The z/OS® LDAP Changelog
Connector is a specialized instance of the LDAP
Connector. It is configured for usage with a z/OS Directory Server,
accessed using the LDAP protocol over TCP/IP ("zLDAP").
There are some differences in the way the changes to password
policy operational attributes are logged to cn=changelog in IBM® Tivoli® Directory
Server on z/OS and in Distributed IBM Tivoli Directory Server (which
runs on other platforms). See Differences between changelog on distributed TDS and z/OS TDS for details
on the currently known differences in behavior between the two versions.
This connector supports Delta Tagging, at the Entry level,
the Attribute level and the Attribute Value level. It is the LDIF
Parser that provides delta support at the Attribute and Attribute
Value levels.
This connector is able to intercept changes from the changelog
of a RACF® (Resource Access
Control Facility) LDAP server. RACF is the security manager of z/OS
and it maintains a database containing usernames and passwords. Changes
to this database can be logged in the changelog of an LDAP server
such as IBM Tivoli Directory Server (TDS). The changelog of
this server can be accessed trough the GDBM LDAP interface and the
RACF database itself - through the SDBM interface. This connector
is suitable for propagating changes of sensitive information (usernames,
passwords, and so forth) across LDAP servers on different z/OS machines
or other distributed platforms.
In older versions of Tivoli Directory
Integrator, in the z/OS LDAP Changelog Connector
merging occurs between Attributes of the changelog Entry and changed
Attributes of the actual Directory Entry. This creates issues because
you cannot detect the attributes that have changed. The Tivoli Directory
Integrator 7.1.1 version
of the Connector has logic to address these situations, configured
by a parameter: Merge Mode. The modes are:
Merge changelog and changed data - The Connector
merges the attributes of the Changelog Entry with changed attributes
of the actual Directory Entry. This is the older implementation and
keeps compatibility with earlier versions.
Return only changed data - Returns only
the modified/added attributes and makes Changelog Iterator and Delta
mode easier. This is the default; note that in configurations developed
under and migrated from earlier versions of Tivoli Directory
Integrator, you may need to
select Merge changelog and changed data manually
so as to ensure identical behavior.
Return both - Returns an Entry which contains
changed attributes of the actual Directory Entry and an additional
attribute called "changelog" which contains attributes of the Changelog
Entry. Allows you to easily distinguish between two sets of Attributes.
Delta tagging is supported in all merge modes and entries can be
transferred between different LDAP servers without much scripting.
The LDAP URL for the connection (ldap://host:port).
Login username
The LDAP distinguished name used for authentication to the server.
Leave blank for anonymous access.
Login password
The credentials (password).
Authentication Method
Type of LDAP authentication. Can be one of the following:
Anonymous - If this authentication
method is set then the server, to which a client is connected, does
not know or care who the client is. The server allows such clients
to access data configured for non-authenticated users. The
Connector automatically specifies this authentication method if no
username is supplied. However, if this type of authentication is chosen
and Login username and Login
password are supplied, then the Connector automatically sets
the authentication method to Simple.
Simple - using Login
username and Login password. Treated as
anonymous if Login username and Login
password are not provided. Note that the Connector sends the
fully qualified distinguished name and the client password in cleartext,
unless you configure the Connector to communicate with the LDAP Server
using the SSL protocol.
CRAM-MD5 - This is one of
the SASL authentication mechanisms. On connection, the LDAP Server
sends some data to the LDAP client (that is, this Connector). Then
the client sends an encrypted response, with password, using MD5 encryption.
After that, the LDAP Server checks the password of the client. CRAM-MD5
is supported only by LDAP v3 servers. It is not supported against
any supported versions of Tivoli Directory Server.
SASL - The client (this Connector)
will use a Simple Authentication and Security Layer (SASL) authentication
method when connecting to the LDAP Server. Operational parameters
for this type of authentication will need to be specified using the Extra Provider Parameters option; for example, in
order to setup a DIGEST-MD5 authentication you will need to add the
following parameter in the Extra Provider Parameters field:
Not all directory servers support all SASL mechanisms and
in some cases do not have them enabled by default. Check the documentation
and configuration options for the directory server you are connecting
to for this information.
Use SSL
If Use SSL is true (that is, checked),
the Connector uses SSL to connect to the LDAP server. Note that the
port number might need to be changed accordingly.
ChangeLog Base
The search base where the Changelog is kept. The standard
DN for this is cn=changelog.
Extra Provider Parameters
Allows you to pass a number of extra parameters to the JNDI
layer. It is specified as name:value pairs, one pair per line.
Iterator State Key
Specifies the name of the parameter that stores the current
synchronization state in the User Property Store of the IBM Tivoli Directory
Integrator. This
must be a unique name for all parameters stored in one instance of
the IBM Tivoli Directory
Integrator User Property Store.
Start at
Specifies the starting changenumber. Each Changelog entry is
named changenumber=intvalue and the Connector
starts at the number specified by this parameter and automatically
increases by one. The special value EOD means
start at the end of the Changelog.
State Key Persistence
Governs the method used for saving the Connector's state to
the System Store. The default is End of Cycle,
and choices are:
After read
Updates the System Store when you read an entry from the directory
server's change log, before you continue with the rest of the AssemblyLine.
End of cycle
Updates the System Store with the change log number when all
Connectors and other components in the AssemblyLine have been evaluated
and executed.
Manual
Switches off the automatic updating of the System Store with
this Connector's state information; instead, you will need to save
the state by manually calling the z/OS LDAP Changelog Connector's saveStateKey() method, somewhere in your AssemblyLine.
Merge mode
Governs the method used for merging attributes of the Changelog
Entry and changed attributes of the actual Directory Entry. The default
is Return only changed data. The possible
values are:
Merge changelog and changed data -
Pre-7.0 implementation; for compatibility with earlier versions.
Return only changed data - Returns
only the modified/added attributes.
Return both - Returns changed attributes
of the actual Directory Entry, plus an additional attribute called "changelog"
that contains an Entry with changelog attributes.
Timeout
Specifies the number of seconds the Connector waits for the
next Changelog entry. The default is 0, which means wait forever.
Sleep Interval
Specifies the number of seconds the Connector sleeps between
each poll. The default is 60.
Detailed Log
If this field is checked, additional log messages are generated.
Note:
Changing Timeout or Sleep Interval values
will automatically adjust its peer to a valid value after being changed
(for example, when timeout is greater than sleep interval the value
that was not edited is adjusted to be in line with the other). Adjustment
is done when the field editor loses focus.
Directory Integrator, Version 7.1.1