Propagation of changes

Document ID : KB000115876
Last Modified Date : 04/10/2018
Show Technical Document Details
Introduction:
password change on a sysplex
Question:
Question 1: when a password is changed/reset on a sysplex where passwords are propagated via CPF to other sysplexes automatically doe this work the same way when a password was changed via LDAP? Question 2: is there something like TARGET(*) for other commands? 
Environment:
z/os
Answer:
LDS and CPF are similar in concept, but different in implementation CPF has existed in CA TSS for years and can be setup to sync a password or entire ACIDS, between CA TSS nodes only.
LDS (LDAP Directory Services) can be setup to sync password or entire users, using the LDAP protocol to ANY LDAP enabled node.
Meaning that when a password changes in TSS, TSS can send a LDAP Modify of the password to some LDAP node, for example that could be Microsoft Active Directory (MS AD).
The CA Identity management solutions use this feature to send TSS changes from the mainframe to CA IdM, CA IdM then 'syncs' the changes to every node being managed.
CA IdM also has a MS AD hook that sends changes from MS AD to CA IdM, then it syncs to all nodes including CA TSS.

Hope this helps explain where you'd use LDS versus where to use CPF When any operation (add/modify/delete/search) is sent to the LDAP Server, it issues a native TSS command as if it was typed at a TSO prompt via the R_admin() callable service.
TSS will then use whatever CPF propagation rules are in place just like it does for a TSO command. So yes LDAP operations will be propagated via CPF if automatic TARGET() settings are in place.
Can you override this, absolutely.
If you review the objectClass definition for acids/profiles at: https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/configuring/configuring-ca-ldap-server/configure- the-catss_utf-backend/user-friendly-name-override-file-ca-top-secret-to-ca-ldap-server/objectclass-tssacid-tssprofile-tssdept-tssdiv- tsszone-tssgroup
You’ll see that the LDAP attribute ‘Target-Nodes-for-Cmds’ maps to the TSS TARGET() field and can be used to pass the value used in the TARGET(xxx) parm.