Consider the following points when using
the LDAP Connector for searches against an SDBM backend on z/OS®.
Note: The z/OS operating
system is not supported in IBM® Security
Directory Integrator Version 7.2 onwards.
- When an LDAP Connector in Iterator mode is used to get a list
of user profiles on a z/OS SDBM
(LDAP) service, by default only the DN Attribute is returned. Other
attributes are not returned even with a "*" attribute specified in
the input map. This is a known limitation of the LDAP connector (it
was not originally intended for this). To retrieve all the attributes,
construct the AssemblyLine such that you use the LDAP Connector first
in Iterator mode to retrieve the DN and subsequently use the LDAP
Connector in Lookup mode with Link Criteria using the DN (that is,
Link Criteria set to "$dn EQUAL $$dn").
Note: Here a "presence" filter
is used in the Iterator Connector's configuration (Config Tab ->
Search Filter) to determine the scope of DNs to retrieve, and a subsequent
equivalence filter is used in the Link Criteria of an LDAP Connector
in Lookup mode.
- There are 3 user profiles for which the Iterator/Lookup flow does
not work with an SDBM backend on z/OS:
  - $dn 'racfid=irrmulti,profiletype=user,sysplex=sysb'
  - $dn 'racfid=irrsitec,profiletype=user,sysplex=sysb'
  - $dn 'racfid=irrcerta,profiletype=user,sysplex=sysb'
The lookup may get one of the following errors on these user profiles:
'ICH30001I UNABLE TO LOCATE USER' or 'ICH31005I NO ENTRIES MEET
SEARCH CRITERIA'. This happens because these users are not
real users and therefore should not be the subject of searches. The
SDBM backend does a "listuser" under the covers that issues the
request in uppercase and therefore does not find the profiles. This
is expected behavior.
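The following JavaScript is an added example, not code from the product documentation: it filters the three profiles above out of the iterated DNs before the Lookup stage, and recognizes the documented RACF messages so that only the expected failures are suppressed. The function names are hypothetical, and matching on racfid regardless of case and sysplex value is an assumption.

```javascript
// Added example: helper names are hypothetical, not part of the SDI API.
// racfid values of the three user profiles listed above.
const PSEUDO_RACFIDS = ["irrmulti", "irrsitec", "irrcerta"];
// RACF message ids the page reports for lookups on those profiles.
const EXPECTED_MESSAGE_IDS = ["ICH30001I", "ICH31005I"];

// Split an SDBM DN into a lower-cased attribute -> value map.
// Assumes plain comma-separated RDNs, as in the DNs shown above.
function parseSdbmDn(dn) {
  const rdns = {};
  for (const part of String(dn).split(",")) {
    const eq = part.indexOf("=");
    if (eq < 1) throw new Error("Malformed RDN: '" + part + "'");
    const name = part.slice(0, eq).trim().toLowerCase();
    rdns[name] = part.slice(eq + 1).trim().toLowerCase();
  }
  return rdns;
}

// True when the DN names one of the three pseudo user profiles.
// Assumption: the match ignores case and the sysplex suffix.
function isPseudoUserProfile(dn) {
  const rdns = parseSdbmDn(dn);
  return rdns.profiletype === "user" && PSEUDO_RACFIDS.includes(rdns.racfid);
}

// Keep only the DNs that are worth passing to the Lookup stage.
function dnsForLookup(iteratedDns) {
  return iteratedDns.filter((dn) => !isPseudoUserProfile(dn));
}

// True only for the documented failure: a pseudo profile AND one of the
// two message ids. Any other lookup error should still be reported.
function isExpectedLookupFailure(dn, errorText) {
  return isPseudoUserProfile(dn) &&
    EXPECTED_MESSAGE_IDS.some((id) => String(errorText).includes(id));
}

// Constructed sample: the 'jsmith' entry is invented for illustration.
const sampleDns = [
  "racfid=irrmulti,profiletype=user,sysplex=sysb",
  "RACFID=IRRCERTA,PROFILETYPE=USER,SYSPLEX=SYSB",
  "racfid=jsmith,profiletype=user,sysplex=sysb",
];
console.log(dnsForLookup(sampleDns));
```

Because `isExpectedLookupFailure` requires both the profile match and the message id, a "user not found" error on an ordinary profile is still surfaced rather than silently dropped.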