IBM Tivoli Directory Integrator
The z/OS LDAP Changelog Connector is a specialized instance of the LDAP Connector. It is configured for use with a z/OS Directory Server, accessed using the LDAP protocol over TCP/IP ("zLDAP").
There are some differences in the way changes to password policy operational attributes are logged to cn=changelog in IBM Tivoli Directory Server on z/OS and in Distributed IBM Tivoli Directory Server (which runs on other platforms). See Differences between changelog on distributed TDS and z/OS TDS for details on the currently known differences in behavior between the two versions.
This connector supports Delta Tagging at the Entry level, the Attribute level and the Attribute Value level. It is the LDIF Parser that provides delta support at the Attribute and Attribute Value levels.
This connector is able to intercept changes from the changelog of a RACF (Resource Access Control Facility) LDAP server. RACF is the security manager of z/OS and it maintains a database containing usernames and passwords. Changes to this database can be logged in the changelog of an LDAP server such as IBM Tivoli Directory Server (TDS). The changelog of this server can be accessed through the GDBM LDAP interface, and the RACF database itself through the SDBM interface. This connector is suitable for propagating changes of sensitive information (usernames, passwords, and so forth) across LDAP servers on different z/OS machines or other distributed platforms.
The Connector detects modrdn operations in the Server's changelog; see Detect and handle modrdn operation for more information.
This component is not available in the TDI 7.1 General Purpose Edition.
In older versions of TDI, the z/OS LDAP Changelog Connector merges the Attributes of the changelog Entry with the changed Attributes of the actual Directory Entry. This creates issues because the merged result no longer shows which attributes have changed. The TDI 7.1 version of the Connector has logic to address these situations, configured by the Merge Mode parameter. The modes are:
- Merge changelog and changed data: The Connector merges the attributes of the Changelog Entry with the changed attributes of the actual Directory Entry. This is the older implementation and keeps backward compatibility.
- Return only changed data: Returns only the modified/added attributes, which makes the Changelog Iterator and Delta mode easier to use. This is the default; note that in configurations developed under and migrated from earlier versions of TDI, you may need to select Merge changelog and changed data manually to ensure identical behavior.
- Return both: Returns an Entry that contains the changed attributes of the actual Directory Entry and an additional attribute called "changelog" which contains the attributes of the Changelog Entry. This lets you easily distinguish between the two sets of Attributes.
Delta tagging is supported in all merge modes, and entries can be transferred between different LDAP servers without much scripting.
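To make the three merge modes concrete, the following JavaScript is an added illustration and not code from the TDI product. It models a changelog entry and the live directory entry as plain objects (attribute name to array of values), picks the attributes named in the changelog entry's changes attribute out of the directory entry, and builds the output Entry for each Merge Mode. The DNs, attribute names and values are constructed, and the small changes parser is a minimal model of the LDIF change format, not TDI's own LDIF Parser.

```javascript
// Added example, not the TDI product's code: models the three Merge Mode
// behaviours on constructed data. Entries are plain objects mapping an
// attribute name to an array of values, the shape of a multi-valued LDAP entry.

// Parse the LDIF-style "changes" attribute of a changelog entry into a list of
// {op, attr, values} modifications; a lone "-" ends each modification.
function parseChanges(changes) {
  const mods = [];
  let current = null;
  for (const raw of changes.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    if (line === "-") {
      if (current) mods.push(current);
      current = null;
      continue;
    }
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error("malformed change line: " + line);
    const key = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (current === null) {
      if (!["add", "delete", "replace"].includes(key)) {
        throw new Error("expected add/delete/replace, got: " + line);
      }
      current = { op: key, attr: value, values: [] };
    } else if (key === current.attr.toLowerCase()) {
      current.values.push(value);
    } else {
      throw new Error("value for " + key + " inside modification of " + current.attr);
    }
  }
  if (current) mods.push(current);
  return mods;
}

// Case-insensitive attribute lookup, since LDAP attribute names are.
function lookup(entry, attr) {
  const key = Object.keys(entry).find((k) => k.toLowerCase() === attr.toLowerCase());
  return key === undefined ? null : { key, values: entry[key] };
}

// The "changed attributes of the actual Directory Entry": the attributes named
// in the changelog entry, with their current values read from the live entry.
function changedAttributes(changelogEntry, directoryEntry) {
  const changed = {};
  for (const mod of parseChanges(changelogEntry.changes[0])) {
    const hit = lookup(directoryEntry, mod.attr);
    if (hit) changed[hit.key] = [...hit.values]; // a deleted attribute is simply absent
  }
  return changed;
}

const MergeMode = {
  MERGE: "Merge changelog and changed data",
  CHANGED_ONLY: "Return only changed data",
  BOTH: "Return both",
};

function buildEntry(mode, changelogEntry, directoryEntry) {
  const changed = changedAttributes(changelogEntry, directoryEntry);
  const changelogAttrs = Object.fromEntries(
    Object.entries(changelogEntry).map(([k, v]) => [k, [...v]])
  );
  switch (mode) {
    case MergeMode.MERGE:
      // Pre-7.0 behaviour: one flat namespace, so a consumer cannot tell a
      // changelog attribute from a changed directory attribute.
      return { ...changelogAttrs, ...changed };
    case MergeMode.CHANGED_ONLY:
      return changed;
    case MergeMode.BOTH:
      return { ...changed, changelog: changelogAttrs };
    default:
      throw new Error("unknown merge mode: " + mode);
  }
}

// Constructed changelog entry, as it would be read under cn=changelog.
const sampleChangelog = {
  changenumber: ["1042"],
  targetdn: ["uid=jsmith,ou=people,o=example"],
  changetype: ["modify"],
  changetime: ["20110315093012Z"],
  changes: ["replace: mail\nmail: jsmith@example.test\n-\nadd: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"],
};

// Constructed current state of the target entry in the directory.
const sampleDirectory = {
  uid: ["jsmith"],
  cn: ["John Smith"],
  mail: ["jsmith@example.test"],
  telephoneNumber: ["+1 555 0100"],
  description: ["unchanged attribute; must not appear in the output"],
};

for (const mode of Object.values(MergeMode)) {
  console.log(mode, "->", JSON.stringify(buildEntry(mode, sampleChangelog, sampleDirectory)));
}
```

Running it shows why the default is Return only changed data: the output holds exactly mail and telephoneNumber, while Merge changelog and changed data puts changenumber, targetdn and the changed attributes side by side in one namespace, and Return both keeps the changelog attributes under the single changelog attribute where a downstream script can inspect them without mistaking them for directory data.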
The Connector needs the following parameters:
- LDAP URL: The LDAP URL for the connection (ldap://host:port).
- Login username: The LDAP distinguished name used for authentication to the server. Leave blank for anonymous access.
- Login password: The credentials (password).
- Authentication Method: Type of LDAP authentication. Can be one of the following:
  - Anonymous: If this authentication method is set, the server to which a client is connected does not know or care who the client is. The server allows such clients to access data configured for non-authenticated users. The Connector automatically specifies this authentication method if no username is supplied. However, if this type of authentication is chosen and Login username and Login password are supplied, then the Connector automatically sets the authentication method to Simple.
  - Simple: Uses Login username and Login password. Treated as anonymous if Login username and Login password are not provided. Note that the Connector sends the fully qualified distinguished name and the client password in cleartext unless you configure the Connector to communicate with the LDAP Server using the SSL protocol.
  - CRAM-MD5: One of the SASL authentication mechanisms. On connection, the LDAP Server sends a challenge to the LDAP client (that is, this Connector). The client then sends a response containing an MD5-based digest computed from the challenge and the password, and the LDAP Server verifies the client's password against it. CRAM-MD5 is supported only by LDAP v3 servers. It is not supported against any supported version of Tivoli Directory Server.
  - SASL: The client (this Connector) uses a Simple Authentication and Security Layer (SASL) authentication method when connecting to the LDAP Server. Operational parameters for this type of authentication must be specified using the Extra Provider Parameters option; for example, to set up DIGEST-MD5 authentication, add the following parameter in the Extra Provider Parameters field:
    java.naming.security.authentication:DIGEST-MD5
    For more information on SASL authentication and parameters see http://java.sun.com/products/jndi/tutorial/ldap/security/sasl.html. Not all directory servers support all SASL mechanisms, and in some cases they are not enabled by default. Check the documentation and configuration options of the directory server you are connecting to.
- Use SSL: If Use SSL is true (that is, checked), the Connector uses SSL to connect to the LDAP server. Note that the port number might need to be changed accordingly.
- ChangeLog Base: The search base where the Changelog is kept. The standard DN for this is cn=changelog.
- Extra Provider Parameters: Allows you to pass a number of extra parameters to the JNDI layer. It is specified as name:value pairs, one pair per line.
- Iterator State Key: Specifies the name of the parameter that stores the current synchronization state in the User Property Store of IBM TDI. This must be a unique name among all parameters stored in one instance of the IBM TDI User Property Store.
- Start at: Specifies the starting changenumber. Each Changelog entry is named changenumber=intvalue; the Connector starts at the number specified by this parameter and automatically increases it by one. The special value EOD means start at the end of the Changelog.
- State Key Persistence: Governs the method used for saving the Connector's state to the System Store. The default is End of Cycle, and the choices are:
  - After read: Updates the System Store when you read an entry from the directory server's change log, before you continue with the rest of the AssemblyLine.
  - End of cycle: Updates the System Store with the change log number when all Connectors and other components in the AssemblyLine have been evaluated and executed.
  - Manual: Switches off the automatic updating of the System Store with this Connector's state information; instead, you need to save the state by calling the z/OS LDAP Changelog Connector's saveStateKey() method somewhere in your AssemblyLine.
- Merge mode: Governs the method used for merging attributes of the Changelog Entry and changed attributes of the actual Directory Entry. The default is Return only changed data. The possible values are:
  - Merge changelog and changed data: Pre-7.0 implementation; for backward compatibility.
  - Return only changed data: Returns only the modified/added attributes.
  - Return both: Returns changed attributes of the actual Directory Entry, plus an additional attribute called "changelog" that contains an Entry with changelog attributes.
- Timeout: Specifies the number of seconds the Connector waits for the next Changelog entry. The default is 0, which means wait forever.
- Sleep Interval: Specifies the number of seconds the Connector sleeps between each poll. The default is 60.
- Detailed Log: If this field is checked, additional log messages are generated.
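The authentication rules above (Anonymous plus credentials becomes Simple, Simple without credentials becomes Anonymous, Simple without SSL sends the bind DN and password in cleartext, SASL takes its mechanism from Extra Provider Parameters) and the name:value format of Extra Provider Parameters are easiest to check in code. The following JavaScript is an added model, not the connector's own code: it turns a set of connector parameters into a JNDI environment using the standard JNDI property names (java.naming.provider.url, java.naming.security.authentication, java.naming.security.principal, java.naming.security.credentials, java.naming.security.protocol). How the product maps its fields internally, and that extra parameters are applied last and may override, are assumptions of the example; the configurations are constructed.

```javascript
// Added example, not the connector's own code: a model of how the documented
// parameters translate into a JNDI environment. Property names are the standard
// JNDI ones; the mapping itself and the override order are assumptions here.

// Parse the "Extra Provider Parameters" field: one name:value pair per line.
// Split on the FIRST colon only, so a value such as ldap://host:389 survives.
function parseExtraProviderParameters(text) {
  const params = {};
  for (const raw of (text || "").split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error("malformed extra provider parameter: " + line);
    params[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return params;
}

// cfg fields mirror the connector parameters: ldapUrl, loginUsername,
// loginPassword, authenticationMethod, useSsl, extraProviderParameters.
function buildJndiEnvironment(cfg) {
  const env = { "java.naming.provider.url": cfg.ldapUrl };
  const warnings = [];
  const hasCredentials = Boolean(cfg.loginUsername) && Boolean(cfg.loginPassword);
  let method = cfg.authenticationMethod;

  // Documented rules: Anonymous with a username and password becomes Simple,
  // and Simple without them is treated as Anonymous.
  if (method === "Anonymous" && hasCredentials) method = "Simple";
  if (method === "Simple" && !hasCredentials) method = "Anonymous";

  switch (method) {
    case "Anonymous":
      env["java.naming.security.authentication"] = "none";
      break;
    case "Simple":
      env["java.naming.security.authentication"] = "simple";
      break;
    case "CRAM-MD5":
      env["java.naming.security.authentication"] = "CRAM-MD5";
      break;
    case "SASL":
      // The mechanism comes from Extra Provider Parameters, for example
      // java.naming.security.authentication:DIGEST-MD5 (checked below).
      break;
    default:
      throw new Error("unknown authentication method: " + method);
  }
  if (method !== "Anonymous") {
    env["java.naming.security.principal"] = cfg.loginUsername;
    env["java.naming.security.credentials"] = cfg.loginPassword;
  }
  if (cfg.useSsl) env["java.naming.security.protocol"] = "ssl";

  // Documented caveat: a Simple bind without SSL sends DN and password in cleartext.
  if (method === "Simple" && !cfg.useSsl) {
    warnings.push("Simple authentication without Use SSL sends the bind DN and password in cleartext");
  }

  // Assumption: extra provider parameters are applied last and may override.
  Object.assign(env, parseExtraProviderParameters(cfg.extraProviderParameters));
  if (method === "SASL" && !env["java.naming.security.authentication"]) {
    throw new Error("SASL chosen but java.naming.security.authentication is not set in Extra Provider Parameters");
  }
  return { env, warnings };
}

// Constructed configurations: the weak setting and its corrected counterpart
// (host, DN and password are placeholders, not real values).
const weakConfig = {
  ldapUrl: "ldap://zldap.example.test:389",
  loginUsername: "cn=tdi-changelog,o=example",
  loginPassword: "constructed-password",
  authenticationMethod: "Simple",
  useSsl: false,
  extraProviderParameters: "",
};
const hardenedConfig = { ...weakConfig, ldapUrl: "ldap://zldap.example.test:636", useSsl: true };

console.log("weak:", buildJndiEnvironment(weakConfig).warnings);          // one cleartext warning
console.log("hardened:", buildJndiEnvironment(hardenedConfig).warnings);  // []
```

The warnings list is the part worth wiring into a configuration review: a connector that propagates RACF credential changes and binds with Simple authentication over a non-SSL URL exposes its own bind DN and password on the network, and the fix is the hardened configuration (Use SSL checked, with the port adjusted as the Use SSL parameter notes).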
Changing the Timeout or Sleep Interval value automatically adjusts the other to a valid value (for example, when Timeout is greater than Sleep Interval, the value that was not edited is adjusted to be in line with the other). The adjustment is done when the field editor loses focus.
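What Start at and the three State Key Persistence settings mean for a run that fails part-way through is easiest to see on a simulation. The following JavaScript is an added example, not TDI code: the in-memory changelog, the property store and the processEntry callback (which stands for the rest of the AssemblyLine and receives a saveStateKey function modelling the Connector's saveStateKey() call under Manual persistence) are constructed for the example, and the Timeout and Sleep Interval wait is represented only by a comment.

```javascript
// Added example, not TDI code: simulates one iteration run over an in-memory
// changelog under each State Key Persistence setting, to show where the
// Connector resumes after an AssemblyLine cycle fails part-way through.

const StateKeyPersistence = {
  AFTER_READ: "After read",
  END_OF_CYCLE: "End of cycle",
  MANUAL: "Manual",
};

// Constructed changelog entries, named changenumber=N under cn=changelog.
const sampleLog = [
  { changenumber: 1040, targetdn: "uid=alice,ou=people,o=example", changetype: "modify" },
  { changenumber: 1041, targetdn: "uid=bob,ou=people,o=example", changetype: "add" },
  { changenumber: 1042, targetdn: "uid=carol,ou=people,o=example", changetype: "delete" },
];

// Resolve "Start at": an integer changenumber, or EOD for the end of the
// changelog, taken here as the number after the highest entry present.
function resolveStartAt(startAt, log) {
  if (startAt === "EOD") {
    return log.length ? Math.max(...log.map((e) => e.changenumber)) + 1 : 1;
  }
  const n = Number.parseInt(startAt, 10);
  if (!Number.isInteger(n) || n < 0) throw new Error("invalid Start at value: " + startAt);
  return n;
}

// Minimal stand-in for the User Property Store: the Iterator State Key holds
// the next changenumber to read.
class PropertyStore {
  constructor() { this.values = new Map(); }
  save(key, value) { this.values.set(key, value); }
  load(key) { return this.values.get(key); }
}

// Run once over the changelog. processEntry(entry, saveStateKey) stands for
// the rest of the AssemblyLine; if it throws, the run stops as a failing
// AssemblyLine would. saveStateKey models the Connector's saveStateKey() call
// that Manual persistence relies on.
function runChangelog(log, store, stateKey, startAt, persistence, processEntry) {
  let next = store.load(stateKey) ?? resolveStartAt(startAt, log);
  const processed = [];
  let failedAt = null;
  try {
    for (;;) {
      const entry = log.find((e) => e.changenumber === next);
      // No further entry: a real Connector would now wait (Timeout) and poll
      // again after Sleep Interval seconds; the simulation simply stops.
      if (!entry) break;
      const current = next;
      const saveStateKey = () => store.save(stateKey, current + 1);
      if (persistence === StateKeyPersistence.AFTER_READ) saveStateKey();
      processEntry(entry, saveStateKey);
      processed.push(current);
      if (persistence === StateKeyPersistence.END_OF_CYCLE) saveStateKey();
      next = current + 1;
    }
  } catch (err) {
    failedAt = next; // only what was persisted before the failure survives
  }
  // Where a restart would begin: the persisted state, or Start at if nothing was saved.
  const resumeAt = store.load(stateKey) ?? resolveStartAt(startAt, log);
  return { processed, failedAt, resumeAt };
}

// A downstream step that fails on changenumber 1041 (constructed scenario).
function failOn1041(entry) {
  if (entry.changenumber === 1041) throw new Error("downstream write failed");
}

for (const mode of Object.values(StateKeyPersistence)) {
  const result = runChangelog(sampleLog, new PropertyStore(), "zos-changelog", "1040", mode, failOn1041);
  console.log(mode, "-> processed", result.processed, "resume at", result.resumeAt);
}
```

With the failure on changenumber 1041, After read resumes at 1042 and the failed change is never delivered, which for a connector propagating credential changes means a password or revocation that silently does not arrive; End of cycle resumes at 1041 and delivers it twice if the first attempt partially succeeded, so the downstream write must tolerate a replay; Manual resumes at Start at unless the AssemblyLine called saveStateKey(), which lets the state be committed exactly after the downstream write has succeeded.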
Related information:
- Change logging in Tivoli Directory Server for z/OS
- Accessing RACF Resource Profiles through the IBM Tivoli Directory Server for z/OS
- RACF Documentation
- LDAP Connector
- Active Directory Change Detection Connector
- IBM Tivoli Directory Server Changelog Connector
- Sun Directory Change Detection Connector