racf-suffix
Use this stanza entry to set whether to treat all suffixes under the server:<instance> stanza as RACF suffixes.
racf-suffix = { yes | no }
Description
When this stanza entry is set to "yes", all the suffixes defined under the server:<instance> stanza are treated as RACF suffixes.
Take the following points into consideration when using RACF suffixes:
- RACF suffix users can only be searched for using two attributes: "racfid" and "krbprincipalname". RACF Security Verify Access basic users can only be searched for using the "racfid" and not the "krbprincipalname" attribute.
- It is possible that not all members of a RACF group of type "UNIVERSAL" will be returned. Only the members returned by the group's "racfgroupuserids" attribute will be listed.
- If importing groups or users as full Security Verify Access entities, the primary Security Verify Access registry must provide attribute definitions of all attributes used in the user or group DN. The attributes "profileType" and "racfid" must always be defined as these are always present in RACF user and group DNs. The embedded LDAP server used by ISAM contains definitions for "profileType", "racfid", and "sysplex". External LDAP Security Verify Access primary registries might also need updating to add the missing attribute definitions.
- The RACF suffixes provided must have "profileType=user", "profileType=group", and "profileType=connect" children entries directly under them.
- The pdadmin "user list-dn" and "group list-dn" operations normally use an LDAP filter that matches the "cn" of each user or group entry. For RACF suffixes, it will instead match the "racfid" of the user or group as RACF users do not have a "cn" attribute.
- The pdadmin "user list-dn" and "group list-dn" operations on RACF suffixes will also support the "?" (match any one character) wildcard character as this wildcard cannot be disabled (even though it is non-standard for LDAP search filters).
- A user show command will display the "racfid" value for "cn" and "sn" as these values do not exist for RACF users.
- The user create command will ignore the "sn" value provided and will use the "cn" value provided for creating the "racfid" value.
- The group create command will use the "cn" value provided for creating the "racfid" value.
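The two structural requirements above (the three "profileType" children directly under each RACF suffix, and attribute definitions for every attribute used in a RACF DN) can be checked before setting racf-suffix = yes. The following is an added example, not part of the product or its documentation: the function names, the suffix "cn=RACFDEMO,o=example", and the sample DNs and schema set are constructed, and it assumes the entry DNs and the registry's attribute names were already retrieved by a separate LDAP search.

```python
import re

REQUIRED_CHILDREN = ("user", "group", "connect")
ALWAYS_IN_RACF_DN = ("profiletype", "racfid")

def split_dn(dn):
    """Split a DN into normalised, lower-cased RDNs (honours backslash-escaped commas)."""
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower()
            for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]

def missing_children(suffix, entry_dns):
    """Return the profileType containers that are NOT direct children of suffix."""
    base = split_dn(suffix)
    direct = {rdns[0] for rdns in map(split_dn, entry_dns)
              if len(rdns) == len(base) + 1 and rdns[1:] == base}
    return [t for t in REQUIRED_CHILDREN if f"profiletype={t}" not in direct]

def undefined_dn_attributes(dn, schema_attrs):
    """Return attribute types needed for a RACF DN that the registry schema lacks."""
    defined = {a.lower() for a in schema_attrs}
    used = []
    for rdn in split_dn(dn):
        for ava in re.split(r"(?<!\\)\+", rdn):      # multi-valued RDN
            attr = ava.split("=", 1)[0].strip()
            if attr not in used:
                used.append(attr)
    # profileType and racfid are always present in RACF user and group DNs
    for attr in ALWAYS_IN_RACF_DN:
        if attr not in used:
            used.append(attr)
    return [a for a in used if a not in defined]

# Constructed sample data (not taken from a real directory)
SUFFIX = "cn=RACFDEMO,o=example"
ENTRIES = [
    "profileType=User, cn=RACFDEMO, o=example",
    "profileType=group,cn=RACFDEMO,o=example",
    "racfid=U1,profileType=connect,cn=RACFDEMO,o=example",  # too deep to count
]
USER_DN = "racfid=U1,profileType=user,cn=RACFDEMO,o=example"
EXTERNAL_SCHEMA = {"cn", "o", "racfid"}   # external registry lacking profileType

if __name__ == "__main__":
    print("missing children:", missing_children(SUFFIX, ENTRIES))
    print("undefined attributes:", undefined_dn_attributes(USER_DN, EXTERNAL_SCHEMA))
```
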
Options
- yes: Treat all suffixes as RACF suffixes.
- no: Do not treat all suffixes as RACF suffixes.
Usage: Optional
Default value: no
Example:
racf-suffix = no
Parent topic: [server:<instance>] stanza