Here's one that works for me. It asks if a userid is connected to a certain RACF group.
LDAPSRCH -v -h MVSHOST1 -p 3389 -D racfid=LDAPBIND,profileType=user,sysplex=BOSCOVS_RACF -w BINDER -b profiletype=connect,sysplex=BOSCOVS_RACF "(&(racfuserid=tsouser)(racfgroupid=DIALGRP))"

On Thursday 05 June 2003 15:02, you wrote:
> > You're welcome, but did it help you to the point you're working
> > now?
>
> I thought it would be a piece of cake after reading that redpaper...
> but after much trial and error, I'm still having problems.
>
> Here's what I'm up to...
>
> pam.d/httpd is a mere:
> auth required pam_ldap.so
> account required pam_ldap.so
> password required pam_ldap.so
>
> Which should be enough, really.
>
> /etc/openldap/ldap.conf is:
> host (host is fine)
> base profiletype=user,sysplex=TIMEPLEX
> binddn racfid=(racfid),profiletype=user,sysplex=TIMEPLEX
> bindpw (password in plain text)
> ldap_version 3
> pam_login_attribute racfid
> SASL_SECPROPS = none
>
> That racfid is from somebody with AUDITOR
>
> The messages I'm getting now are:
> Jun 5 14:38:20 linmast httpd: nss_ldap: could not search LDAP server
> - Insufficient access
> Jun 5 14:38:20 linmast last message repeated 15 times
> Jun 5 14:38:23 linmast httpd: pam_ldap: ldap_search_s Insufficient
> access
>
> Though in the past I also saw:
> Jun 5 14:19:43 linmast httpd: nss_ldap: could not search LDAP server
> - DSA is unwilling to perform, but that was when I had ldap in
> nsswitch.conf.
>
> With ldapsearch I have to use -x or the bind fails, so I've tried
> with and without the SASL_SECPROPS none. Ldapsearch worked with -P 3
> so ldap_version 3 should not be breaking anything.
>
> And ldapsearch -x -D "(racfid),profiletype=user,sysplex=TIMEPLEX" -W
> -b "racfid=(someoneelse),profiletype=user,sysplex=TIMEPLEX"
> "objectclass=*" works fine. It fails if I don't specify the -D -W
> though...
> Perhaps incorrectly I thought that ldapsearch would bind
> with the dn specified in /etc/openldap/ldap.conf if none was provided
> on the command line, but I get:
>
> text: R000137 'CN=ANYBODY' is not a valid RACF DN for bind. Check
> that the syntax is correct and that it is a DN for a RACF user.
>
> All in all it's a mess.
>
> ~ Daniel
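As an added example that is not part of either message in this thread, the script below does two things in plain Python (standard library only). First, it builds the same CONNECT-profile search the first message runs with LDAPSRCH, but with the userid and groupid escaped per RFC 4515 and the DN value per RFC 4514; that matters once the userid comes from a web login form, as it does with pam_ldap behind httpd, because an unescaped value can rewrite the filter. Second, it parses the nss_ldap and pam_ldap syslog lines quoted in the reply and counts failures per module and cause, folding the "last message repeated N times" line into the preceding entry. Host, port, suffix, user and group ids are the thread's own sample values; the sample log lines are constructed from the reply's messages joined back onto single lines, and the failure codes and their comments are this example's interpretation, not text from the server documentation.

```python
"""Added example, not code from the thread: build the RACF CONNECT-profile
search from the first message safely and summarize the syslog lines quoted
in the reply. Standard library only; sample values are the thread's own."""
import re

# RFC 4515: characters that change a filter's meaning if left unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def connect_filter(userid, groupid):
    """Filter matching the CONNECT profile that joins userid to groupid.
    Escaping matters when userid comes from a login form (pam_ldap behind
    httpd): an unescaped value could rewrite the filter."""
    return "(&(racfuserid=%s)(racfgroupid=%s))" % (
        escape_filter_value(userid), escape_filter_value(groupid))


def connect_base(sysplex):
    """Search base for CONNECT profiles under the RACF LDAP suffix."""
    return "profiletype=connect,sysplex=%s" % escape_dn_value(sysplex)


def ldapsearch_argv(host, port, bind_dn, base, search_filter):
    """argv for the same search with ldapsearch. An argv list (run with
    subprocess, no shell) avoids quoting bugs; -W prompts for the bind
    password instead of exposing it in the process list as -w would."""
    return ["ldapsearch", "-x", "-h", host, "-p", str(port), "-D", bind_dn,
            "-W", "-b", base, search_filter]


# pam_ldap / nss_ldap lines as written by syslog (format from the reply).
_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"(?P<module>nss_ldap|pam_ldap): (?P<msg>.*)$")
_REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def classify_log_line(line):
    """Map one syslog line to (module, failure code), or None if unrelated."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg").lower()
    if "insufficient access" in msg:
        code = "insufficient_access"      # bind id may not read the profiles
    elif "unwilling to perform" in msg:
        code = "unwilling_to_perform"     # server refused the operation
    else:
        code = "other"
    return (m.group("module"), code)


def summarize(lines):
    """Count failures per (module, code), folding 'last message repeated
    N times' into the preceding entry as syslog intends."""
    counts = {}
    last = None
    for line in lines:
        rep = _REPEAT_RE.search(line)
        if rep and last is not None:
            counts[last] += int(rep.group(1))
            continue
        key = classify_log_line(line)
        if key is None:
            continue
        counts[key] = counts.get(key, 0) + 1
        last = key
    return counts


# Constructed sample: the messages quoted in the reply, joined back onto
# single lines (syslog pads single-digit days with two spaces).
SAMPLE_LOG = [
    "Jun  5 14:38:20 linmast httpd: nss_ldap: could not search LDAP server - Insufficient access",
    "Jun  5 14:38:20 linmast last message repeated 15 times",
    "Jun  5 14:38:23 linmast httpd: pam_ldap: ldap_search_s Insufficient access",
    "Jun  5 14:19:43 linmast httpd: nss_ldap: could not search LDAP server - DSA is unwilling to perform",
]

if __name__ == "__main__":
    base = connect_base("BOSCOVS_RACF")
    filt = connect_filter("tsouser", "DIALGRP")
    print(base, filt)
    print(ldapsearch_argv("MVSHOST1", 3389,
                          "racfid=LDAPBIND,profileType=user,sysplex=BOSCOVS_RACF",
                          base, filt))
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-8s %-22s %d" % (key[0], key[1], n))
```

The summary for the quoted lines comes out as 16 nss_ldap "insufficient access" hits (the one logged line plus the 15 repeats), one pam_ldap "insufficient access" and one nss_ldap "unwilling to perform", which separates the permission problem on the bind identity from the earlier nsswitch-related refusal at a glance.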