RACF Connector

The Java-based RACF connector extends the Java-based LDAP Connector. It provisions the RACF system through the IBM Tivoli Directory Server for z/OS. See IBM’s web page https://www.ibm.com/docs/en/zos/2.5.0?topic=tivoli-directory-server-zos for more information on the Tivoli Directory Server.

The connector evaluates the same configuration properties as the LDAP Connector.

The connector is implemented in the class siemens.dxm.connector.racf.RacfConnector.

It implements the following functional changes compared to the LDAP connector:

  • User-group memberships are managed in extra connect entries in RACF.

  • User default groups are set by the connector as calculated by the userhook of the workflow’s accounts channel.

  • Disabling / enabling a RACF user is realized by setting the appropriate values in the attribute “racfAttributes”.

  • For resetting an existing password, the connector first sets the new password in the attribute racfPassword of the RACF user and then performs an extra bind operation with this user, providing the old and the new password.

  • Binding to the RACF system can be certificate-based (SASL bind) in the same way as for the LDAP connector.

Prerequisites

The RACF connector has the following prerequisites:

  • The connector accesses a z/OS or OS/390 RACF system via the LDAP protocol. Therefore, a separate IBM Tivoli Directory Server is required per RACF system.

  • An LDAP service account must be set up in the RACF database to be able to administer all users and groups. This user needs the RACF authorization "advanced".

Limitations

The RACF connector has the following limitations:

  • The connector does not support nested groups. Nested group assignments can be neither read nor written.

  • The workflow and the connector do not handle the RACF group member limit for groups that are not default groups.

Limitations of RACF via LDAP (SDBM)

The IBM LDAP access to RACF (via the SDBM backend) imposes some limitations regarding filters, returned attributes and number of returned entries. For details, see the IBM documentation, for example: https://www.ibm.com/docs/en/zos/2.5.0?topic=behavior-sdbm-search-capabilities.

Sample Requests

For sample requests, see the chapter on the LDAP Connector. This chapter contains just a few samples to highlight aspects specific to RACF.

In the RACF Tivoli Directory, users, groups, and connect objects are typically in their own sub-trees:

  • Users in profiletype=USER, …

  • Groups in profiletype=GROUP, …

  • Connect objects in profiletype=CONNECT, …

Search Request

The following sample request searches for a single user identified by its racfid and lists the attributes to be returned.

Note that only a subset of the attributes can be used for filtering. See the RACF documentation for details.

<spml:searchRequest xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
                    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <spml:searchBase type="urn:oasis:names:tc:SPML:1:0#GenericString">
        <spml:id>profiletype=USER,cn=RACF,o=someNS</spml:id>
    </spml:searchBase>
    <dsml:filter>
        <dsml:equalityMatch name="racfid">
            <dsml:value>UZ00001</dsml:value>
        </dsml:equalityMatch>
    </dsml:filter>
    <spml:attributes>
        <dsml:attribute name="racfid"/>
        <dsml:attribute name="racfprogrammername"/>
        <dsml:attribute name="racfattributes"/>
    </spml:attributes>
    <spml:operationalAttributes>
        <spml:attr name="scope">
            <dsml:value>subtree</dsml:value>
        </spml:attr>
    </spml:operationalAttributes>
</spml:searchRequest>

Modify Membership and Enable a RACF User

The following request re-enables an account and adds a group membership. Note that enabling / disabling is performed via the RACF attribute racfAttributes, and that it is sufficient to manage memberships in the artificial user attribute “member”: the connector performs the corresponding changes in the connect entries in the sub-tree profiletype=CONNECT.

<spml:modifyRequest xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
                    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
        <spml:id>racfid=UIATES1,profiletype=USER,o=someNS</spml:id>
    </spml:identifier>
    <spml:modifications>
        <dsml:modification name="racfAttributes" operation="replace">
            <dsml:value>RESUME</dsml:value>
        </dsml:modification>
        <dsml:modification name="member" operation="add">
            <dsml:value>racfid=GIAMTES1,profiletype=GROUP,o=someNS</dsml:value>
        </dsml:modification>
    </spml:modifications>
</spml:modifyRequest>

Change a Password

The following request changes the password for a RACF user. Note that the old password must be provided as the operational attribute “currentpassword”.

<spml:modifyRequest xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
                    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
        <spml:id>racfid=UIATES1,profiletype=USER,o=someNS</spml:id>
    </spml:identifier>
    <spml:modifications>
        <dsml:modification name="racfPassword" operation="replace">
            <dsml:value>the-new-password</dsml:value>
        </dsml:modification>
    </spml:modifications>
    <spml:operationalAttributes>
        <spml:attr name="currentpassword">
            <dsml:value>the-old-password</dsml:value>
        </spml:attr>
    </spml:operationalAttributes>
</spml:modifyRequest>
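The following is an added example, not part of the connector or its documentation: a pre-flight check for SPML modify requests aimed at the RACF connector that applies the RACF-specific rules described in the two samples above (user identifiers are DNs in the profiletype=USER sub-tree, a racfPassword change must carry the old password as operational attribute "currentpassword", and membership values in the artificial "member" attribute must be group DNs in the profiletype=GROUP sub-tree). The sample request it is run on is constructed for this example.

```python
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
NS = {"spml": SPML, "dsml": DSML}


def _dn_components(dn: str) -> set[str]:
    """Split a DN into lower-cased 'attr=value' parts; spaces around ',' are ignored."""
    return {part.strip().lower() for part in dn.split(",") if part.strip()}


def check_racf_modify_request(xml_text: str) -> list[str]:
    """Return the rule violations found in an spml:modifyRequest (empty list = ok)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML}}}modifyRequest":
        return [f"not an spml:modifyRequest: {root.tag}"]
    problems = []
    ident = root.find("spml:identifier/spml:id", NS)
    # RACF users live in the profiletype=USER sub-tree of the Tivoli Directory.
    if ident is None or "profiletype=user" not in _dn_components(ident.text or ""):
        problems.append("identifier is not a DN in the profiletype=USER sub-tree")
    op_attrs = {a.get("name", "").lower(): [v.text or "" for v in a.findall("dsml:value", NS)]
                for a in root.findall("spml:operationalAttributes/spml:attr", NS)}
    for mod in root.findall("spml:modifications/dsml:modification", NS):
        name = mod.get("name", "").lower()
        values = [v.text or "" for v in mod.findall("dsml:value", NS)]
        if name == "racfpassword" and not any(op_attrs.get("currentpassword", [])):
            # The connector sets the new password and then binds with old + new
            # password; without the old one that bind step cannot be performed.
            problems.append("racfPassword change without currentpassword operational attribute")
        elif name == "member":
            # Memberships are written through the artificial 'member' attribute;
            # each value must be a group DN in the profiletype=GROUP sub-tree.
            for dn in values:
                if "profiletype=group" not in _dn_components(dn):
                    problems.append(f"member value is not a RACF group DN: {dn}")
    return problems


# Constructed sample: a password change that omits the old password.
BAD_PASSWORD_REQUEST = f"""<spml:modifyRequest xmlns:spml="{SPML}" xmlns:dsml="{DSML}">
  <spml:identifier type="{SPML}#DN"><spml:id>racfid=UIATES1,profiletype=USER,o=someNS</spml:id></spml:identifier>
  <spml:modifications><dsml:modification name="racfPassword" operation="replace">
    <dsml:value>the-new-password</dsml:value></dsml:modification></spml:modifications>
</spml:modifyRequest>"""

if __name__ == "__main__":
    for problem in check_racf_modify_request(BAD_PASSWORD_REQUEST):
        print("problem:", problem)
```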