RACF/SDBM on z/OS:
     - The first parameter after the port on AuthLDAPURL should
       generally be your "LDAP suffix" configured in the z/OS LDAP
       server. In the example above, this is "o=apache,c=US".
     - The second parameter on AuthLDAPURL is the attribute in LDAP
       that the webserver will use to determine a web user's LDAP
       distinguished name.  'racfid' is commonly used with z/OS
       LDAP.
     - If using LDAP groups for authorization, specify the group's
       distinguished name, such as Require ldap-group
       racfid=GROUP02,profiletype=GROUP,o=MYSUFFIX, and specify
       'AuthLDAPGroupAttribute racfgroupuserids' to allow the
       webserver to resolve groups.
    This fix is targeted for IHS fixpacks:
     - 7.0.0.5
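To make the filter composition described in the problem summary and conclusion concrete, the following is an added Python model; it is not mod_authnz_ldap's source and not IBM's code. It parses an AuthLDAPURL of the form ldap://host[:port]/basedn?attribute?scope?filter, applies the module's documented defaults (attribute uid, scope sub, filter (objectClass=*)), and shows how the special filter value "none" collapses the user lookup to the single-term filter that SDBM accepts. The RFC 4515 escaping of the supplied user name is this example's own addition, included because the user name is untrusted input to the filter; the function names parse_auth_ldap_url, build_user_filter and escape_filter_value are assumptions of this example.

```python
"""Added illustration (not mod_authnz_ldap's or IBM's code) of how the
user-lookup filter is derived from an AuthLDAPURL, including the special
filter value "none" introduced by this APAR."""
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes for characters that would otherwise change a filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so a user name cannot add or alter filter terms."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap://host[:port]/basedn?attribute?scope?filter into its parts.

    Defaults follow the mod_authnz_ldap documentation: attribute "uid",
    scope "sub", filter "(objectClass=*)".  The literal value "none"
    (this APAR) is represented as filter=None, meaning "add no extra term".
    """
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # pad missing trailing parameters
    attribute, scope, search_filter = (unquote(f) for f in fields[:3])

    if search_filter == "none":                 # the special value added by PK81733
        extra_filter = None
    elif search_filter == "":
        extra_filter = "(objectClass=*)"        # the module's default no-op term
    elif search_filter.startswith("("):
        extra_filter = search_filter
    else:
        extra_filter = f"({search_filter})"     # filter may be given with or without parens

    return {
        "host": parts.hostname,
        "port": parts.port,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": extra_filter,
    }


def build_user_filter(url: str, username: str) -> str:
    """Return the search filter used to find the web user's entry under base_dn.

    Term order follows the APAR text: (&(<attribute>=<user>)<filter>).
    """
    cfg = parse_auth_ldap_url(url)
    user_term = f"({cfg['attribute']}={escape_filter_value(username)})"
    if cfg["filter"] is None:
        return user_term                        # single-term filter: what SDBM/RACF accepts
    return f"(&{user_term}{cfg['filter']})"


if __name__ == "__main__":
    racf_url = "ldap://example.com/o=apache,c=US?racfid?sub?none"   # the APAR's example URL
    generic_url = "ldap://example.com/o=apache,c=US?cn?sub"          # constructed: default filter
    print(build_user_filter(racf_url, "user1"))      # (racfid=user1)
    print(build_user_filter(generic_url, "user1"))   # (&(cn=user1)(objectClass=*))
    # Filter metacharacters in a user name are escaped, not interpreted:
    print(build_user_filter(racf_url, "user1)(racfid=*"))   # (racfid=user1\29\28racfid=\2a)
```

The first printed line is exactly the (racfid=user1) filter the conclusion says SDBM accepts; the second is the (&(cn=user1)(objectClass=*)) form the summary says it rejects. The escaping step is the check a practitioner would want alongside this configuration: with the objectClass guard term gone, the lookup filter is built entirely from the configured attribute and the user-supplied name, so the name must be escaped before it is spliced in.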
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK81733

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2009-03-03

  • Closed date

    2009-05-01

  • Last modified date

    2019-02-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels


Document Information

Modified date:
14 December 2020