Starting with z/VM Version 5.3, IBM delivered a lightweight directory access Protocol (LDAP) server as a component of tCP/IP. It’s based on the LDAP server provided with z/oS, IBM Tivoli Directory Server (ITDS). on z/VM 5.3, the LDAP server is equivalent to that running on z/OS Version 1.8; on z/VM 5.4, it’s based on the package running on z/OS Version 1.10.
This article discusses how to configure the LDAP server on z/VM and how to integrate it into a Linux security infrastructure. Refer to the references for additional information about LDAP itself. We’ll get right into LDAP on z/VM.
The LDAP server for z/VM has several outstanding features. It provides multiple database back-ends and allows for version 2 or 3 LDAP clients. Multiple authentication methods are available, including CRAM-MD5, Digest-MD5, and simple authentication. Secure transmissions can be handled with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The LDAP server also supports referrals, aliases, directory access controls, and change logging. Password and password phrase verification can optionally be performed by the z/VM RACF security server.
LDAP on z/VM provides multiple “back-ends,” which is essentially a database manager, not in the traditional sense, but typically a high-performance method to access the data the LDAP server needs to store. The back-ends available are:
• Lightweight Database Manager (LDBM) is the easiest to set up and use. It stores directory information in the z/VM Byte File System (BFS) and keeps the LDAP data in memory during its operation for very fast access, writing it to disk when necessary.
• Secure Database Manager (SDBM) provides a more comprehensive interface to RACF. In addition to LDAP functionality, RACF Security server operations can actually be performed via LDAP, adding, altering, and deleting users or groups, connecting users to groups, removing users from groups, and searching the RACF database.
• The GNU Database Manager (GDBM) back-end is used for auditing changes to the LDAP server.
The LDAP server on z/VM is implemented as a virtual machine called LDAPSRV. It runs under control of the TCP/IP virtual machine, which means TCP/IP can start it. It also requires certain definitions in PROFILE TCPIP and the DTCPARMS files, both of which are delivered with the sample files. LDAPSRV uses TCP/IP port 389 for regular data transfer and port 636 for secure data transfer.
Figure 1 shows the parts of the IBM DTCPARMS file from z/VM that relate to the LDAP server. You can probably leave it intact unless you’re running multiple LDAP servers. Of special note in the file are the mount statement and External Security Manager (ESM) parameters. The mount statement puts various parts of the byte file system into directory structures for use by the LDAP server (like the mount command on Linux). The ESM_Enable tag is used to indicate that RACF is to be used with LDAP.