Suffix definitions

Security Verify Access processes all defined LDAP suffixes by default.

If the LDAP server defines suffixes that ISAM must not use, add them to the /access_mgr_install_dir/etc/ldap.conf file with the ignore-suffix keyword when you configure IBM Security Verify Access for LDAP on z/OS®. For example:

ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser

In this example, the sysplex=UTCPLXJ8 suffix is used to access the z/OS SDBM (RACF®) database. The LDAP administrator ID that ISAM uses during configuration is not a RACF user ID on the z/OS system and does not have the authority to do SDBM searches. If this suffix were not in the ignore-suffix list, Security Verify Access would receive return code x'32' (LDAP_INSUFFICIENT_ACCESS) during configuration.

The other suffixes in the list are used by other applications on z/OS and can be ignored by ISAM.
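
An added example, not part of the IBM documentation: a Python check that compares the ignore-suffix entries in ldap.conf with the suffixes the LDAP server advertises, and reports which suffixes would still be processed and which ignore-suffix entries match no server suffix (for instance, a mistyped sysplex name). The server suffix list, including o=example,c=us, is constructed sample data, and case-insensitive DN matching is an assumption of this example.

```python
import re

# Constructed sample: the ignore-suffix lines from the example above.
SAMPLE_LDAP_CONF = '''\
ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser
'''
# Constructed sample: suffixes the server is assumed to advertise (namingContexts).
SAMPLE_NAMING_CONTEXTS = ["SYSPLEX=UTCPLXJ8", "o=Your Company", "o=MQuser", "o=example,c=us"]

IGNORE_RE = re.compile(r'^\s*ignore-suffix\s*=\s*(.*?)\s*$')

def parse_ignore_suffixes(conf_text):
    """Return the ignore-suffix values in file order, outer quotes removed."""
    values = []
    for line in conf_text.splitlines():
        m = IGNORE_RE.match(line)
        if m and m.group(1):
            value = m.group(1)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            values.append(value)
    return values

def normalize_dn(dn):
    """Simplified DN normalization (assumption): case-insensitive, spaces
    around ',' and '=' ignored. Escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(','):
        attr, _, val = rdn.partition('=')
        rdns.append(attr.strip().lower() + '=' + ' '.join(val.split()).lower())
    return ','.join(rdns)

def audit_suffixes(conf_text, naming_contexts):
    """Return (suffixes still processed, ignore-suffix entries matching no
    server suffix), each as the original strings."""
    ignored = {normalize_dn(s): s for s in parse_ignore_suffixes(conf_text)}
    served = {normalize_dn(s): s for s in naming_contexts}
    still_processed = [s for k, s in served.items() if k not in ignored]
    unmatched = [s for k, s in ignored.items() if k not in served]
    return still_processed, unmatched

if __name__ == "__main__":
    processed, unmatched = audit_suffixes(SAMPLE_LDAP_CONF, SAMPLE_NAMING_CONTEXTS)
    print("Suffixes still processed:", processed)
    print("ignore-suffix entries with no matching server suffix:", unmatched)
```
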

ISAM supports LDAP failover and load balancing for read operations. If a replica server is configured, provide the replica host name to ISAM in the ldap.conf file, which is installed with ISAM in the etc subdirectory.
