1.4 Processing Description

This section discusses the processing of commands and events by the driver and the preconfigured starter set of policies and filters. For information about customizing this processing, see Section 3.0, Customizing the Driver. Topics include

1.4.1 Subscriber and Publisher Channel Processing

The Subscriber channel processes XDS commands for users and groups subject to the limitations of RACF. The Subscriber channel constructs RACF commands using the values of z/OS RACF schema attributes in the XDS documents that it receives. Some values or combinations of values are invalid, not meaningful, or subject to other RACF restrictions.

The Publisher channel generates XDS event documents based on values specified on RACF commands. Certain RACF command parameters and values, or combinations of parameters and values can cause side effects that are not reflected in the events that are generated. Other RACF processing, such as a user being revoked because of an excessive number of invalid password attempts, does not cause an event. Changes made directly to the RACF database, such as those made using ICHEINTY, do not generate events.

For more details about driver processing for z/OS RACF schema attributes, see Section A.2, RACF Command Parameter Mapping. For details about the handling of certain special cases, see Section A.3, Driver Processing of Attributes and Commands.

1.4.2 Policy Summary

The following tables summarize the preconfigured sample policies and filter.

Schema Mapping Policy

Class User in eDirectory corresponds to class User in z/OS RACF.

Table 1-1 Preconfigured Mapping Policy - Class User

  eDirectory                      z/OS RACF
  ----------------------------    -----------------------------
  CN                              DirXML-RACF-userid
  Group Membership                DirXML-RACF-groups
  Login Disabled                  DirXML-RACF-revoked
  Login Expiration Time           DirXML-RACF-revokedate
  Password Expiration Interval    DirXML-RACF-password-interval

Class Group in eDirectory corresponds to class Group in z/OS RACF.

Table 1-2 Preconfigured Mapping Policy - Class Group

  eDirectory                      z/OS RACF
  ----------------------------    -----------------------------
  CN                              DirXML-RACF-group

Filter

Classes and their attributes can be synchronized or ignored by each channel. The flow of data is specified during installation, and can be changed later using iManager. The preconfigured filter contains the attributes shown in the following list.

  • Class User

    • CN

    • Group Membership

    • Login Disabled

    • Login Expiration Time

    • Password Expiration Interval

    • nspmDistributionPassword

    • DirXML-SPEntitlements

  • Class Group

    • CN

Subscriber Channel

Table 1-3 Preconfigured Sample Policies - Subscriber Channel

  Policy      Processing
  ---------   ---------------------------------------------------------------
  Event       Changes delete commands for a User object to set Login Disabled to true.
              Vetoes delete commands for a Group object.
              Vetoes rename and move commands.
  Matching    If configured to do so, vetoes all operations for objects with no association.
              If entitlements are not configured, vetoes events for User objects not in the specified subtree.
              Vetoes events for Group objects not in the specified subtree.
              Matches User and Group objects by CN.
              If entitlements are configured, vetoes commands for users that do not have the racfAccount entitlement.
  Create      Requires the CN attribute for User and Group objects.
              If entitlements are configured, vetoes commands for users that do not have the racfAccount entitlement.
  Placement   Not used.
  Command     If configured to do so, blocks subscribing to password information.
              Converts add commands with nspmDistributionPassword to use the password element.
              Converts modify-attr for nspmDistributionPassword to modify-password.
              If configured to do so, blocks modifies for failed password publish operations.
              If entitlements are configured, processes addition and removal of the racfAccount entitlement according to choices made during installation.
              Adds the password payload to operation data for use in e-mail notification of failures.
  Output      Converts DirXML-RACF-revokedate from eDirectory format to mm/dd/yy.
              Converts DirXML-RACF-password-interval from seconds to days.
              Adds RACF command parameters to RACF-groups.
              Provides default attribute values for new users.
              If configured to do so, notifies users by e-mail of failed password publications.

Publisher Channel

Table 1-4 Preconfigured Sample Policies - Publisher Channel

  Policy      Processing
  ---------   ---------------------------------------------------------------
  Input       Converts DirXML-RACF-revokedate from mm/dd/yy to eDirectory Time format.
              Converts DirXML-RACF-password-interval from days to seconds.
              Removes RACF command parameters from RACF-groups.
              Removes old-password from modify-password events.
              Converts password values (add User and modify-password) to lowercase.
              Converts user ID and group names to lowercase.
              If configured to do so, notifies users by e-mail of failed password subscriptions.
  Event       Not used.
  Matching    If configured to do so, vetoes all operations for objects without an association.
              Matches User and Group objects by CN to eDirectory objects in the specified container.
  Create      Generates Surname from CN for User objects.
              Requires CN and Surname for User objects. Requires CN for Group objects.
  Placement   Places User and Group objects in the specified container.
  Command     If configured to do so, blocks publishing passwords.
              If configured to do so, publishes passwords to nspmDistributionPassword.
              If configured to do so, blocks publishing passwords to the NDS® password.
              Adds the password payload to operation data for use in e-mail notification of failures.

1.4.3 Add and Modify Commands and Events

This section describes how certain attributes of User and Group objects are processed by the preconfigured sample policies for add and modify commands and events. All other schema attributes are passed unchanged if allowed by the filters.

CN - DirXML-RACF-userid and DirXML-RACF-group

The CN attribute of an eDirectory User object is mapped by the Schema Mapping policy with the DirXML-RACF-userid attribute of a RACF User object.

The CN attribute of an eDirectory Group object is mapped by the Schema Mapping policy with the DirXML-RACF-group attribute of a RACF Group object.

Publisher Channel

The CN attribute value for an add event is converted to lowercase by the sample Input policy.

Surname

Surname is a mandatory attribute for an eDirectory User object.

Subscriber Channel

The Subscriber channel does not use the Surname attribute.

Publisher Channel

The sample Publisher Create policy inserts the Surname attribute for an add event, using the value of the CN attribute.

Login Disabled - DirXML-RACF-revoked

Login Disabled and DirXML-RACF-revoked, if set to true, prevent the user from accessing the system.

The Login Disabled attribute of an eDirectory User object is mapped by the Schema Mapping policy with the DirXML-RACF-revoked attribute of a RACF User object.

For details about the interaction of RACF REVOKE and RESUME dates for a user, see your RACF documentation.

Login Expiration Time - DirXML-RACF-revokedate

Login Expiration Time specifies a date and time after which an eDirectory user cannot log in.

DirXML-RACF-revokedate specifies a starting date for when a RACF user cannot enter the system. For details about the interaction of RACF REVOKE and RESUME dates for a user, see your RACF documentation.

The Login Expiration Time attribute of an eDirectory User object is mapped by the Schema Mapping policy with the DirXML-RACF-revokedate attribute of a RACF User object.

Subscriber Channel

If a value for the Login Expiration Time attribute is present in an add or modify command for a User object, the sample Output policy converts the value from eDirectory Time format to the mm/dd/yy format used by RACF.

Publisher Channel

If a value for the DirXML-RACF-revokedate attribute is present in an add or modify event for a User object, the sample Input policy converts the value from the mm/dd/yy format used by RACF to eDirectory Time format.

Password Expiration Interval - DirXML-RACF-password-interval

Password Expiration Interval and DirXML-RACF-password-interval specify how long a password remains valid.

The Password Expiration Interval attribute of an eDirectory User object is mapped by the Schema Mapping policy with the DirXML-RACF-password-interval attribute of a RACF User object.

The eDirectory Password Expiration Interval value is in seconds. The DirXML-RACF-password-interval value is in days, and must be between 1 and 254 inclusive.

Subscriber Channel

If a value for the DirXML-RACF-password-interval attribute is present in an add or modify command for a User object, the sample Output policy converts the value from number of seconds to number of days. If the number of days is less than 1, the value is set to 1. If the number of days is greater than 254, the value is set to 254.

Note that the value actually used by RACF is affected by the value, if any, specified using the INTERVAL operand of the SETROPTS command.

Publisher Channel

If a value for the DirXML-RACF-password-interval attribute is present in an add or modify event for a User object, the sample Input policy converts the value from number of days to number of seconds.
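As an added example (not code from the driver or its sample policies), the four conversions described above for Login Expiration Time and Password Expiration Interval, written in Python. Assumptions: eDirectory Time values travel in XDS documents as integer seconds since the Unix epoch (UTC), the seconds-to-days conversion truncates, and the function names are mine.

```python
# Added example, not the driver's own policy code.
# Assumption: eDirectory Time values are integer seconds since the Unix
# epoch, interpreted as UTC.
from datetime import datetime, timezone

RACF_INTERVAL_MIN = 1     # DirXML-RACF-password-interval lower bound, in days
RACF_INTERVAL_MAX = 254   # upper bound, in days
SECONDS_PER_DAY = 86400


def revokedate_to_racf(edir_time: str) -> str:
    """Subscriber Output policy: eDirectory Time (epoch seconds) -> mm/dd/yy.
    The time of day is dropped; RACF only carries the date."""
    dt = datetime.fromtimestamp(int(edir_time), tz=timezone.utc)
    return dt.strftime("%m/%d/%y")


def revokedate_to_edir(racf_date: str) -> str:
    """Publisher Input policy: mm/dd/yy -> eDirectory Time (epoch seconds).
    Assumption: two-digit years resolve with Python's %y pivot
    (00-68 -> 20xx, 69-99 -> 19xx); RACF's own century rule may differ."""
    dt = datetime.strptime(racf_date, "%m/%d/%y").replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp()))


def interval_to_racf(seconds: str) -> str:
    """Subscriber Output policy: seconds -> whole days, clamped to 1..254
    as RACF requires (assumption: fractional days are truncated)."""
    days = int(seconds) // SECONDS_PER_DAY
    return str(max(RACF_INTERVAL_MIN, min(RACF_INTERVAL_MAX, days)))


def interval_to_edir(days: str) -> str:
    """Publisher Input policy: days -> seconds; the RACF value is already
    within 1..254, so no clamping is needed in this direction."""
    return str(int(days) * SECONDS_PER_DAY)
```

Because the Subscriber conversion keeps only the date, a value that round-trips through RACF comes back as midnight UTC of that day, not the original time.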

Group Membership - DirXML-RACF-groups

The Group Membership attribute of an eDirectory User object lists the groups the user belongs to.

The DirXML-RACF-groups attribute of a RACF User object lists the groups the user belongs to, together with related CONNECT or REMOVE command parameters.

The Group Membership attribute of an eDirectory User object is mapped by the Schema Mapping policy with the DirXML-RACF-groups attribute of a RACF User object.

An add-value to a User object's group membership is processed as a RACF CONNECT command by the Subscriber channel. A remove-value is processed as a RACF REMOVE command. The sample Output policy appends a default set of parameters for these commands to the value element. You can modify these parameters according to your own business requirements. For details, see Section 3.0, Customizing the Driver.

The value element for an add-value to a user's Group Membership constructed by the Publisher channel contains the group name followed by the parameters from the RACF CONNECT command. Similarly, the value element for a remove-value includes parameters from the RACF REMOVE command.

Subscriber Channel

If a DirXML-RACF-groups attribute is present in an add or modify command for a User object, the sample Output policy adds RACF information as follows:

  • For an add-attr, remove-value, or add-value element, if there is no association-ref, the value is discarded.

  • A default set of parameters for the CONNECT (for an add-attr or add-value element) command is appended to each value element. No parameters are added for the REMOVE (for a remove-value element) command by the sample policy, but an example is provided in the comments to guide you if you choose to add your own.

Publisher Channel

If a DirXML-RACF-groups attribute is present in an add or modify event, the sample Input policy operates as follows:

  • The CONNECT or REMOVE command parameters are removed from the group name values.

  • The group name values are converted to lowercase.

1.4.4 Delete Commands and Events

The RACF DELUSER command does not perform access list or resource ownership cleanup when deleting a user. This could result in security exposures if a new user is created with the same name as a deleted user with residual references.

The RACF DELGROUP command does not clean up references to a group from such places as resource access lists, and cannot be used to delete a universal group.

IBM recommends that you use the RACF Remove ID utility (IRRRID00) when deleting users and groups. For more information, see your Security Server RACF Security Administrator's Guide.

Subscriber Channel

The preconfigured sample Subscriber Event policy converts a delete command for a user into a modify command for the user, setting the Login Disabled attribute to true.

The preconfigured sample Subscriber Event policy vetoes delete commands for Group objects.

1.4.5 Rename and Move Commands and Events

RACF does not provide a rename function.

The RACF database is not hierarchical. There is no move function.

Subscriber Channel

The preconfigured sample Subscriber Event policy vetoes rename and move commands. If you change the policies so that rename or move commands reach the Subscriber channel, the Subscriber channel rejects them with an error status.

Publisher Channel

The Publisher channel does not produce rename or move events.

1.4.6 Password Synchronization

Identity Manager uses the nspmDistributionPassword attribute to provide passwords from eDirectory.

The Publisher channel of the driver uses password elements for add events to provide password information. The Publisher channel uses modify-password events for password changes.

You can specify configuration options to control the processing of passwords by the preconfigured sample policies.

For more about Identity Manager password synchronization, see the Identity Manager 3.6.1 Administration Guide at the Identity Manager 3.6.1 Documentation Web site.

Subscriber Channel

Based on configuration options that you specify, the Subscriber Command policy controls the processing of passwords in the Subscriber channel.

  • You can block the subscription of passwords.

For details about configuring password processing options, see Setting Global Configuration Values.

When the password is changed in eDirectory, Identity Manager sends a modify XDS command to the Subscriber channel.

<modify class-name="User" src-dn="\DAL\users\eleu">
  <association>USER\ELEU</association>
  <modify-attr attr-name="nspmDistributionPassword">
    <remove-all-values/>
    <add-value>
      <value>secret</value>
    </add-value>
  </modify-attr>
</modify>

The Subscriber Command policy changes this to a modify-password event.

<modify-password class-name="User" src-dn="\DAL\users\eleu">
    <association>USER\ELEU</association>
    <password>secret</password>
</modify-password>

The Subscriber channel converts this to an ALTUSER TSO command and issues the command through the Telnet interface.

ALTUSER ELEU NOEXPIRED PASSWORD(SECRET)

z/OS requires that passwords be one to eight alphanumeric characters. An installation can define additional password syntax rules. The ALTUSER command rejects invalid or nonconforming passwords.

Publisher Channel

When a RACF user password is changed, either during logon, by the use of the PASSWORD command, or by the ALTUSER command, the RACF Event Subsystem adds a corresponding event to the Change Log data set. The Publisher channel obtains the event and encodes it as an XDS event.

<modify-password class-name="user" src-dn="\ELEU">
    <association>USER\ELEU</association>
    <old-password>GUESS</old-password>
    <password>SECRET</password>
</modify-password>

Based on configuration options that you specify, the Publisher Command policy controls the processing of passwords in the Publisher channel.

  • You can block the publication of passwords.

  • You can specify that passwords be published to nspmDistributionPassword.

  • You can specify that passwords be published to the NDS password.

For details about configuring password processing options, see Setting Global Configuration Values.

For changes to the NDS password in eDirectory, if the old-password element is present, Identity Manager uses the modifyPassword API to modify the password. If the old-password element is not present, Identity Manager uses the GenerateKeyPair API. Note that using GenerateKeyPair can invalidate authentication credentials for any existing session authenticated as the target object.

The preconfigured sample Input policy removes the old-password element from the event.

<xsl:template match="old-password"/>

You can comment this out if you prefer that the modifyPassword API be used. If the ALTUSER command is used to change the password, the old password is not available.

z/OS passwords are case-insensitive. The preconfigured sample Input policy converts passwords to lowercase. If you are using Universal Password, which is case-sensitive, you should consider the handling of passwords by z/OS in your deployment planning.

The modify-password Event After the Input Policy

<modify-password class-name="user" src-dn="\ELEU">
    <association>USER\ELEU</association>
    <password>secret</password>
</modify-password>
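As an added example, not code from the driver or its sample policies, the two password rewrites this section describes (the Subscriber Command policy turning a modify of nspmDistributionPassword into modify-password, and the Publisher Input policy dropping old-password and lowercasing the password), plus a check for the z/OS one-to-eight alphanumeric rule, in Python. The function names are mine, and the sample documents are constructed to mirror the ones shown above.

```python
# Added example, not the driver's own policy code.
import re
import xml.etree.ElementTree as ET

# z/OS rule quoted in the text: one to eight alphanumeric characters.
# Installation-defined syntax rules are not modelled here.
ZOS_PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def zos_password_ok(password: str) -> bool:
    """Check the z/OS syntax rule before a password reaches ALTUSER."""
    return bool(ZOS_PASSWORD_RE.match(password))


def subscriber_command_policy(xds: str) -> str:
    """Subscriber Command policy: a <modify> of nspmDistributionPassword
    becomes a <modify-password> carrying a <password> element."""
    modify = ET.fromstring(xds)
    attr = modify.find("modify-attr[@attr-name='nspmDistributionPassword']")
    if modify.tag != "modify" or attr is None:
        return xds  # not a password change: pass the command through
    out = ET.Element("modify-password", modify.attrib)
    assoc = modify.find("association")
    if assoc is not None:
        out.append(assoc)
    ET.SubElement(out, "password").text = attr.findtext("add-value/value")
    return ET.tostring(out, encoding="unicode")


def publisher_input_policy(xds: str) -> str:
    """Publisher Input policy: drop <old-password>, lowercase <password>."""
    event = ET.fromstring(xds)
    for old in event.findall("old-password"):
        event.remove(old)  # same effect as <xsl:template match="old-password"/>
    for pw in event.findall("password"):
        pw.text = (pw.text or "").lower()  # z/OS passwords are case-insensitive
    return ET.tostring(event, encoding="unicode")


# Constructed sample documents, mirroring those shown in the text.
SUBSCRIBER_MODIFY = """<modify class-name="User" src-dn="\\DAL\\users\\eleu">
  <association>USER\\ELEU</association>
  <modify-attr attr-name="nspmDistributionPassword">
    <remove-all-values/><add-value><value>secret</value></add-value>
  </modify-attr></modify>"""
PUBLISHER_EVENT = """<modify-password class-name="user" src-dn="\\ELEU">
  <association>USER\\ELEU</association>
  <old-password>GUESS</old-password><password>SECRET</password>
</modify-password>"""
```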