the
ldapsearch command or any other ldap
client tool to retrieve user passwords in
clear text format.
Questions: 1) - Is this scenario accurate?
2) - What changes can we make to prevent a 'root' user from
gaining
Servers (ldap) - TIM TAM
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
On Wed, 18 Jan 2012 11:14:57 -0600, Bruce Wheatley bwheat...@cds.ca
wrote:
One of our middleware support staff has brought this possible exposure to
our attention
One of our middleware support staff has brought this possible exposure to our
attention:
By using the two-way encryption format, a
super user in ITDS (e.g. cn=root) can run the
ldapsearch command or any other ldap client
It doesn't require DB2.
Rob Schramm
Senior Systems Consultant
Imperium Group
You're right of course Rob, but I wanted to point out the potential restriction.
Also note that the SMF logging for LDAP events only has 512 bytes set aside for
DN values.
Geoff Rousell
IBM System z, UK
Also note that the SMF logging for LDAP events only has 512 bytes set
aside for DN values.
Geoff Rousell
IBM System z, UK
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists
RACF might enforce certain limits if you're accessing RACF resources via
the z/OS LDAP Server. If you're not doing that -- it's not required to do
that -- then no, I don't think there's any 256 character limit
Arye,
I presume you mean the conventional version of the Tivoli Directory Server
for z/OS, with DB2 as the back-end data store. For this case, it appears that
the *default* maximum DN value is 512, but this can be modified:
In the Tivoli Directory Server Administration and Use manual, in
It doesn't require DB2.
Rob Schramm
Senior Systems Consultant
Imperium Group
On Fri, Dec 9, 2011 at 6:45 AM, Geoff Rousell geoff_rous...@uk.ibm.com wrote:
Arye,
I presume you mean the conventional version of the Tivoli Directory Server
for z/OS, with DB2 as the back-end data store. For
Hello,
I have been asked to confirm that LDAP for z/OS (I believe it is now called
TIVOLI DIRECTOR) supports long names (256 characters or more).
I could not find reference to this issue in the regular books.
If anyone experienced with LDAP for z/OS can confirm (or deny) that long
names are supported
Cool, the newer versions of PL/1 support this, too,
when using the BYVALUE keyword on the ENTRY declarations:
DCL CFUNC ENTRY
(BIN FIXED (31) BYVALUE,
BIN FLOAT (53) BYVALUE,
POINTER BYVALUE)
RETURNS (BIN FIXED(31));
and then:
DCL X BIN FIXED (31);
DCL Y BIN FLOAT (53);
DCL P POINTER INIT
: Bernd Oppolzer bernd.oppol...@t-online.de
To: IBM-MAIN@bama.ua.edu
Sent: Sunday, November 6, 2011 1:10 PM
Subject: Re: C newbie - pass a LDAP handle out to calling routine
When calling C routines from other languages like COBOL or PL/1 (or FORTRAN),
you have to take into account that in C
On Fri, 4 Nov 2011 21:39:43 +, Dave Gibney wrote:
This is my first experience with C, but a language is a language after the
3rd or 4th :)
I'm calling C for LDAP queries from Natural (Software AG 4GL) in batch. And
it works, sort of.
One FM is IBM Tivoli Directory Server Client
In 0de6a9840123e547b061ac5b6765c0261c1...@exmb-05.ad.wsu.edu, on
11/04/2011
at 09:39 PM, Gibney, Dave gib...@wsu.edu said:
This is my first experience with C, but a language is a language
after the 3rd or 4th :)
To some extent, but every language has its quirks.
In
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
Behalf Of Bill Godfrey
Sent: Sunday, November 06, 2011 7:53 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: C newbie - pass a LDAP handle out to calling routine
On Fri, 4 Nov 2011 21:39:43 +, Dave
was
to be able to pass that address from ldap_init back out to the non C
driver so that it could be reused by the thousands of calls. The
solution was: extern int ret2nat (int *back_value, LDAP **ld, char
*msg) This pointer to a pointer format allows the fullword in the
calling non C program to hold the LDAP
was: extern int ret2nat (int
*back_value, LDAP **ld, char *msg) This pointer to a pointer format allows the
fullword in the calling non C program to hold the LDAP handle from call to call.
This is my first experience with C, but a language is a language after the
3rd or 4th :)
I'm calling C for LDAP queries from Natural (Software AG 4GL) in batch. And
it works, sort of.
One FM is IBM Tivoli Directory Server Client Programming for z/OS
If I use the sequence ldap_init
it beneficial to display addresses in hex. e.g.
printf("ld before bind :%08X\n",ld);
In article 0de6a9840123e547b061ac5b6765c0261c1...@exmb-05.ad.wsu.edu you
wrote:
This is my first experience with C, but a language is a language after the
3rd or 4th :)
I'm calling C for LDAP queries from Natural
experience with C, but a language is a language after
the 3rd or 4th :)
I'm calling C for LDAP queries from Natural (Software AG 4GL) in batch.
And it works, sort of.
One FM is IBM Tivoli Directory Server Client Programming for z/OS
If I use the sequence ldap_init, ldap_simple_bind_s
State University
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
Behalf Of Don Poitras
Sent: Friday, November 04, 2011 3:55 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: C newbie - pass a LDAP handle out to calling routine
Dave,
You need
to
diagnose run-time error.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Gibney, Dave
Sent: Friday, November 04, 2011 4:11 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: C newbie - pass a LDAP handle out to calling routine
First, thanks
, Dave
Sent: Friday, November 04, 2011 4:11 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: C newbie - pass a LDAP handle out to calling routine
First, thanks for the display in hex, that will help me a lot in future C
(if I'm ever here again after this project)
I've found the discussion of cast
I am calling ldap_xxx services from (ref IBM Tivoli Directory Server Client
Programming for z/OS) from IBM C.
I have a CINET environment, the ldap calls are working fine using my default
TCPIP region. In my RTM, I haven't found a way to tell the ldap_xxx to use one
of the other TCPIP(n
Hi List,
We're just about to do this, and don't have much time. Has anyone got any
migration tips so we can avoid gotchas? Currently we are on z/os 1.10, and
are migrating to 1.12.
Thanks,
John Zarzeck
Looking for install help on LDAP(TDS)
Asked to setup LDAP on z/OS--1.11
Looking at manual--getting confused...
Purpose is to extract info from RACF..few fields..NON-DB2...just a
flat/seq file...be it OS or zFS file..
Any help would be appreciated...believe I have the samp files at hand
Does the data need to be real-time? If not, have you considered using
IRRDBU00 to unload the RACF database to a sequential file?
--
John McKown
Maranatha!
Sent from my Vibrant Android phone.
On Nov 1, 2010 7:44 AM, Ron Wells rwe...@agfinance.com wrote:
Looking for install help on LDAP(TDS
from what I gather the ldap will be queried ? for information.like
userid/name ..at least what I have been told...
not familiar with irrdbu00 ..
From: John McKown john.archie.mck...@gmail.com
To: IBM-MAIN@bama.ua.edu
Date: 11/01/2010 02:31 PM
Subject: Re: LDAP
Sent
Does anyone have any detailed information on filling in the required fields on
the LDAP setup screen for the HMC? We are having some issues with what
should be in the search filter field. This is on a Z9.
On Tue, 6 Apr 2010 14:07:06 -0500, Mark Hammack mark.hamm...@gmail.com wrote:
I am attempting to write an LDAP client on z/OS that will bind to AD running
on Windows 2003 Server using the C API. The ldap_init() returns 0 and seems
to connect OK (the only problem I have with this is that I tried
I searched (maybe don't know what to ask) so if this has been discussed,
please point me in the right direction.
I am attempting to write an LDAP client on z/OS that will bind to AD running
on Windows 2003 Server using the C API. The ldap_init() returns 0 and seems
to connect OK (the only
. Actually, I would expect a 'user not
defined' kind of error from Windows upon any number of issues, to include
syntax errors, password error, expired password, etc etc etc.
I'm not sure, but I think Windows' 'flavor' of LDAP may expect to see a
suitably privileged 'bind' ID/password along
, 2009 7:43 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: HMC and LDAP
It is worth noting that we chose to leave the IBM supplied accounts like
SYSPROG, ACSADMIN, SERVICE in place as they are for this exact reason,
however of the 10 accounts defined, only 2 of us know those passwords
Hi Dave,
Thanks for your reaction! For us it's more a compliance question. I
wonder if implementing LDAP really makes things better on the HMC, but
there are some interesting points like security awareness and external
security done by the correct department, etc. Maybe it's also a good
point
...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G
p 616.653.8429
f 616.653.8497
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Corjan Nota
Sent: Tuesday, April 07, 2009 3:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: HMC and LDAP
I am somewhat aware of how MS LDAP works, and am horrified. A key issue to me
is that, by default, any user may display most all information about any other
in a given 'container'.
Even if that is not true, our shop still considers the risks of exposing the
'family jewels' (the SE/HMC LAN
We are thinking to authenticate operators on our company wide LDAP
Server residing on AIX behind a VPN with SSL/TLS. Not my preferred
platform, but I can live with it for now and we'll see how things are
going. Security management defines all operator userids on the HMC and
in the Active Directory
Kind of a chicken and egg. How can you IPL if your LDAP server is not
responding? Remember, as is, the MF can shrug off any LAN issues. You have the
power to put the operation of the MF at the mercy of the company LAN.
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm
To: IBM-MAIN@bama.ua.edu
Subject: Re: HMC and LDAP
Kind of a chicken and egg. How can you IPL if your LDAP server is not
responding? Remember, as is, the MF can shrug off any LAN issues. You
have the power to put the operation of the MF at the mercy of the
company LAN.
-Original Message
Hello list,
With HMC 2.9.2 it's possible to protect operator logon to the HMC with
LDAP. Is anybody already using this functionality? If so, I'm very
interested in how it is setup. We are using now a standalone HMC not
connected to the LAN. Operators logon with the standard IBM passwords
to our security standards (format, changes,
etc).
The problem with setup is that the documentation is not clear on how to
set it up. We select:
Locate by using the following name pattern
uid={0},ou=accounts,ou=b2e,dc=yourinfo,dc=yourinfo
you will have to work with your ldap folks, and come up
We got what we needed (which is not a lot) by adding SGLDEXEC to our
SYSPROC concatenation and using exec LDAPSRCH under ordinary TSO
Thanks to all for hints
Here is a simple rexx program using the GLDSRCH command. This of course
assumes that the RACFID is part of the LDAP structure you wish to query.
/* Rexx
Hello,
I have LDAP running on z/os 1.9. It has both secure and non-secure interfaces.
The following shows the jcl that I use as a client to the LDAP which is talking
to RACF
//LDAPSRCH EXEC PGM=IKJEFT01,DYNAMNBR=50,REGION=2048K
//ENVVAR DD DSN=SYS1.MVSZ.LDAPARMS(LDAPCENV
Andy
When you don't know where to start, a good place to start by default is the
IBM redbooks. Enter LDAP as a search word on
http://www.redbooks.ibm.com/
and see what takes your fancy. Understanding LDAP - Design and
Implementation jumps out but there are plenty of other hits - an amazing
Hi Andy,
there are C and Java based samples on the web, which can be used to create a
Module or Java class that runs on z/OS and connects to LDAP on other platform.
No LDAP Server on z/OS and RACF is required for this, because you simply have
LDAP client code running on z/OS.
You can
Hello Andy,
z/OS comes with an LDAP client which is of course hidden in the unix system
services :-)
If you enter the command 'ldapsearch' from the shell without parameters it
gives you some syntax synopsis ... probably the last lines are the most
important ones:
Refer to IBM Tivoli
We have some LDAP servers running under Lotus Notes on AIX boxes and we
want to check/validate some data held on z/OS against them. The validation
process must run on z/OS.
I've no real experience of using LDAP.
I'm aware that z/OS can run a LDAP server but that is not quite what we
want
On Wed, 15 Oct 2008 07:42:22 -0500, Chris Mason wrote:
When you don't know where to start, a good place to start by default is the
IBM redbooks. Enter LDAP as a search word on
http://www.redbooks.ibm.com/
and see what takes your fancy. Understanding LDAP - Design and
Implementation jumps out
Rob Schramm asks:
I haven't looked this up... but is the license for the IBM Metal C more
attractive to the customers that may have balked at the IBM C/C++
compiler?
Since the topic is COBOL calling COBOL to invoke a Java method,
C and C++ are not needed and are irrelevant to the question.
It
Ok Tom, then let me rephrase as a topic drift.
Does anyone know if the license for the IBM Metal C is more attractive to
the customers that may have balked at the IBM C/C++ compiler?
-Rob Schramm
Rob Schramm wrote:
Does anyone know if the license for the IBM Metal C is more attractive to
the customers that may have balked at the IBM C/C++ compiler?
AFAIK, METAL is an option not a compiler.
--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los
AFAIK, METAL is an option not a compiler
That is correct.
Bob Shannon
Rocket Software
Huh.. well.. I guess I am off to the manual/announcements. I was under
the impression that it was separately ordered... not just a part of the
existing C/C++ offering. I must have been engaging in wishful thinking.
-Rob Schramm
Sirius Computer Solutions
AFAIK, METAL is an option not a
Tim,
I haven't looked this up... but is the license for the IBM Metal C more
attractive to the customers that may have balked at the IBM C/C++
compiler?
-Rob Schramm
And to answer the other half of Magen Nargalit's question:
If a c/c++ connector is required and I don't have c/c++ compiler
for
Rob Schramm asks:
I haven't looked this up... but is the license for the IBM Metal C more
attractive to the customers that may have balked at the IBM C/C++
compiler?
Metal C is both a new compiler option and a runtime library found in the
base z/OS. You still have to license the IBM C/C++
And to answer the other half of Magen Nargalit's question:
If a c/c++ connector is required and I don't have c/c++ compiler
for z/os can I compile on another platform and port the
object / Module to z/os environment?
Yes, of course. You do not need the IBM C/C++ compiler installed in your
ldap server from a cobol program
is there any other way for doing it?
and last question.
If a c/c++ connector is required and I don't have c/c++ compiler
for z/os can I compile on another platform and port the
object / Module to z/os environment?
Any help would be appreciated.
Thanks
Magen
call a java program?
Do you still need to create a c/c++ connector?
I saw that oo cobol can call directly to java, can
a structured cobol call to an oo cobol which calls java?
I want to query z/os ldap server from a cobol program
is there any other way for doing it?
and last question
Are there any good examples of calling the LDAP search module (GLDSRCH)
from a COBOL program?
Bryan Klimek
Mayo Clinic
1.15 Calling the LDAP APIs from other languages
In order for a COBOL application to call the C LDAP client APIs, the COBOL
application must call a C application which, in turn, invokes the LDAP
APIs. However, if the COBOL application is link-edited into a separate
load module from a C program
On 8/22/2006 1:08 PM, [EMAIL PROTECTED] wrote:
Does anyone know how to REVOKE (Suspend) or RESUME a RACF Account via
the RACF LDAP Interface? Browsing the RACF LDAP instance, I see the
attribute racfattribute that is set to REVOKED - however If I try
to set that attribute from the LDAP interface
On 8/23/2006 4:24 PM, darona wrote:
OK Walt,
Thanks for the response.
If you need to RESUME the user, the solution is:
add: racfattributes
racfattributes: resume
It's OK
Except on z/OS R7 or later, where you would want:
add: racfattributes
racfattributes: resume norevoke
Walt
? And then grant
rights to foreign security principals from trusted realms within RACF?
Specifically, I am thinking about Active Directory and z/OS 1.7, RACF
v2r2, with LDAP and TCP/IP in place on the mainframe side. I am trying
to assist in identifying a strategy that moves our organization
Is there a non-IBM mainframe LDAP available? Should IBM LDAP be
required to use only standard SQL thus making any relational appearing
data base usable?
We'll have to see how the z/OS 1.8 LDAP Statement of Direction evolves.
You may wish to ask your favorite IBM contact about participating
it brings up the
possibility of anti-trust considerations in terms of the other vendors
being denied access to a facility. Tied sales tend to get the
interest of both US and European regulators.
/Rant
I'd really like to do LDAP, but it requires DB2 to be useful. IBM needs
to offer a LDAP only DB2
On 18 Apr 2006 06:20:35 -0700, [EMAIL PROTECTED] (Clark Morris) wrote:
Is there any hope of the other DBMS vendors being able to license the
ability to use Z/ipp processors?
There is hope, but it is by no means a certainty. It wouldn't hurt for
interested customers to make their wishes in this
Is there any hope of the other DBMS vendors being able to license
the
ability to use Z/ipp processors?
There is hope, but it is by no means a certainty. It wouldn't hurt
for
interested customers to make their wishes in this regard known to IBM.
IBM plans to disclose the software
Good news as IBM deny any information about the zAAP for some reason.
Roland
-Original Message-
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of Craddock, Chris
Sent: Tuesday, April 18, 2006 11:34 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: LDAP and DBMS
Schiradin,Roland HG-Dir itb-db/dc wrote:
Good news as IBM deny any information about the zAAP for some reason.
Because zAAPs can run good ol' unprivileged TCB mode code. zIIPs can run
only enclave SRBs.
--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
This is a code issue. I'm trying
to do something, and its not working, and I need some help from someone
who knows LDAP in z/OS 1.6. Here is a statement of my problem. By
the way, I am cloning an existing system, one that I wrote, to come up
with a similar system to achieve a similar result
Semi-LDAP rookie here(z/OS 1.4). Don't you have to say which objectclasses you
need any time you're adding a new record.
Does it work if you include the
objectclass=top
objectclass=OnCallNotes
lines in your LDIF file when adding the NoteNumber=6 record?
-Original Message
Glen.Gasior wrote:
[EMAIL PROTECTED] wrote:
Hi ,
you may check out this LDAP browser - easy to use.
http://www-unix.mcs.anl.gov/~gawor/ldap/
regards,
PMailand
*
Thank you.
*
Continuing with the first part of the question.
*
There is an LDAP server on z/OS 1.6, how can I determine the
suffix