Perform the following steps to use encrypted LDAP bind passwords:

- Define a RACF® KEYSMSTR class profile by entering the following command, replacing the key value with your own key:

  Example: RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(0023528875DECFAC))

  In this example:
  - LDAP bind passwords are masked by using a key saved in the KEYSMSTR class profile LDAP.BINDPW.KEY.
  - The key is 0023528875DECFAC. (Replace this with your own key.)
  - KEYENCRYPTED is specified (rather than KEYMASKED) because ICSF is active. (If ICSF is not active, replace KEYENCRYPTED with KEYMASKED.)
_______________________________________________________________
- Activate the KEYSMSTR class by entering the following command:

  SETROPTS CLASSACT(KEYSMSTR)
_______________________________________________________________
- If you intend to use the LDAPBIND class, create a RACF LDAPBIND class profile for each LDAP directory by entering the following command:

  RDEFINE LDAPBIND MY.LDAP.SERVER1
    PROXY(LDAPHOST(ldap://some.ldap.host:389)
    BINDDN('CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US') BINDPW('MYPASS1'))

  Replace the parameters as follows:
  - Optionally, replace MY.LDAP.SERVER1 with the profile name you want to use.
  - Replace ldap://some.ldap.host:389 with your LDAP server URL. You can specify the URL with or without the preceding string "ldap:" or "ldaps:".
  - Replace CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US with the bind DN.
  - Replace MYPASS1 with the bind password.

  Note: All bind DN qualifiers and the bind password are case-sensitive.
_______________________________________________________________
- If you intend to use IRR.PROXY.DEFAULTS instead of the LDAPBIND class for encrypted LDAP bind passwords, issue the following command to create the profile:

  RDEFINE FACILITY IRR.PROXY.DEFAULTS
    PROXY(LDAPHOST(ldap://some.ldap.host:389)
    BINDDN('CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US') BINDPW('MYPASS1'))

  Replace the parameters as follows:
  - Replace ldap://some.ldap.host:389 with your LDAP server URL. You can specify the URL with or without the preceding string "ldap:" or "ldaps:".
  - Replace CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US with the bind DN.
  - Replace MYPASS1 with the bind password.

  Note: All bind DN qualifiers and the bind password are case-sensitive.
_______________________________________________________________
- Optionally, check your work by listing the segment with the RLIST command.

  If you are using the LDAPBIND class, issue the following command:

  RLIST LDAPBIND MY.LDAP.SERVER1 PROXY NORACF

  Replace MY.LDAP.SERVER1 with the profile name you used.

  Results: This command displays information like the following:

  CLASS      NAME
  LDAPBIND   MY.LDAP.SERVER1
  PROXY INFORMATION
  LDAPHOST= LDAP://SOME.LDAP.HOST:389
  BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
  BINDPW= YES

  If you are using the IRR.PROXY.DEFAULTS profile of the FACILITY class, issue the following command:

  RLIST FACILITY IRR.PROXY.DEFAULTS PROXY NORACF

  Results: This command displays information like the following:

  CLASS      NAME
  FACILITY   IRR.PROXY.DEFAULTS
  PROXY INFORMATION
  LDAPHOST= LDAP://SOME.LDAP.HOST:389
  BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
  BINDPW= YES
_______________________________________________________________
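The following Python script is an added example, not part of the RACF documentation: it builds the KEYSMSTR RDEFINE command (choosing KEYENCRYPTED or KEYMASKED according to whether ICSF is active) and parses the PROXY INFORMATION section of RLIST ... PROXY NORACF output to confirm that a bind password is stored and that LDAPHOST is the server you expect. The 16-hex-digit key length check and the sample RLIST output are assumptions constructed for the example.

```python
import re

def keysmstr_define(key_hex, icsf_active):
    """Build the RDEFINE KEYSMSTR command for the LDAP.BINDPW.KEY profile.
    KEYENCRYPTED is used when ICSF is active, KEYMASKED otherwise."""
    # Assumption: the key is 16 hexadecimal digits, as in the documented example.
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", key_hex):
        raise ValueError("key must be 16 hexadecimal digits")
    keyword = "KEYENCRYPTED" if icsf_active else "KEYMASKED"
    return f"RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON({keyword}({key_hex.upper()}))"

def parse_rlist_proxy(output):
    """Extract LDAPHOST, BINDDN and BINDPW from RLIST ... PROXY NORACF output."""
    info = {}
    for line in output.splitlines():
        m = re.match(r"\s*(LDAPHOST|BINDDN|BINDPW)=\s*(.*\S)", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def check_proxy(info, expected_host, require_tls):
    """Return a list of findings; an empty list means the segment looks right.
    RLIST only reports BINDPW= YES/NO, so the password itself is never shown."""
    findings = []
    if info.get("BINDPW") != "YES":
        findings.append("no bind password is stored in the PROXY segment")
    host = info.get("LDAPHOST", "")
    if host.upper() != expected_host.upper():
        findings.append(f"LDAPHOST is {host!r}, expected {expected_host!r}")
    # A simple bind over plain ldap: without TLS sends the password in the clear.
    if require_tls and not host.upper().startswith("LDAPS://"):
        findings.append("LDAPHOST does not use ldaps:; bind password would be sent unprotected")
    return findings

# Constructed sample output, shaped like the RLIST result shown in the procedure.
SAMPLE_RLIST = """CLASS      NAME
LDAPBIND   MY.LDAP.SERVER1
PROXY INFORMATION
LDAPHOST= LDAP://SOME.LDAP.HOST:389
BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
BINDPW= YES
"""

if __name__ == "__main__":
    print(keysmstr_define("0023528875DECFAC", icsf_active=True))
    segment = parse_rlist_proxy(SAMPLE_RLIST)
    for finding in check_proxy(segment, "ldap://some.ldap.host:389", require_tls=False):
        print("finding:", finding)
```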