LDAP integration

XCICS/TS may use LDAP servers to define and identify its users, through an LDAPv3 interface. Microsoft Active Directory may also be accessed through the XCICS LDAP interface, because Active Directory is LDAP compliant, as described by Microsoft at http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx. When a region is configured to use LDAP authentication mode (parameter auth_mode set to "ldap"), XCICS/TS connects, during startup and during the reconfiguration phase, to one or more LDAP servers to populate its SNT (Signon Table) with users. So, first of all, an LDAP entry (user) must be created for the XCICS/TS region. When the region starts (or is being reconfigured) it connects to the LDAP server with its own credentials and searches for the users that will populate its SNT. XCICS/TS recognizes the LDAP users to add to its SNT according to three elements: the search base, the LDAP filter of each userclass, and the USERID attribute.
The search base is the path in the LDAP directory from which the search for users starts. So, only those users whose Distinguished Name is located under the search base branch may be potential users of the running region. The search is then driven by the LDAP filters of the XCICS userclasses: each userclass provided with an ldap_filter parameter causes an LDAP search from the search base described above, filtered by its own filter. Additionally, XCICS/TS refines these searches by forcing the presence of the USERID attribute, which is the field of the entry whose value is used as the CICS USERID. Each entry returned by a single userclass filter creates in the SNT an XCICS user belonging to that class and identified by the value contained in the USERID attribute. The entry's DN is also stored in the SNT, to be used later for user sign-on. If the same user is returned by more than one search, it is defined (and therefore bound) to the first userclass that finds it. Afterwards, whenever an operator requests a sign-on (by CESN or EXEC CICS SIGNON), XCICS/TS connects to the LDAP server to authenticate the user's DN with the password provided by the operator. Moreover, according to the LDAP server configuration, XCICS/TS permits users to manage their passwords and, if the LDAP client library supports the necessary APIs, it may notify (through CESN or EXEC CICS SIGNON) the following states:
For further information on LDAP filters and search bases, please refer to your LDAP server documentation or to RFC 2254 (The String Representation of LDAP Search Filters).

Runtime configuration

To make use of LDAP authentication mode, an LDAP client must be installed on the system. The XCICS/TS LDAP interface must be recompiled with the headers of the installed LDAP implementation and then linked with the LDAP client API libraries. The LDAP client must support the LDAPv3 protocol, and its APIs must conform to RFC 1823 (The LDAP Application Program Interface). For further information on runtime configuration and linking, please refer to the "Installation Guide".

LDAP configuration

To allow a region to connect to an LDAP server and retrieve users, an LDAP user for the region must be defined. This user must be able to connect to the LDAP server and to browse entries. The password of this user should not be bound to any password expiration policy, to avoid unexpected situations. An example LDAP user for the region, shown binding to the server with ldapsearch:

ldapsearch -h linux64 -D "uid=cicslx02,ou=People,dc=example,dc=com" -xw secret \

Region configuration

Once the LDAP user is created, the region must be configured to access the LDAP server and retrieve the users. Therefore the region authentication mode must be set to "ldap" and the following information must be provided:

For example:

set auth_mode=ldap;
Userclass configuration

As described before, the retrieval of LDAP users is driven by the XCICS userclasses. This means that only those LDAP users whose attributes satisfy a userclass filter are defined in the SNT and will therefore be able to sign on to the region. For each userclass to which you want to bind LDAP users, you have to provide a valid LDAP filter in the ldap_filter parameter. For example:

define userclass name=DEVELOPE, opid=DVP, auth="1-32", opclass=FFFFFF,

The USERID attribute

As is well known, CICS (and so XCICS) identifies each operator by an 8-byte unique identifier, called USERID. When users are retrieved from LDAP, XCICS/TS needs to know their USERID: the USERID attribute is the LDAP field whose value contains the user's USERID. For this reason, the searches for the users defined in the userclasses are restricted to those entries containing a USERID attribute. By default, XCICS/TS retrieves the USERID from the LDAP attribute named "uid", according to the ISO definition of the LDAP class "inetOrgPerson". If you want to store the user's USERID in a different attribute, you may set the parameter ldap_attribute_userid to the name of the desired attribute. So, if the parameter ldap_attribute_userid is not defined in the configuration file, XCICS extracts from LDAP all the users under the configured search base who satisfy the userclass filters and contain the attribute "uid", whose value is used as USERID. If, for example, the USERID is contained in an attribute other than "uid", you have to set the ldap_attribute_userid parameter to the name of the attribute that contains it. For example:

set ldap_attribute_userid="myXcicsUserid";

In this situation, XCICS extracts from LDAP all the users under the configured search base who satisfy the userclass filters and contain the attribute "myXcicsUserid": the value of this attribute will be the USERID of the user. In any case, the value of the USERID attribute must be 8 bytes long: if the value is longer, XCICS uses only the first 8 bytes.

The USERNAME attribute

By default, the USERNAME of a user (that is, the value returned by ASSIGN USERNAME) is retrieved from the value of the attribute named "cn" (Common Name). If you want to get the USERNAME from a different attribute, you may set the parameter ldap_attribute_username. For example:

set ldap_attribute_username="sn";
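The SNT population described above (search base, each userclass filter AND-ed with the presence of the USERID attribute, first userclass wins on duplicates, 8-byte USERID, and the ldap_attribute_userid override) as an added Python simulation; this is not XCICS/TS code, and the directory entries, userclass filters and the small filter evaluator are constructed for illustration.

```python
# Constructed sample directory: DN -> attributes. Not a real LDAP server.
DIRECTORY = {
    "uid=dev1,ou=People,dc=example,dc=com": {"uid": "dev1", "cn": "Dev One", "ou": "dev"},
    "uid=dev2longname,ou=People,dc=example,dc=com": {"uid": "dev2longname", "cn": "Dev Two", "ou": "dev"},
    "cn=noid,ou=People,dc=example,dc=com": {"cn": "No Id", "ou": "dev"},  # no USERID attribute
    "uid=adm1,ou=People,dc=example,dc=com": {"uid": "adm1", "cn": "Adm One", "ou": "admin"},
    "uid=ops1,ou=Other,dc=example,dc=com": {"uid": "ops1", "cn": "Ops One", "ou": "dev"},  # outside base
}
USERCLASSES = [  # (name, ldap_filter) in definition order; the first class to find a user binds it
    ("DEVELOPE", "(ou=dev)"),
    ("ADMINS", "(|(ou=admin)(uid=dev1))"),  # constructed: dev1 also matches, but stays in DEVELOPE
]

def _split(body):
    """Split the concatenated sub-filters of an &, | or ! body into a list."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(body[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate an RFC 2254 filter (subset: &, |, !, equality, presence) against one entry."""
    body = flt[1:-1]  # strip the outer parentheses
    if body[0] == "&":
        return all(matches(entry, f) for f in _split(body[1:]))
    if body[0] == "|":
        return any(matches(entry, f) for f in _split(body[1:]))
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, value = body.split("=", 1)
    if value == "*":  # presence test, e.g. (uid=*)
        return attr in entry
    return entry.get(attr, "").lower() == value.lower()

def populate_snt(directory, search_base, userclasses, userid_attr="uid"):
    """Return the SNT as {USERID: (userclass, DN)} the way the region would build it."""
    snt = {}
    for name, ldap_filter in userclasses:
        effective = "(&%s(%s=*))" % (ldap_filter, userid_attr)  # XCICS forces the USERID attribute
        for dn, entry in directory.items():
            if not dn.lower().endswith("," + search_base.lower()):  # outside the search base
                continue
            if matches(entry, effective):
                userid = entry[userid_attr][:8]  # only the first 8 bytes are used
                snt.setdefault(userid, (name, dn))  # already found by an earlier class: keep it
    return snt
```

Calling populate_snt with userid_attr="cn" shows the effect of ldap_attribute_userid: the entry without "uid" is then found, and the Common Name is what gets truncated to 8 bytes.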
Passwords

Normally XCICS handles only uppercase passwords up to 8 characters long. In LDAP authentication mode, XCICS/TS may handle passwords up to 32 characters long. Additionally, by means of the mixedcase_passwords parameter, you may decide to allow the use of mixed-case passwords. For example:

set mixedcase_passwords=yes;
Configuration verification

To verify the correctness of the configuration, as well as to discover possible problems, the best method is to use an LDAP search tool to perform the same search XCICS/TS would do, and check whether the returned entries satisfy the userclass you are analyzing. The search should be qualified by the configured search base, the userclass ldap_filter, and the presence of the USERID attribute.

So, if using the OpenLDAP search tool:

ldapsearch -h linux64 \

A practical example

This is an example XCICS/TS configuration for LDAP:

set auth_mode=ldap;

This configuration will cause the following:

In terms of LDAP search, the userclass "DEVELOPE" is the result of the search shown in the previous paragraph.