Step 5: Configure Policy Agent to use the LDAP server using the ReadFromDirectory statement

The ReadFromDirectory statement in the Policy Agent configuration file initializes the Policy Agent as an LDAP client. Policies are downloaded from the LDAP server and used in addition to the policies specified in the Policy Agent configuration files.

When configuring the ReadFromDirectory statement, first specify the host name (or IPv4 address) and port of the primary server, and the same for the backup server (if one is used).

Notes:
  1. The LDAP client library used to connect to the LDAP server does not support IPv6.
  2. When using the z/OS® LDAP server, the server listens on a separate port for SSL connections. Specify the port that matches whether or not SSL is used; connecting to the non-SSL port with SSL enabled (or the reverse) fails.

Next, configure the other connection attributes. The Policy Agent (as an LDAP client) must log in (bind) to the LDAP server, so the user ID and password for the login are configured on the ReadFromDirectory statement. The user ID is specified as an LDAP distinguished name (DN), not as a plain user name. If no user ID and password are specified, the Policy Agent logs in anonymously, and the server's access controls for anonymous users then determine which policy entries it can read. Note that the password is stored in clear text in the Policy Agent configuration file, so restrict read access to that file, and that without SSL the password also crosses the network in clear text during the bind.

Only LDAP protocol version 3 is supported for the connection to the LDAP server. Setting LDAP_ProtocolVersion to 3 on the ReadFromDirectory statement selects it; because 3 is the default, the parameter can be omitted. The ReadFromDirectory statement also configures, through LDAP_SchemaVersion, the version of the policy schema to be retrieved from the server.

Finally, configure attributes that indicate how to search the LDAP server for policies. Policy roles allow one or more roles, or role-combinations, to be assigned to policy rules using the ibm-policyRoles attribute. These roles represent the intended usage of the policy rules. For example, a role of "East Coast WAN" might represent policies for the wide area network on the US East coast of an enterprise. Policy role values are not standardized; they are simply values used to assign roles to policies. When an entity that requires policies (such as the Policy Agent) requests policies from an LDAP server, it can filter out policy rules that do not match the roles it plays. Policy roles resemble policy keywords, which also allow search scoping, but are more expressive: role-combinations are allowed, written as "roleA && roleB", meaning both roleA AND roleB. Because the ibm-policyRoles attribute is multi-valued, the attribute as a whole expresses a disjunctive normal form: the roles within one role-combination are ANDed, and the roles or role-combinations specified on different values of the attribute are ORed.
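The following is an added example, not code from the z/OS Communications Server documentation or from the Policy Agent itself. It evaluates ibm-policyRoles values with the semantics described above (roles inside one value ANDed, separate values ORed) against the set of roles an entity plays, and returns the rules that survive filtering. The sample rule DNs and role names are constructed; treating a rule with no ibm-policyRoles value as unrestricted is an assumption of this example, not documented Policy Agent behaviour.

```python
# Added example: role filtering for ibm-policyRoles values.
# Not part of the z/OS Policy Agent; sample rules and roles are constructed.


def parse_role_value(value: str) -> frozenset[str]:
    """Parse one ibm-policyRoles attribute value.

    A value is a single role ("East Coast WAN") or a role-combination
    ("roleA && roleB"); every role in a combination must be played.
    Whitespace around role names and around the && operator is ignored.
    """
    roles = [r.strip() for r in value.split("&&")]
    if not value.strip() or any(not r for r in roles):
        raise ValueError(f"malformed ibm-policyRoles value: {value!r}")
    return frozenset(roles)


def rule_matches(policy_roles: list[str], roles_played: set[str]) -> bool:
    """True if a rule carrying these ibm-policyRoles values applies to an
    entity that plays roles_played.

    Values of the multi-valued attribute are ORed; roles inside one value
    are ANDed, so the attribute as a whole is a disjunctive normal form.
    A rule with no ibm-policyRoles values is treated as unrestricted here
    (assumption of this example, not documented behaviour).
    """
    if not policy_roles:
        return True
    return any(parse_role_value(v) <= roles_played for v in policy_roles)


def select_rules(rules: dict[str, list[str]], roles_played: set[str]) -> list[str]:
    """Return the DNs of the rules that survive role filtering, in input order."""
    return [dn for dn, values in rules.items() if rule_matches(values, roles_played)]


# Constructed sample: rule DN -> its ibm-policyRoles values.
SAMPLE_RULES = {
    "cn=wanQos, ou=policy, o=IBM, c=US": ["East Coast WAN"],
    "cn=wanQosBackup, ou=policy, o=IBM, c=US": ["East Coast WAN && Backup"],
    "cn=anyCoast, ou=policy, o=IBM, c=US": ["East Coast WAN", "West Coast WAN"],
    "cn=westOnly, ou=policy, o=IBM, c=US": ["West Coast WAN && Primary"],
    "cn=unrestricted, ou=policy, o=IBM, c=US": [],
}

if __name__ == "__main__":
    played = {"East Coast WAN", "Primary"}
    for dn in select_rules(SAMPLE_RULES, played):
        print(dn)
```

With the roles "East Coast WAN" and "Primary", the rule that needs "East Coast WAN && Backup" is dropped because one role of the combination is missing, while the rule listing "East Coast WAN" and "West Coast WAN" as separate values is kept because a single matching value suffices.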

For the Version 1 schema, a base DN to start the search, and a selector tag value are configured. The selector tag is used to match against the SelectorTag attribute in the policy objects. For Version 1, the Policy Agent also automatically includes the stack name when searching for policies; this value is matched against the TcpImageName attribute in the policy objects. For the Version 2 schema, a base DN to start searching is also configured. This DN can specify a single LDAP object, a policy group, or an LDAP subtree containing many objects. For filtering the search, three keywords can be configured:

Optionally, specify parameters for a secure SSL connection. For details, see Add SSL to Policy Agent connections.

The example that follows this list takes the following actions:

ReadFromDirectory
{
  # Primary LDAP server (IPv4 address or host name); no backup server is configured here
  LDAP_Server 9.100.1.1
  # Login identity (an LDAP DN) and password; the password is clear text in this file
  LDAP_DistinguishedName cn=root, o=IBM, c=US
  LDAP_Password 4qr56jb
  LDAP_ProtocolVersion 3
  LDAP_SchemaVersion 3
  # Subtree to search, filtered by policy keywords
  SearchPolicyBaseDN ou=policy, o=IBM, c=US
  SearchPolicyKeyword POLICY
  SearchPolicyKeyword EASTERN
}