CA Top Secret

Tuesday Tip: How can the CA LDAP Server search operation to perform authorization checks against the CA ACF2 Security database?

  • 1.  Tuesday Tip: How can the CA LDAP Server search operation to perform authorization checks against the CA ACF2 Security database?

    Posted 10-29-2014 03:48 PM

    The ldapsearch 'RESCHECK' authorization check can be used to perform a resource rule check or dataset rule check. This example ldapsearch is being done by logonid USER002 which has a password USER002, performing a dataset access check for dataset SYS1.PARMLIB by logonid usrtest.The file rescheck.inp is created in USS, and executed from OMVS.

     

    LDAPSEARCH RESCHECK Example

     

    EDIT      /u/users/ldapr151/rescheck.inp           Columns0000100072
    Command ===>                                                Scroll ===>PAGE
    *********************************** Top of Data ******************************
    ==MSG>-Warning- The UNDO command is not available until you change           
    ==MSG>          your edit profile using the command RECOVERY ON.             
    000001./ldapsearch -x -D cn=USER002 -w USER002 -h SYS1234 -p 389 -s base -b \
    000002 host=SYS1234.CA.COM,o=TEST,c=us    \                                   
    000003 rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE                      
    ********************************** Bottom of Data ****************************
    Note: "\" is the continuation character for the above command.

     

    * ==================================================================*
    * Example RESCHECK deny
    * ==================================================================*

     

    To invoke, Go to OMVS, change directory and execute the rescheck.inp file:

     

    $ cd /u/users/ldapr151/

    $ rescheck.inp                                                                 
    ldap_bind: Success (0)                                                         
            additional info: ACF01137 USER002 LAST SYSTEM ACCESS 08.52-09/11/14 FROM 8DCA2485                                                                      
    # extended LDIF                                                                
    #                                                                              
    # LDAPv3                                                                       
    # base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject                 
    # filter: rescheck=usrtest,update,dataset,SYS1.PARMLIB,NONE                    
    # requesting: ALL                                                              
    #                                                                              
                                                                                   
    # search result                                                                
    search: 2                                                                      
    result: 50 Insufficient access                                                 
    text: LDP1105E Access denied                                                   
                                                                                   
    # numResponses: 1                                                              
    $          

                                                                       

    * ==================================================================*
    * Example RESCHECK allow(change logonids from usrtest to usrsuper)
    * ==================================================================*

     

    To invoke, Go to OMVS, change directory and execute the rescheck.inp file:

     

    $ cd /u/users/ldapr151/                                                  
    $ rescheck.inp                                                                 
                                                                                   
    ldap_bind: Success (0)                                                         
            additional info: ACF01137 USER002 LAST SYSTEM ACCESS 09.30-09/18/14 FROM
    A28LO903                                                                      
    # extended LDIF                                                                
    #                                                                              
    # LDAPv3                                                                       
    # base <host=SYS1234.CA.COM,o=TEST,c=us> with scope baseObject                 
    # filter: rescheck=usrsuper,update,dataset,SYS1.PARMLIB,NONE                    
    # requesting: ALL                                                              
    #                                                                              
                                                                                   
    # search result                                                                
    search: 2                                                                      
    result: 0 Success                                                              
                                                                                   
    # numResponses: 1   

     

    For details on ldapsearch parameters see the CA LDAP Server for z/OS Product Guide Release 15.1.00, Appendix A: z/OS UNIX System Services Command Line Utilities section 'ldapsearch–Search LDAP Objects'.