When I try to list RACF objects (groups, permissions and users) from an LDAP browser, for example, JXplorer, the list fails with LDAP: error code 49 - ICH408 and CSV025I.
Messages similar to these may be seen regarding the RACF address space userID.
BPXM023I (CALDAP) 096
LDP4904I CA LDAP Server is processing a SEARCH CLASS(USER) for all
USERS per a request from IP=22.214.171.124:4460 on behalf of IAMTEST
ICH408I USER(RACF ) GROUP(STCGROUP) NAME(STC RACF ) 097
SETROPTS CL(PROGRAM )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER UNAUTHORIZED
IEF196I CSV025I PROGRAM CONTROLLED MODULE SETROPTS NOT ACCESSED, USER
CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
This can be resolved by setting the TRUSTed attribute to the RACF subsystem address space profile.
Within the RACF_UTF Backend, the use of the R_Admin callable service requires that you assign the TRUSTed attribute to the RACF subsystem address space profile. A TRUSTED address space is treated as part of the trusted computing base. Contact your security administrator for implementation.
See the IBM z/OS MVS Initialization and Tuning Reference z/OS section "Assigning the RACF TRUSTED Attribute" for more information.