<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - LDAP operations</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyldapops"></a>
<h3 id="rzahyldapops">LDAP operations</h3>
<p>The following are the LDAP operations that can be performed using the projected
user profiles.</p>
<p><span class="bold">Bind</span></p>
<p>An LDAP client can bind (authenticate) to the LDAP server using a projected
user profile. This is accomplished by specifying the projected user profile
distinguished name (DN) for the bind DN and the correct user profile password
for authentication. An example of a DN used in a bind request would be <tt class="xph">os400-profile=jsmith,cn=accounts,os400-sys=systemA.acme.com</tt>.</p>
<p>A client must bind as a projected user to access information in the system
projected backend.</p>
<p>Two additional mechanisms are available to authenticate to the directory
server as a projected user:</p>
<ul>
<li>GSSAPI SASL bind. If the operating system is configured to use Enterprise
Identity Mapping (EIM), the directory server queries EIM to determine if there
is an association to a local user profile from the initial Kerberos identity.
If there is such an association, the server will associate the user profile
with the connection and it can be used to access the system projection backend.
For more information about EIM, see the <a href="../rzalv/rzalvmst.htm">EIM</a> topic.</li>
<li>OS400-PRFTKN SASL bind. A profile token can be used to authenticate to
the directory server. The server associates the profile token user profile
with the connection.</li></ul>
<p>The server performs all of the operations using the authority of that user
profile. The projected user profile DN can also be used in LDAP ACLs like
other LDAP entry DNs. The simple bind method is the only bind method that
is allowed when a projected user profile is specified on a bind request.</p>
<p><span class="bold">Search</span></p>
<p>The system projected backend supports some basic search filters. You can
specify the objectclass, os400-profile, and os400-gid attributes in search
filters. The os400-profile attribute supports wildcards. The os400-gid attribute
is limited to specifying <tt class="xph">(os400-gid=0)</tt>, which selects individual
user profiles, or <tt class="xph">(!(os400-gid=0))</tt>, which selects group profiles.
You can retrieve all attributes of a user profile except the password and
similar attributes.</p>
<p>For certain filters, only the DN, objectclass, and os400-profile values are
returned. However, subsequent searches can be conducted to return more detailed
information about the entries found.</p>
<p>The following table describes the behavior of the system projected backend
for search operations.</p>
<a name="wq71"></a>
<table id="wq71" width="100%" summary="" border="1" frame="border" rules="all" class="singleborder">
<caption>Table 3. System projected backend behavior for search operations</caption>
<thead valign="bottom">
<tr class="tablemainheaderbar">
<th id="wq72" width="15%" align="left" valign="top">Search requested</th>
<th id="wq73" width="24%" align="left" valign="top">Search base</th>
<th id="wq74" width="13%" align="left" valign="top">Search scope</th>
<th id="wq75" width="23%" align="left" valign="top">Search filter</th>
<th id="wq76" width="22%" align="left" valign="top">Comments</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq72">Return information for os400-sys=SystemA, (optionally)
for the containers under it, and (optionally) for the objects in those containers.</td>
<td headers="wq73">os400-sys=SystemA.acme.com</td>
<td headers="wq74">base, sub, or one</td>
<td headers="wq75">objectclass=*
<br />objectclass=os400-root
<br />objectclass=container
<br />objectclass=os400-usrprf</td>
<td headers="wq76">Return the appropriate attributes and their values based
on the scope and filter specified. Hardcoded attributes and their values are
returned for the system objects' suffix and the container under it.</td>
</tr>
<tr>
<td headers="wq72">Return all user profiles.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">os400-gid=0</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
<tr>
<td headers="wq72">Return all group profiles.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">(!(os400-gid=0))</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
<tr>
<td headers="wq72">Return all user and group profiles.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">os400-profile=*</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
<tr>
<td headers="wq72">Return information for a specific user or group profile
such as the user profile JSMITH.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">os400-profile=JSMITH</td>
<td headers="wq76">Other attributes to be returned can be specified.</td>
</tr>
<tr>
<td headers="wq72">Return information for a specific user or group profile
such as the user profile JSMITH.</td>
<td headers="wq73">os400-profile=JSMITH, cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">base, sub, or one</td>
<td headers="wq75">objectclass=os400-usrprf
<br />objectclass=*
<br />os400-profile=JSMITH</td>
<td headers="wq76">Other attributes to be returned can be specified. Even
though a scope of one level can be specified, the search results would return
no values because there is nothing below the user profile JSMITH in the DIT.</td>
</tr>
<tr>
<td headers="wq72">Return all user and group profiles starting with A.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">os400-profile=A*</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
<tr>
<td headers="wq72">Return all group profiles starting with G.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">(&amp;(!(os400-gid=0)) (os400-profile=G*))</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
<tr>
<td headers="wq72">Return all user profiles starting with A.</td>
<td headers="wq73">cn=accounts, os400-sys=SystemA.acme.com</td>
<td headers="wq74">one or sub</td>
<td headers="wq75">(&amp;(os400-gid=0) (os400-profile=A*))</td>
<td headers="wq76">Only the distinguished name (DN), objectclass, and os400-profile
values are returned for projected user profiles. If any other filter is specified,
<tt class="xph">LDAP_UNWILLING_TO_PERFORM</tt> is returned.</td>
</tr>
</tbody>
</table>
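<p>Table 3 is easiest to reason about as a small rule set: which search bases and filters the backend answers at all, and which answers are reduced to the DN, objectclass and os400-profile values. The following Python is an added example, not IBM code and not the server's implementation. It parses the filter subset the table uses and predicts the documented outcome, which is useful when reviewing what an authenticated client can enumerate from the projected backend or when writing expectations for a directory integration test. The result labels ("success", "unwillingToPerform", "not-documented") and the "not-documented" verdict for base/scope/filter combinations the table does not list are this example's own conventions; filter values are taken literally, so RFC 4515 escape sequences are not decoded.</p>

```python
"""Model of the search behaviour that Table 3 documents for the system projected
backend.  Added example, not IBM code: it never contacts a server; it parses a
search filter and predicts the documented outcome for (base, scope, filter)."""

SUMMARY_ATTRS = ("dn", "objectclass", "os400-profile")   # the reduced attribute set
ROOT_OBJECTCLASSES = ("*", "os400-root", "container", "os400-usrprf")


def parse_filter(text):
    """Parse the filter subset used on this page: (attr=value), (!f), (&f f...), (|f f...).
    Returns nested tuples: ("eq", attr, value), ("not", f), ("and"/"or", [f, ...])."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"            # Table 3 writes bare "attr=value"; normalise it
    node, rest = _parse(text)
    if rest.strip():
        raise ValueError(f"trailing characters in filter: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if s[:1] in ("&", "|"):
        op = "and" if s[0] == "&" else "or"
        s, subs = s[1:].lstrip(), []
        while s.startswith("("):
            node, s = _parse(s)
            subs.append(node)
            s = s.lstrip()
        if not subs or not s.startswith(")"):
            raise ValueError("malformed compound filter")
        return (op, subs), s[1:]
    if s[:1] == "!":
        node, s = _parse(s[1:].lstrip())
        if not s.startswith(")"):
            raise ValueError("malformed negation")
        return ("not", node), s[1:]
    end = s.find(")")
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"expected attr=value at {s!r}")
    return ("eq", attr.strip().lower(), value.strip()), s[end + 1:]


def _is_gid_term(f):
    return f == ("eq", "os400-gid", "0") or f == ("not", ("eq", "os400-gid", "0"))


def _is_profile_wildcard(f):
    return f[0] == "eq" and f[1] == "os400-profile" and "*" in f[2]


def _is_summary_filter(f):
    """Filters for which Table 3 says only DN, objectclass and os400-profile return."""
    if _is_gid_term(f) or _is_profile_wildcard(f):
        return True
    if f[0] == "and" and len(f[1]) == 2:
        a, b = f[1]
        return (_is_gid_term(a) and _is_profile_wildcard(b)) or \
               (_is_gid_term(b) and _is_profile_wildcard(a))
    return False


def _base_kind(base):
    b = ",".join(part.strip() for part in base.split(",")).lower()
    for prefix, kind in (("os400-profile=", "profile"), ("cn=accounts,", "accounts"),
                         ("os400-sys=", "root")):
        if b.startswith(prefix):
            return kind, b
    raise ValueError("search base is not inside the system projected backend")


def expected_search_result(base, scope, filter_text):
    """Return (result, attributes) as Table 3 leads one to expect.
    result: "success", "unwillingToPerform", or "not-documented" (outside the table).
    attributes: "all" (everything except the password and similar attributes),
    SUMMARY_ATTRS, "none" (empty result set), or None."""
    kind, b = _base_kind(base)
    scope = scope.lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    f = parse_filter(filter_text)
    if kind == "root":
        if f[0] == "eq" and f[1] == "objectclass" and f[2].lower() in ROOT_OBJECTCLASSES:
            return "success", "all"     # hardcoded values for the suffix and container
        return "not-documented", None
    if kind == "profile":
        if scope == "one":
            return "success", "none"    # nothing sits below a profile in the DIT
        rdn_value = b.split(",", 1)[0].split("=", 1)[1]
        if f in (("eq", "objectclass", "*"), ("eq", "objectclass", "os400-usrprf")) or \
           (f[0] == "eq" and f[1] == "os400-profile" and f[2].lower() == rdn_value):
            return "success", "all"
        return "not-documented", None
    if scope == "base":                 # the accounts container itself is not in Table 3
        return "not-documented", None
    if f[0] == "eq" and f[1] == "os400-profile" and "*" not in f[2]:
        return "success", "all"         # one named profile: other attributes may be requested
    if _is_summary_filter(f):
        return "success", SUMMARY_ATTRS # enumeration: DN, objectclass, os400-profile only
    return "unwillingToPerform", None   # every other filter under cn=accounts


if __name__ == "__main__":
    accounts = "cn=accounts, os400-sys=SystemA.acme.com"
    for flt in ("os400-gid=0", "(!(os400-gid=0))", "os400-profile=A*",
                "(&(!(os400-gid=0)) (os400-profile=G*))", "os400-profile=JSMITH",
                "(objectclass=os400-usrprf)"):
        print(f"{flt:45} -> {expected_search_result(accounts, 'sub', flt)}")
```

<p>The security-relevant reading of the model is in the last three branches: any bound projected user can enumerate every user and group profile name under <tt class="xph">cn=accounts</tt>, but only the names; everything else requires a search for one specific profile, and any other filter shape is refused rather than answered with partial data.</p>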
<p><span class="bold">Compare</span></p>
<p>The LDAP compare operation can be used to compare an attribute value of
a projected user profile. The os400-aut and os400-docpwd attributes cannot
be compared.</p>
<p><span class="bold">Add and modify</span></p>
<p>You can create user profiles using the LDAP add operation and you can also
change user profiles using the LDAP modify operation.</p>
<p><span class="bold">Delete</span></p>
<p>User profiles can be deleted using the LDAP delete operation. To specify
the behavior of the DLTUSRPRF OWNOBJOPT and PGPOPT parameters, two LDAP server
controls are now provided. These controls can be specified on the LDAP delete
operation. Refer to the Delete User Profile (DLTUSRPRF) command for more information
about the behavior of these parameters.</p>
<p>The following are the controls and their object identifiers (OIDs) that
can be specified on the LDAP delete client operation.</p>
<ul>
<li>
<div class="lines">os400-dltusrprf-ownobjopt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1.3.18.0.2.10.8<br />
</div>
<p>The control value is a string of the following form:</p>
<div class="lines">controlValue ::= ownObjOpt [ newOwner ]<br />
ownObjOpt ::= *NODLT / *DLT / *CHGOWN<br />
</div>
<p class="indatacontent">The ownObjOpt value specifies the action to be taken if the user
profile owns any objects. The *NODLT value indicates that the user profile is not deleted
if it owns any objects. The *DLT value indicates that the owned objects are deleted, and
the *CHGOWN value indicates that ownership of them is transferred to another profile.</p>
<p>The newOwner value specifies the profile to which ownership
is transferred. This value is required when ownObjOpt is set to *CHGOWN.</p>
<p>Examples of the control value are the following:</p>
<ul>
<li>*NODLT: specifies that the profile cannot be deleted if it owns any objects.</li>
<li>*CHGOWN SMITH: specifies to transfer the ownership of any objects to the
SMITH user profile.</li></ul>
<p>The object identifier (OID) is defined in ldap.h as LDAP_OS400_OWNOBJOPT_CONTROL_OID.</p>
</li>
<li>
<div class="lines">os400-dltusrprf-pgpopt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1.3.18.0.2.10.9<br />
</div>
<p>The control value is defined as a string of the following form:</p>
<div class="lines">controlValue ::= pgpOpt [ newPgp [ newPgpAut ] ]<br />
pgpOpt ::= *NOCHG / *CHGPGP<br />
newPgp ::= *NONE / user-profile-name<br />
newPgpAut ::= *OLDPGP / *PRIVATE / *ALL / *CHANGE / *USE / *EXCLUDE<br />
</div>
<p class="indatacontent">The pgpOpt value specifies the action to be taken if the profile being
deleted is the primary group for any objects. If *CHGPGP is specified, newPgp
must also be specified. The newPgp value specifies the new primary group profile
name or *NONE. If a new primary group profile is specified, the newPgpAut
value can also be specified. The newPgpAut value specifies the authority to
the objects that the new primary group is given.</p>
<p>Examples of the control value are the following:</p>
<ul>
<li>*NOCHG: specifies that the profile cannot be deleted if it is the primary
group for any objects.</li>
<li>*CHGPGP *NONE: specifies to remove the primary group from the objects.</li>
<li>*CHGPGP SMITH *USE: specifies to change the primary group to the SMITH
user profile and to grant *USE authority to the primary group.</li></ul>
</li></ul>
<p>If either of these controls is not specified on the delete, the defaults
currently in effect for the QSYS/DLTUSRPRF command are used instead.</p>
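<p>The two requests this page specifies in most detail, the simple bind as a projected user profile (under Bind) and the delete carrying the os400-dltusrprf-ownobjopt and os400-dltusrprf-pgpopt controls, can be followed down to the bytes on the wire. The following Python is an added example, not IBM code and not the IBM LDAP client API: it builds the projected-profile DN with RFC 4514 escaping, validates the two control values against the grammar above, and BER-encodes the bind and delete messages per RFC 4511, so the output can be compared with a packet capture or fed to a test harness without a live server. Only the OIDs and the control grammar are taken from the page. The choice to mark the controls critical, the sample profile names and the sample password are this example's own; the treatment of newOwner and newPgpAut as disallowed where the page does not call for them is a strict reading of the grammar, not something the page states.</p>

```python
"""Wire encoding of a projected-profile simple bind and of a delete carrying the
os400-dltusrprf-ownobjopt / os400-dltusrprf-pgpopt controls.  Added example, not
IBM code.  OIDs and grammar come from the page; BER layout follows RFC 4511 and
DN escaping RFC 4514.  Sample names and the password are constructed."""
from typing import Optional

OWNOBJOPT_CONTROL_OID = "1.3.18.0.2.10.8"   # os400-dltusrprf-ownobjopt
PGPOPT_CONTROL_OID = "1.3.18.0.2.10.9"      # os400-dltusrprf-pgpopt
PGP_AUTHORITIES = ("*OLDPGP", "*PRIVATE", "*ALL", "*CHANGE", "*USE", "*EXCLUDE")

# --- minimal BER (definite lengths only, as RFC 4511 section 5.1 requires) ---
def ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content

def ber_int(n: int) -> bytes:
    # non-negative INTEGER, minimal two's complement (leading 0x00 when the top bit is set)
    return ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_str(s: str, tag: int = 0x04) -> bytes:
    return ber(tag, s.encode("utf-8"))

# --- projected user profile DN, with RFC 4514 escaping of the RDN value ---
def escape_rdn_value(value: str) -> str:
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def projected_profile_dn(profile: str, system: str) -> str:
    return f"os400-profile={escape_rdn_value(profile)},cn=accounts,os400-sys={system}"

# --- control values validated against the grammar on the page ---
def ownobjopt_value(own_obj_opt: str, new_owner: Optional[str] = None) -> str:
    if own_obj_opt not in ("*NODLT", "*DLT", "*CHGOWN"):
        raise ValueError(f"ownObjOpt must be *NODLT, *DLT or *CHGOWN, not {own_obj_opt!r}")
    if (own_obj_opt == "*CHGOWN") != (new_owner is not None):   # strict reading of the grammar
        raise ValueError("newOwner is required with *CHGOWN and not used otherwise")
    return own_obj_opt if new_owner is None else f"{own_obj_opt} {new_owner}"

def pgpopt_value(pgp_opt: str, new_pgp: Optional[str] = None,
                 new_pgp_aut: Optional[str] = None) -> str:
    if pgp_opt not in ("*NOCHG", "*CHGPGP"):
        raise ValueError(f"pgpOpt must be *NOCHG or *CHGPGP, not {pgp_opt!r}")
    if (pgp_opt == "*CHGPGP") != (new_pgp is not None):
        raise ValueError("newPgp is required with *CHGPGP and not used otherwise")
    if new_pgp_aut is not None:
        if new_pgp in (None, "*NONE"):
            raise ValueError("newPgpAut applies only when a new primary group profile is named")
        if new_pgp_aut not in PGP_AUTHORITIES:
            raise ValueError(f"newPgpAut must be one of {PGP_AUTHORITIES}")
    return " ".join(t for t in (pgp_opt, new_pgp, new_pgp_aut) if t)

# --- LDAP messages (RFC 4511) ---
def control(oid: str, value: str, critical: bool = True) -> bytes:
    # Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    #   controlValue OCTET STRING OPTIONAL }; a DEFAULT value is omitted on the wire.
    # critical=True is this example's choice: a server that does not recognise the
    # control then rejects the delete instead of silently applying DLTUSRPRF defaults.
    crit = ber(0x01, b"\xff") if critical else b""
    return ber(0x30, ber_str(oid) + crit + ber_str(value))

def ldap_message(message_id: int, protocol_op: bytes, controls=()) -> bytes:
    body = ber_int(message_id) + protocol_op
    if controls:
        body += ber(0xA0, b"".join(controls))     # controls [0] SEQUENCE OF Control
    return ber(0x30, body)

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    #   authentication CHOICE { simple [0] OCTET STRING } }
    return ldap_message(message_id, ber(0x60, ber_int(3) + ber_str(dn) + ber_str(password, 0x80)))

def delete_request(message_id: int, dn: str, own_obj_opt: str, pgp_opt: str) -> bytes:
    # DelRequest ::= [APPLICATION 10] LDAPDN, primitive: the DN octets are the content.
    ctls = [control(OWNOBJOPT_CONTROL_OID, own_obj_opt), control(PGPOPT_CONTROL_OID, pgp_opt)]
    return ldap_message(message_id, ber_str(dn, 0x4A), ctls)

if __name__ == "__main__":
    system = "systemA.acme.com"                    # system name from the page
    print(simple_bind_request(1, projected_profile_dn("jsmith", system), "secret").hex())
    print(delete_request(2, projected_profile_dn("OLDUSER", system),      # constructed name
                         ownobjopt_value("*CHGOWN", "SMITH"),
                         pgpopt_value("*CHGPGP", "SMITH", "*USE")).hex())
```

<p>Two things are visible in the encoded output that matter to a reviewer. The bind carries the user profile password as plain OCTET STRING octets immediately after the DN, which is simply what a simple bind is; the connection needs transport protection for that to be acceptable. And the control values are ordinary strings, so a delete with <tt class="xph">*DLT</tt> or <tt class="xph">*CHGOWN</tt> is distinguishable from a plain delete in a capture or server trace by the two control OIDs, which is the hook for auditing profile deletions that also dispose of owned objects.</p>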
<p><span class="bold">ModRDN</span></p>
<p>You cannot rename projected user profiles because this is not supported
by the operating system.</p>
<p><span class="bold">Import and Export APIs</span></p>
<p>The QgldImportLdif and QgldExportLdif APIs do not support importing or
exporting data within the system projected backend.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>