I have z/VM 5.4 with the native CMS LDAP server and RACF. I'm trying to
get it configured so my Linux guests can authenticate via LDAP. I have
been through the following documents:

Security on z/VM
TCP/IP LDAP Administration Guide
TCP/IP Planning and Customization
Rich Smrcina's "Configuring LDAP on z/VM and Linux"
Alan Altmark's "Securing Linux using LDAP with z/VM RACF"

All of these documents have helped me to a point...

As long as I bind to LDAP as LDAPADM, the administrator, I can retrieve
data with an LDAPSRCH (and ldapsearch under Linux). As soon as I try to
bind as any other user to retrieve data, it fails. This command is
issued after adding the user to LDAP via an LDIF file:

ldapsrch -h 127.0.0.1 -D "cn=user1,o=ibm" -w *masked* -s base -b o=ibm "objectclass=*"

It fails with:

ldap_sasl_bind_s: Operations error
ldap_sasl_bind_s: additional info: R004176 The __passwd() function
failed with error 164 (srv_authenticate_native_password)

user1 is in RACF. It also has an enveloped password:

USER=USER1  NAME=UNKNOWN  OWNER=SYS1      CREATED=09.195
 DEFAULT-GROUP=SYS1     PASSDATE=09.267 PASS-INTERVAL= 60 PHRASEDATE=N/A
 PASSWORD ENVELOPED=YES
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=09.267/10:18:13
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 ---------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1
CONNECT-DATE=09.195
    CONNECTS=    54  UACC=NONE     LAST-CONNECT=09.267/10:18:13
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
 NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

Using the same search command as above without the user in the LDAP
database, the result is:

ldap_sasl_bind_s: Credentials are not valid
ldap_sasl_bind_s: additional info: R004062 Credentials are not valid
(ldbm_authenticate_user)

From Linux, I can issue this command and successfully execute a search
if I reference the RACF account:

ldapsearch -x -h 10.0.0.1 -D "racfid=user1,profiletype=user,cn=racfvm" -W -L -b o=ibm "objectclass=*"

I am obviously missing something here. I don't understand what that
might be, so I'm appealing to the group for assistance.

For reference, I will include the LDAP server's initialization messages:

Server Configuration
adminDN: cn=ldapadm, o=ibm
adminPW: *not configured*
allowAnonymousBinds: on
armName: GLDSRVR
audit 1: off
commThreads: 10
db2StartUpRetryInterval: 45
db2StartUpRetryLimit: 0
db2Terminate: recover
dnCacheSize: 1000
idleConnectionTimeout: 0
listen 1: ldap://:389
listen 2: ldap://:pc
listen 3: ldaps://:636
logfile: /etc/ldap/gldlog.output
maxConnections: 65535
operationsMonitor: IPANY
operationsMonitorSize: 1000
pcIdleConnectionTimeout: 0
pcThreads: 10
pwSearchOutput: binary
schemaPath: /var/ldap/schema
schemaReplaceByValue: on
securityLabel: off
sendV3StringsOverV2As: UTF-8
serverEtherAddr: 4020971CBEDB
serverSysplexGroup: undefined
sizeLimit: 500
srvStartUpError: terminate
sslAuth: serverAuth
sslCertificate: LDAPsslVM5
sslCipherSpecs: 050435363738392F303132330A1613100D0915120F0C0306
sslKeyRingFile: /var/ldap/IRR.PWENV.KEYRING
sslMapCertificate: off fail
supportKrb5: off
tcpTerminate: recover
timeLimit: 3600
validateIncomingV2Strings: on

database GDBM GLDBGD31 GDBM-0001
changeLogging: on
changeLoggingParticipant: on
changeLogMaxAge: 0
changeLogMaxEntries: 0
commitCheckpointEntries: 10000
commitCheckpointTOD: 00:00
databaseDirectory: /var/ldap/gdbm
fileTerminate: recover
filterCacheBypassLimit: 100
filterCacheSize: 0
multiServer: off
persistentSearch: off
readOnly: off
sizeLimit: 500
suffix 1: CN=CHANGELOG
timeLimit: 3600

database LDBM GLDBLD31 LDBM-0002
changeLoggingParticipant: on
commitCheckpointEntries: 10000
commitCheckpointTOD: 00:00
databaseDirectory: /var/ldap/ldbm
extendedGroupSearching: off
fileTerminate: recover
filterCacheBypassLimit: 100
filterCacheSize: 5000
krbIdentityMap: off
multiServer: off
nativeAuthSubtree 1: O=IBM
nativeUpdateAllowed: on
persistentSearch: off
pwCryptCompat: on
pwEncryption: none
readOnly: off
secretEncryption: none
sizeLimit: 500
suffix 1: o=ibm
timeLimit: 3600
useNativeAuth: all

database SDBM GLDBSD31 SDBM-0003
krbIdentityMap: off
readOnly: off
sizeLimit: 500
suffix 1: cn=RACFVM
timeLimit: 3600

Thanks in advance,
Dave Keeton
State of Oregon
