How can the CA LDAP Server search operation be used to perform authorization checks against the CA ACF2 Security database?

Document ID : KB000029085
Last Modified Date : 14/02/2018

The ldapsearch 'RESCHECK' authorization check can be used to perform a resource rule check or a dataset rule check. In this example the ldapsearch is issued by logonid USER002 (password USER002) and performs a dataset access check: whether logonid usrtest has update access to dataset SYS1.PARMLIB. The file rescheck.inp is created in USS and executed from OMVS.

 

LDAPSEARCH RESCHECK Example

 

Contents of /u/users/ldapr151/rescheck.inp:

./ldapsearch -x -D cn=USER002 -w USER002 -h SYS1234 -p 389 -s base -b \
host=SYS1234.CA.COM,o=TEST,c=us    \
rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE

Note: "\" is the continuation character; the three lines above form a single ldapsearch command.

 

* ==================================================================*
* Example RESCHECK deny
* ==================================================================*

 

To invoke, go to OMVS, change to the directory and execute the rescheck.inp file:

 

$ cd /u/users/ldapr151/

$ rescheck.inp                                                                 
ldap_bind: Success (0)                                                         
        additional info: ACF01137 USER002 LAST SYSTEM ACCESS 08.52-09/11/14 FROM 8DCA2485                                                                      
# extended LDIF                                                                
#                                                                              
# LDAPv3                                                                       
# base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject                 
# filter: rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE                    
# requesting: ALL                                                              
#                                                                              
                                                                               
# search result                                                                
search: 2                                                                      
result: 50 Insufficient access                                                 
text: LDP1105E Access denied                                                   
                                                                               
# numResponses: 1                                                              
$          

                                                                   

* ==================================================================*
* Example RESCHECK allow (change the logonid from usrtest to usrsuper)
* ==================================================================*

 

To invoke, go to OMVS, change to the directory and execute the rescheck.inp file:

 

$ cd /u/users/ldapr151/                                                  
$ rescheck.inp                                                                 
                                                                               
ldap_bind: Success (0)                                                         
        additional info: ACF01137 USER002 LAST SYSTEM ACCESS 09.30-09/18/14 FROM A28LO903
# extended LDIF                                                                
#                                                                              
# LDAPv3                                                                       
# base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject                 
# filter: rescheck=usrsuper,update,dataset,SYS1.PARMLIB,NONE                    
# requesting: ALL                                                              
#                                                                              
                                                                               
# search result                                                                
search: 2                                                                      
result: 0 Success                                                              
                                                                               
# numResponses: 1   
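The two runs above show the whole contract of a RESCHECK search: the filter carries the logonid, access level, rule type and resource, and the verdict comes back as the LDAP result code (0 Success for allow, 50 Insufficient access with LDP1105E for deny). The following Python is an added example, not CA's code or part of this document: it builds the same ldapsearch command line the rescheck.inp file contains, and parses the LDIF-style output into a yes/no verdict so the check can be scripted. It assumes the CA LDAP Server ldapsearch accepts the flags used on this page (-x -D -w -h -p -s -b) and prints a 'result: <code> <text>' line as in the two sample runs; the fifth filter field is passed through as NONE exactly as the page shows it. The sample outputs embedded below are copied from this page's deny and allow runs.

```python
"""Script the CA LDAP Server RESCHECK search shown on this page.

Added example (not CA's code). Assumes ldapsearch behaves as on the page
and that its output carries a 'result: <code> <text>' line.
"""
import re
import subprocess

LDAP_SUCCESS = 0             # "result: 0 Success" in the allow run
LDAP_INSUFFICIENT_ACCESS = 50  # "result: 50 Insufficient access" in the deny run


def build_rescheck_filter(logonid, access, rule_type, resource, fifth="NONE"):
    """Build the rescheck filter; 'fifth' is copied verbatim from the page's example."""
    return f"rescheck={logonid},{access},{rule_type},{resource},{fifth}"


def build_ldapsearch_argv(bind_dn, bind_pw, host, port, base_dn, rescheck_filter):
    """Return the argv equivalent of the command in rescheck.inp (same flags as the page)."""
    return [
        "ldapsearch", "-x",
        "-D", bind_dn, "-w", bind_pw,
        "-h", host, "-p", str(port),
        "-s", "base", "-b", base_dn,
        rescheck_filter,
    ]


_RESULT_RE = re.compile(r"^result:\s*(\d+)\s*(.*)$", re.MULTILINE)
_TEXT_RE = re.compile(r"^text:\s*(.*)$", re.MULTILINE)
_FILTER_RE = re.compile(r"^# filter:\s*(.*)$", re.MULTILINE)


def parse_rescheck_output(output):
    """Turn ldapsearch's LDIF output into a verdict.

    Fails closed: if no 'result:' line is present (client error, wrong host,
    bind failure) a ValueError is raised instead of reporting 'allowed'.
    """
    m = _RESULT_RE.search(output)
    if m is None:
        raise ValueError("no 'result:' line in ldapsearch output")
    code = int(m.group(1))
    text = _TEXT_RE.search(output)
    filt = _FILTER_RE.search(output)
    return {
        "code": code,
        "message": m.group(2).strip(),
        "text": text.group(1).strip() if text else "",
        "filter": filt.group(1).strip() if filt else "",
        "allowed": code == LDAP_SUCCESS,
        "denied": code == LDAP_INSUFFICIENT_ACCESS,
    }


def run_rescheck(argv):
    """Run ldapsearch on a host that has the CA LDAP client and parse its verdict.

    stdout and stderr are joined because the ldap_bind diagnostic and the
    LDIF body may go to different streams.
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_rescheck_output(proc.stdout + proc.stderr)


# Sample outputs copied from the two runs on this page (trailing blanks removed).
DENY_SAMPLE = """ldap_bind: Success (0)
        additional info: ACF01137 USER002 LAST SYSTEM ACCESS 08.52-09/11/14 FROM 8DCA2485
# extended LDIF
#
# LDAPv3
# base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject
# filter: rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE
# requesting: ALL
#

# search result
search: 2
result: 50 Insufficient access
text: LDP1105E Access denied

# numResponses: 1
"""

ALLOW_SAMPLE = """ldap_bind: Success (0)
# filter: rescheck=usrsuper,update,dataset,SYS1.PARMLIB,NONE

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

if __name__ == "__main__":
    for label, sample in (("deny", DENY_SAMPLE), ("allow", ALLOW_SAMPLE)):
        verdict = parse_rescheck_output(sample)
        print(label, verdict["filter"], "->", "allowed" if verdict["allowed"] else verdict["text"])
```

To run a live check, pass the output of build_ldapsearch_argv (with the page's bind DN, host, port and base) to run_rescheck; the parser treats only result code 0 as an allow, result code 50 as a deny, and anything else (or no result line at all) as an error to be investigated rather than as a grant.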

 

For details on ldapsearch parameters see the CA LDAP Server for z/OS Product Guide Release 15.1.00, Appendix A: z/OS UNIX System Services Command Line Utilities section 'ldapsearch–Search LDAP Objects'.