3.4 Advanced Topics

This section discusses additional information that can be of interest as you develop your customization plan. Topics include

3.4.1 Using the Subscriber Channel Command Class

Besides the z/OS RACF schema User and Group classes, which are mapped to their eDirectory counterparts, the Subscriber channel of the driver supports the Command class. You can use the Command class in your policies to issue arbitrary TSO commands.

The Subscriber channel processes XDS add commands for class Command. The text value of the type="string" value element of an add-attr element is executed as a TSO command through the Telnet interface.

You can use this facility to perform custom processing on the z/OS system for eDirectory events.

How the Driver Processes the Command Class

  • You can specify as many add-attr elements in one XDS add command as necessary.

  • Only one value element is processed for each add-attr element.

  • The text value of the value element is issued as a TSO command through the Telnet interface by the administrative user ID using the LDXISSUE command.

  • You can specify any TSO command, CLIST, or REXX exec as the command to be executed.

    NOTE: You must modify the LDXPROC logon procedure used by the administrative user ID to provide any DD statements required by your processing.

  • The response from the command is returned in the status document from the driver.

  • The attr-name of the add-attr element is ignored.

  • Elements other than add-attr are ignored.

  • XDS commands other than add are ignored.

Command Class Example

<add class-name="Command" event-id="1234">
  <add-attr attr-name="MAKEUSER">
    <value type="string">%MAKEUSER GURNEY</value>
  </add-attr>
</add>
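Because every Command-class value is executed as a TSO command under the administrative user ID, it is worth being able to preview exactly which commands a policy's output would cause the driver to issue before the policy is deployed. The following Python script is an added example, not code from the driver or from Novell; it applies the processing rules listed above (only add commands of class Command, only add-attr children, only the first value per add-attr, attr-name ignored) to an XDS document. The sample document is constructed for this example and assumes the usual `<nds><input>` wrapper; the function also accepts a bare `<add>` element as the root.

```python
import xml.etree.ElementTree as ET

# Constructed sample XDS document (not from the original page). It contains one
# Command-class add with two add-attr elements, an add of another class and a
# modify of class Command; the Subscriber channel ignores the last two entirely.
SAMPLE_XDS = """<nds dtdversion="2.0">
  <input>
    <add class-name="Command" event-id="1234">
      <add-attr attr-name="MAKEUSER">
        <value type="string">%MAKEUSER GURNEY</value>
      </add-attr>
      <add-attr attr-name="any-name-is-ignored">
        <value type="string">LISTUSER GURNEY</value>
        <value type="string">LISTUSER PAUL</value>
      </add-attr>
      <operation-data>not an add-attr, so ignored</operation-data>
    </add>
    <add class-name="User" event-id="1235">
      <add-attr attr-name="CN"><value type="string">PAUL</value></add-attr>
    </add>
    <modify class-name="Command" event-id="1236">
      <modify-attr attr-name="x">
        <add-value><value type="string">LISTUSER PAUL</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""


def extract_tso_commands(xds_xml: str) -> list:
    """Return (event-id, command) pairs that the Subscriber channel would issue
    as TSO commands for the given XDS document, per the rules on this page."""
    root = ET.fromstring(xds_xml)
    issued = []
    # iter() includes the root itself, so a bare <add> document also works.
    for add in root.iter("add"):                      # XDS commands other than add are ignored
        if add.get("class-name") != "Command":        # only class Command is a TSO command
            continue
        for add_attr in add.findall("add-attr"):      # elements other than add-attr are ignored
            values = add_attr.findall("value")        # attr-name is ignored
            if not values:
                continue
            text = (values[0].text or "").strip()     # only the first value element is processed
            if text:
                issued.append((add.get("event-id", ""), text))
    return issued


if __name__ == "__main__":
    for event_id, command in extract_tso_commands(SAMPLE_XDS):
        print(f"event-id {event_id}: {command}")
```

Run the script against the output of a policy test (for example, a trace of the document as it leaves the Output Transformation) to see the command list; each event-id can then be matched to the response that comes back in the driver's status document.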

3.4.2 Using the RACF Query Processor

The RACF Query Processor is called by Identity Manager during migration and by other processing.

You can use the RACF Query Processor for your own purposes as required.

Queries for Scope Entry

Queries to the RACF Query Processor for a single user are processed using the RACF LISTUSER command for that user. Queries to the RACF Query Processor for a single group are processed using the RACF LISTGRP command for that group.

Queries for Scope Other Than Entry

Queries to the RACF Query Processor that are not limited to just a single base entry use the RACF LISTUSER * or RACF LISTGRP * command, depending on the class. These commands return information for all profiles of the class. The RACF Query Processor then returns the information requested by the query.

If you use the RACF Query Processor with a scope other than entry, you should expect the query to take a long time, possibly many hours.

3.4.3 Using Java Utility Class DateConv

The Novell Identity Manager driver for z/OS RACF includes the Java utility class DateConv. DateConv is used by the starter set sample policies for date conversion. You can use this class for your own purposes.

To use DateConv in your policies:

  1. Add a namespace declaration as shown in the following example taken from the Input Transformation policy.

    xmlns:util="http://www.novell.com/nxsl/java/com.Omnibond.nds.dirxml.util.DateConv"
    
  2. Call the desired method as shown in the following example taken from the Input Transformation policy.

    <xsl:value-of select="util:racfToEdirTime(.)"/>
    

Overview

The Schema Mapping policy maps the Login Expiration Time attribute of an eDirectory User object to the RACF-revokedate attribute of a RACF User object. RACF represents dates in the mm/dd/yy format, while eDirectory uses the number of seconds since the beginning of 1970.

The Java DateConv class is provided for transforms to use in converting date values between these formats.

The following sections describe the methods of DateConv.

edirToRacfDate

public static String edirToRacfDate(String seconds)

Returns a date in the mm/dd/yy format used by the RACF ALTUSER command RESUME and REVOKE parameters. The input is assumed to be an eDirectory Time value, coded as a string.

Parameters

seconds - String value of number of seconds since 1970-01-01 00:00 UTC

Returns

String value mm/dd/yy local time

Example

edirToRacfDate("1068440400")

Returns the string 11/10/03.

Notes

If an exception occurs, a string of 00/00/00 is returned. This can happen if the input string cannot be converted to a number.

racfToEdirTime

public static String racfToEdirTime(String mmddyy)

Returns an eDirectory Time value as a string. The input is assumed to be the date value in the format mm/dd/yy, specified for the RESUME or REVOKE parameter of a RACF ALTUSER command.

Parameters

mmddyy - String value representing a date in the form mm/dd/yy

Returns

String value of number of seconds since 1970-01-01 00:00 UTC

Example

racfToEdirTime("11/10/03")

Returns the string 1068440400.

Notes

If an exception occurs, a string of 0 is returned. If the input string cannot be parsed into three strings using a '/' as a separator, a string of 000 is returned.

RACF interprets the two-digit year value as being in the range 1971–2070.

eDirectory Time values appear to be limited to the integer (int) number of seconds since 1970-01-01 00:00 UTC. This overflows on 2038-01-18. Novell utilities limit Login Expiration Time to not exceed the year 2037. A RACF date beyond 2037 is set to 2037-12-31.

No explicit conversion is performed between UTC and local time. The RACF date values are local time. The result corresponds to the default time zone of the default locale.
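The documented behaviour of both DateConv methods (the error strings 00/00/00, 0 and 000, the 1971 to 2070 two-digit year window, the clamp to 2037-12-31, and the local-time interpretation) is easy to get wrong when writing a replacement or a test harness. The following Python functions are an added example, not the Novell DateConv class and not its source; they reimplement the documented semantics so that the sample values in the edirToRacfDate and racfToEdirTime sections can be reproduced. The Java class uses the JVM default time zone; these functions take an explicit tzinfo instead, and the fixed UTC-5 offset EASTERN_STANDARD is a constructed assumption that reproduces the page's example values (11/10/03 and 1068440400), which correspond to US Eastern Standard Time.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional

# Constructed assumption for this example: a fixed UTC-5 offset. The documented
# sample values (11/10/03 <-> 1068440400) are consistent with this zone.
# Passing tz=None uses the local zone, as the Java class uses the JVM default.
EASTERN_STANDARD = timezone(timedelta(hours=-5))

# eDirectory Time is a 32-bit int; the page says RACF dates beyond 2037 are
# set to 2037-12-31, which keeps the result below the 2038 overflow.
MAX_YEAR = 2037
CAPPED_DATE = (MAX_YEAR, 12, 31)


def edir_to_racf_date(seconds: str, tz: Optional[tzinfo] = None) -> str:
    """Mirror of edirToRacfDate: eDirectory Time (seconds since 1970-01-01 00:00 UTC,
    coded as a string) -> mm/dd/yy date in the given zone. Any conversion error
    (e.g. a non-numeric string) yields "00/00/00", as documented."""
    try:
        when = datetime.fromtimestamp(int(seconds), tz)
        return when.strftime("%m/%d/%y")
    except (ValueError, OverflowError, OSError):
        return "00/00/00"


def racf_to_edir_time(mmddyy: str, tz: Optional[tzinfo] = None) -> str:
    """Mirror of racfToEdirTime: mm/dd/yy date (midnight in the given zone) ->
    eDirectory Time as a string. "000" if the input does not split into exactly
    three fields on '/', "0" on any other error, as documented."""
    parts = mmddyy.split("/")
    if len(parts) != 3:
        return "000"
    try:
        month, day, yy = (int(p) for p in parts)
        if not 0 <= yy <= 99:
            raise ValueError("two-digit year expected")
        # RACF interprets the two-digit year as lying in 1971..2070.
        year = 1900 + yy if yy >= 71 else 2000 + yy
        if year > MAX_YEAR:                 # clamp, as the documented class does
            year, month, day = CAPPED_DATE
        # A naive datetime (tz=None) is treated as local time by timestamp().
        midnight = datetime(year, month, day, tzinfo=tz)
        return str(int(midnight.timestamp()))
    except (ValueError, OverflowError, OSError):
        return "0"


if __name__ == "__main__":
    print(edir_to_racf_date("1068440400", EASTERN_STANDARD))   # 11/10/03
    print(racf_to_edir_time("11/10/03", EASTERN_STANDARD))     # 1068440400
    print(racf_to_edir_time("01/01/50", EASTERN_STANDARD))     # clamped to 2037-12-31
```

The explicit tz parameter is the one deliberate departure from the documented class: with tz=None the functions behave like DateConv (local time of the host), while a fixed zone makes the results reproducible on any machine, which matters when the same policy is tested on a workstation in one zone and deployed to a z/OS host in another.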