System i LDAP

  
Overview Publications Business Partner Info
Introduction   |   Getting started    |   Questions and answers
Overview Information
  1. What is LDAP?
  2. How do I get LDAP on my system and what does it cost?
  3. Where do I find technical information on IBM Directory Server (LDAP)?
  4. What are the V5R1 changes to IBM Directory Server (LDAP)?
  5. What are the V5R2 changes to IBM Directory Server (LDAP)?
  6. What are the post-V5R2 enhancements made to IBM Directory Server (LDAP)?
  7. What are the V5R3 changes to IBM Directory Server (LDAP)?
 
Installation and Configuration
  1. How do I install an LDAP server on my system?
  2. How do I change my LDAP server configuration?
  3. How do I configure my LDAP server to run with AFS Tomcat server?
 
Security
  1. How is LDAP secured?
  2. What is an Access Control List (ACL)?
 
Publishing
  1. How do I publish System Distribution Directory users to LDAP?
  2. Checklist for ensuring you have publishing set up correctly for users
  3. How do I publish i5/OS information to LDAP?
 
 
Overview information answers
  1.   What is LDAP?

    LDAP stands for 'Lightweight Directory Access Protocol'. In 1988, the CCITT (Consultative Committee on International Telephony and Telegraphy) created the X.500 standard, which became ISO 9594, Data Communications Network Directory, Recommendations X.500-X.521 in 1990, though it is still commonly referred to as X.500. X.500 organizes directory entries in a hierarchical name space capable of supporting large amounts of information and specifies that communication between the directory client and the directory server uses the directory access protocol (DAP). However, as an application layer protocol, DAP requires the entire OSI protocol stack to operate. Supporting the OSI protocol stack requires more resources than are available in many small environments.

    Therefore, an interface to an X.500 directory server using a less resource-intensive or lightweight protocol was desired. LDAP was developed at the University of Michigan as a lightweight alternative to DAP (thus the name LDAP). LDAP requires the lighter weight and more popular TCP/IP protocol stack rather than the OSI protocol stack. LDAP also simplifies some X.500 operations and omits some esoteric features.

    LDAP defines a communication protocol. That is, it defines the transport and format of messages used by a client to access data in an X.500-like directory. LDAP does not define the directory service itself. However, when referring to a directory that can be accessed using LDAP, the directory is usually called an LDAP directory. LDAP directories can therefore be implemented in many different ways. IBM implements cross-platform LDAP directories using DB2 and Lotus Domino.

    See Getting started for more information on LDAP. Also see Is LDAP your Directory Solution? For COMMON presentations on LDAP that give an overview of the function, see Presentations.
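    The answer above says that LDAP defines only the transport and format of messages, not the directory behind them. The following added example (it is not code from this page or from IBM Directory Server) shows what that wire format actually looks like: it BER-encodes an LDAP v3 BindRequest by hand, following RFC 4511, and decodes a BindResponse back into its resultCode. All messages are constructed in memory, so it runs without a server; the result-code names are the standard ones from RFC 4511.

```python
# Added example (not code from the IBM page): the LDAP v3 wire format that the
# text describes, hand-encoded in BER (ITU-T X.690) following RFC 4511.
# All bytes are constructed in memory, so it runs offline.
#
# LDAPMessage  ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
# BindRequest  ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
#                      authentication CHOICE { simple [0] OCTET STRING, ... } }
# BindResponse ::= [APPLICATION 1] SEQUENCE { resultCode ENUMERATED, matchedDN LDAPDN,
#                      diagnosticMessage LDAPString, ... }

from typing import Tuple

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80                             # context-specific [0], primitive

# LDAP resultCode values from RFC 4511, Appendix A (subset)
RESULT_CODES = {
    0: "success", 1: "operationsError", 32: "noSuchObject", 34: "invalidDNSyntax",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
    68: "entryAlreadyExists",
}


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (a leading 0x00 is added when the high bit is set)."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def build_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode a simple-authentication BindRequest; empty dn and password make it an anonymous bind."""
    bind = (ber_int(3)                                       # LDAP protocol version 3
            + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))      # name (LDAPDN)
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Encode a BindResponse; used here only to construct sample server replies for offline testing."""
    op = (tlv(TAG_ENUMERATED, bytes([result_code]))
          + tlv(TAG_OCTET_STRING, b"")                        # matchedDN
          + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_RESPONSE, op))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg: bytes) -> dict:
    """Decode an LDAPMessage carrying an LDAPResult-shaped operation (BindResponse and friends)."""
    tag, body, _ = read_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    op_tag, op, _ = read_tlv(body, pos)
    tag, code, pos = read_tlv(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = read_tlv(op, pos)
    _, diagnostic, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "op_tag": op_tag,
        "result_code": rc,
        "result_name": RESULT_CODES.get(rc, "unknown"),
        "matched_dn": matched_dn.decode("utf-8"),
        "diagnostic": diagnostic.decode("utf-8"),
    }


if __name__ == "__main__":
    print(build_bind_request(1, "", "").hex())   # anonymous bind: 300c020101600702010304008000
    print(parse_ldap_result(build_bind_response(1, 53, "unwilling to perform")))
```

    The 14-byte anonymous bind is the same sequence any LDAP v3 client sends before an unauthenticated search, which makes it a handy fingerprint when reading a packet capture of port 389 traffic. Note that the simple-authentication password travels as a plain OCTET STRING, which is why the SSL configuration discussed in the Security section matters whenever a real bind DN is used.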

  2.   How do I get LDAP on my system and what does it cost?

    Since V4R3, LDAP has been included free in i5/OS as part of Directory Services for i5/OS (option 32). Starting with V5R1, Directory Services is automatically included in the base operating system and option 32 is no longer needed. Directory Services includes an LDAP server and complete set of LDAP clients and utilities.

    The LDAP server uses DB2/400 for storing the directory information and is configured using System i Navigator.

    The i5/OS LDAP client supports accessing any LDAP server from all i5/OS ILE programming languages: C, COBOL and RPG. The IBM Directory Server Client SDK for Windows is shipped with i5/OS in the Integrated File System directory /QIBM/UserData/OS400/dirsrv/UserTools/Windows, file setup.exe. To install the client SDK, follow these steps:

    • In System i Navigator, expand File Systems
    • Expand File Shares
    • Double-click Qdirsrv
    • Double-click UserTools
    • Double-click Windows
    • Double-click setup.exe to start installing the client SDK
    • Follow the on-screen instructions to complete the installation

    Command line utilities are provided for accessing an LDAP server from Windows and i5/OS. These utilities are compatible with LDAP utilities provided for other operating systems and allow you to search, add, modify and delete directory information.

  3.   Where do I find technical information on Directory Services (LDAP)?

    The technical articles for Directory Services (LDAP) are found in the Information Center. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'.

  4.   What are the V5R1 changes to IBM Directory Server (LDAP)?

    See What's new for V5R1.

  5.   What are the V5R2 changes to IBM Directory Server (LDAP)?

    See New V5R2 Enhancements.

  6.   What are the post-V5R2 enhancements to IBM Directory Server (LDAP)?

    See New V5R2 Enhancements.

  7.   What are the V5R3 changes to IBM Directory Server (LDAP)?

    See New V5R3 Enhancements.

Installation and Configuration answers
  1.   How do I install an LDAP server on my system?

    See Configuring and Administering your LDAP server for information on installing an LDAP server on your system.

    The Information Center has detailed articles on installing an LDAP server. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Getting Started with Directory Services'. Expand 'Installing and Configuring Directory Services'.

  2.   How do I change my LDAP server configuration?

    See Configuring and Administering your LDAP server for information on changing your LDAP server configuration.

    The Information Center has detailed articles on configuring your LDAP server. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Getting Started with Directory Services'. Expand 'Installing and Configuring Directory Services'.

  3.   How do I configure my LDAP server to run with AFS Tomcat server?
    Run the HTTP Server Wizard
    1. On a System i server running i5/OS V5R3M0, start the HTTP ADMIN instance by entering STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).
    2. In a web browser, open URL http://hostname:2001 where hostname is the TCP/IP host name of the System i server.
    3. Select the IBM Web Administration for System i link on the System i Tasks page.
    4. Select the Setup tab on the top of the page.
    5. Select Create HTTP Server in the left-hand navigation frame.
    6. Enter IDSWEBAPP for the server name and HTTP server for IBM Directory Server Web Administration for the server description. Then press Next.
    7. Make sure the server root is set to /www/idswebapp and press Next.
    8. Make sure the document root is set to /www/idswebapp/htdocs and press Next.
    9. Make sure the IP address is set to All IP addresses. Set the port to 8080 and press Next.
    10. Make sure the new server will use an access log and press Next.
    11. Make sure the server will delete log files based on age after 7 days and press Next.
    12. Press Finish to create the HTTP server.

    Configure AFS Tomcat Settings
    1. Select AFS Tomcat Settings in the left-hand navigation frame.
    2. Select to enable servlets.
    3. Make sure an "in-process" servlet engine is enabled and the Java version is 1.3.
    4. Press OK.
    5. Use PKZIP to extract xerces.jar from IDSWebApp.war.
    6. Use ftp in binary mode to put IDSWebApp.war into /www/idswebapp/webapps and xerces.jar into /www/idswebapp/java/lib.
    7. Select AFS Tomcat Settings in the left-hand navigation frame again.
    8. Add the URL (mount point) /IDSWebApp/*.
    9. Add a Java classpath entry /www/idswebapp/java/lib/xerces.jar and position it directly before /QIBM/ProdData/HTTPA/java/lib/parser.jar.
    10. Add an application context with a URL path /IDSWebApp and application base directory webapps/idswebapp. Select it to be not reloadable.
    11. Press OK.

    Verify HTTP Server is Working Properly
    1. On the System i, start the IDSWEBAPP instance of the HTTP server by entering STRTCPSVR SERVER(*HTTP) HTTPSVR(IDSWEBAPP).
    2. In a web browser, open URL http://hostname:8080/IDSWebApp/IDSjsp/Login.jsp where hostname is the TCP/IP host name of the System i server.
Security answers
  1.   How is LDAP secured?

    To make communications with your LDAP directory server more secure, Directory Services can use Secure Sockets Layer (SSL) security. You can use SSL to communicate with LDAP clients, as well as with replica LDAP servers. SSL is the standard for Internet security. To use SSL, you must have Digital Certificate Manager (DCM), option 34 of i5/OS, installed on your system. DCM provides an interface for you to create and manage digital certificates and key ring files.

    See Information Center for information on SSL. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Directory Services concepts and reference information' and then expand 'Managing ownership and access of directory data'.
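    The answer above says SSL can protect the traffic between LDAP clients, replicas and the server. What it does not spell out is that the client must also verify the server's certificate, or the encryption protects against eavesdropping but not against an impostor server. The following added example (not code from this page or from IBM; the host name, port 636 and CA file path are placeholders) shows the weak client setting beside the hardened one, and performs an anonymous bind over the verified TLS session.

```python
# Added example (not code from the IBM page): client-side TLS settings for an
# LDAPS connection, with the weak configuration beside the hardened one, and a
# small function that performs an anonymous bind over the verified session.
# The host name, CA file path and port 636 are assumptions for illustration; the
# CA file would normally be the certificate exported from DCM for the directory server.

import socket
import ssl
from typing import Optional

# Anonymous LDAP v3 BindRequest (messageID 1) in BER; a constructed constant.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")


def weak_context() -> ssl.SSLContext:
    """Encrypts the session but trusts any certificate, so the client cannot tell the
    real directory server from an impostor on the path. Shown only as the setting to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a certificate that chains to the given CA (or the system store when
    cafile is None), check that it names the host, and refuse versions below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile) if cafile else ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Preflight check a client can run before it opens any connection."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def result_code_from_reply(reply: bytes) -> int:
    """Pull resultCode out of a BindResponse whose BER lengths are all short form
    (always the case for a success response with empty matchedDN and diagnosticMessage):
    30 LL 02 01 ID 61 LL 0a 01 RC ...  ->  RC sits at offset 9."""
    if len(reply) < 10 or reply[0] != 0x30 or reply[5] != 0x61 or reply[7] != 0x0A:
        raise ValueError("unexpected or long-form reply: " + reply.hex())
    return reply[9]


def ldaps_anonymous_bind(host: str, port: int, ctx: ssl.SSLContext) -> int:
    """Open the TLS session, send the anonymous bind and return the server's LDAP resultCode."""
    if not context_is_hardened(ctx):
        raise RuntimeError("refusing to connect with an unverified TLS context")
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname is what the certificate's name check is performed against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(ANON_BIND)
            return result_code_from_reply(tls.recv(4096))


if __name__ == "__main__":
    # Placeholder host and CA path; replace with the directory server's name and the DCM-exported CA.
    code = ldaps_anonymous_bind("ldap.example.com", 636, hardened_context("/path/to/ca.pem"))
    print("bind resultCode:", code)
```

    Two details carry the security value here: `server_hostname` must be the same name that appears in the server's certificate (not an IP address), and the CA file should contain only the issuer you expect for this directory server, so that a certificate from any other trusted CA is still rejected for the wrong name.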

  2.   What is an Access Control List (ACL)?

    An Access Control List (ACL) allows you to manage who can access directory information in your network directory. In many cases, you probably would not want to restrict access to data on your LDAP directory server. For example, an LDAP server on your company Intranet might contain a telephone directory of company employees. You would probably want all employees to be able to view the data in this directory. Imagine, however, that the president of your company does not want all employees to be able to access her telephone number. In that case, you could create an access control list (ACL). With this ACL, you could restrict access to her server entry to only those employees the president wanted to receive calls from.

    See Configuring and Administering your LDAP server for information on ACLs.

    The Information Center has detailed articles on ACLs. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Administering the LDAP directory server' and then expand 'Managing ownership and access of directory data'. You can also find ACL information when you expand 'Directory Services concepts and reference information' and then expand 'Managing ownership and access of directory data'.
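    The telephone-directory scenario in the answer above (everyone reads the directory, but the president's number is visible only to chosen employees) is a good illustration of how entry-level and attribute-level permissions combine. The following added example is not code from this page and does not use IBM Directory Server's ACL syntax; it is a small model of LDAP-style access control with constructed DNs, a constructed employees group and a constructed entry, showing how a default-deny evaluator picks the most specific rule.

```python
# Added example (not code from the IBM page, and not IBM Directory Server's own ACL
# syntax): a small model of LDAP-style access control that reproduces the scenario in
# the answer above. Every employee may read the telephone directory, but the
# president's telephoneNumber is readable only by named employees. DNs, the group
# and the entries are constructed sample data.

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AclRule:
    subject: str               # a bind DN, "group:<group DN>" or "anyone"
    target: str                # entry DN; the rule also covers entries below it
    attribute: Optional[str]   # None = the whole entry, otherwise one attribute
    allow: bool                # True = grant, False = deny
    perms: frozenset           # subset of {"r", "w", "s"} (read, write, search)


def _subject_rank(rule_subject: str, bind_dn: str, groups: Iterable[str]) -> int:
    """0 = no match, 1 = anyone, 2 = group member, 3 = the bind DN itself."""
    s = rule_subject.lower()
    if s == "anyone":
        return 1
    if s.startswith("group:"):
        return 2 if s[len("group:"):] in {g.lower() for g in groups} else 0
    return 3 if bind_dn and s == bind_dn.lower() else 0


def _covers(rule_target: str, entry_dn: str) -> bool:
    e, t = entry_dn.lower(), rule_target.lower()
    return e == t or e.endswith("," + t)


def is_allowed(rules, bind_dn, groups, entry_dn, attribute, perm) -> bool:
    """Default deny. Among matching rules the most specific one wins: attribute-level
    over entry-level, deeper target DN over an ancestor, explicit user over group over
    anyone, and deny over allow when everything else ties."""
    best = None
    for r in rules:
        rank = _subject_rank(r.subject, bind_dn, groups)
        if rank == 0 or not _covers(r.target, entry_dn) or perm not in r.perms:
            continue
        if r.attribute is not None and r.attribute.lower() != attribute.lower():
            continue
        spec = (r.attribute is not None, len(r.target), rank, not r.allow)
        if best is None or spec > best[0]:
            best = (spec, r.allow)
    return best is not None and best[1]


def visible_attributes(rules, bind_dn, groups, entry_dn, entry):
    """What a search result for `entry` would contain for this caller."""
    return {a: v for a, v in entry.items()
            if is_allowed(rules, bind_dn, groups, entry_dn, a, "r")}


# --- constructed sample data --------------------------------------------------
PEOPLE = "ou=people,o=DeltaCorp,c=US"
EMPLOYEES = "cn=employees,o=DeltaCorp,c=US"
PRESIDENT = "cn=Pat President," + PEOPLE
ASSISTANT = "cn=Chris Assistant," + PEOPLE
STAFF = "cn=Sam Staff," + PEOPLE

RULES = [
    # employees may read and search the whole people subtree ...
    AclRule("group:" + EMPLOYEES, PEOPLE, None, True, frozenset("rs")),
    # ... but not the president's telephone number ...
    AclRule("group:" + EMPLOYEES, PRESIDENT, "telephoneNumber", False, frozenset("r")),
    # ... except for the one employee the president wants calls from
    AclRule(ASSISTANT, PRESIDENT, "telephoneNumber", True, frozenset("r")),
]

PRESIDENT_ENTRY = {"cn": "Pat President", "mail": "pat@deltacorp.example",
                   "telephoneNumber": "+1 555 0100"}


if __name__ == "__main__":
    print(visible_attributes(RULES, STAFF, [EMPLOYEES], PRESIDENT, PRESIDENT_ENTRY))
    print(visible_attributes(RULES, ASSISTANT, [EMPLOYEES], PRESIDENT, PRESIDENT_ENTRY))
    print(visible_attributes(RULES, "", [], PRESIDENT, PRESIDENT_ENTRY))
```

    The point to check in any real ACL design is the default: with no matching rule the model above denies, so an anonymous bind sees nothing even though every employee sees the directory. The precedence order is the example's own choice; the product's documentation (see the Information Center references above) defines the actual rules for IBM Directory Server.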

Publishing answers
  1.   How do I publish System Distribution Directory users to LDAP?

    In V4R3 and later, you can publish users from the system distribution directory to an LDAP server and keep the LDAP directory synchronized with changes made in the system distribution directory. You can then use the information that you publish in LDAP from applications like the Netscape Messenger Mailbox using the 'Search directory' function, or from other LDAP applications that access address book information.

    See Publishing System i System Distribution Directory to LDAP for an article published in System i Magazine on how to publish users to LDAP.

    For more information, see Information Center - in 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Administering the LDAP directory server', 'Moving LDAP directory data between systems' and then 'Publishing user information to the directory server'.

  2.   Checklist for ensuring you have publishing set up correctly for users

    See How do I publish System Distribution Directory users to LDAP?.

    Also you can do the following to verify you have everything set up correctly.

    1. Is TCP/IP configured on your system? From the command line, enter CHGTCPDMN and press F4. Ensure the host and domain name are set. From the command line, enter CHGSMTPA and press F4. Verify the user ID delimiter and press the 'Enter' key. If the LDAP server is on i5/OS, can you ping the system? If not, your domain name server or your host table may not be set up correctly. If you have a long TCP/IP name in your host table (CFGTCP option 10), you may want to try the short name.
    2. Do you have an LDAP server configured? Publishing can be done to an LDAP server on i5/OS or to LDAP servers on other IBM platforms. Ensure you know the administrator DN and password that you used to configure the LDAP server. See Configuring and Administering your LDAP server for information on installing an LDAP server on your system.
    3. Is the LDAP server active? If the LDAP server is on i5/OS, you can check this with the command WRKACTJOB SBS(QSYSWRK): if the job QDIRSRV is listed in SELW status, the LDAP server is active and ready for requests.
    4. From the PC on which you run Operations Navigator, can you ping the system the LDAP server is on? If not, you need to update the TCP/IP Hosts file (see Windows help for "HOSTS file").
    5. Did you configure the 'Directory Services' property in Operations Navigator for the system whose users you are publishing? If not, in Operations Navigator select the system and right-click to get 'Properties'. Select the 'Directory Services' tab. For V4R4 and later, select 'Users' and then press the 'Configure' button. Fill in the information. Ensure the name of the server is an IP host name and not a hardcoded IP address.
    6. Did you press the 'Verify' button on the 'Directory Services' property page, and did you enter the LDAP administrator DN and password, or those of another user that you have given administrator authorization to? For example, the default LDAP administrator DN is 'cn=administrator'. The administrator DN was specified when you set up your LDAP server. Did you get a successful confirmation back from the 'Verify' button? This does two things for you: one, it verifies that the DN and password you entered are valid; and two, it creates an entry on the LDAP server for the publishing of users if it does not exist (if you responded 'Yes' to the question 'Directory path does not exist. Would you like to create it?').
    7. If you get the error 'xxx could not be created. Enter a different path or create the path manually in your directory', this indicates either that the suffix does not exist on the server or that directory data for the parent DN does not exist.

      If you are not publishing directly to one of the suffixes you specified on the LDAP server, does your LDAP server have directory data for the suffix that you want to publish to? For example, if you set up a suffix of 'o=DeltaCorp,c=US', but you want to publish to 'cn=users,o=DeltaCorp,c=US', do you have the directory data for the 'o=DeltaCorp,c=US' suffix on the server (also called the parent DN)? To create the parent DN data, you can specify the suffix (i.e. o=DeltaCorp,c=US) as the directory path and press the 'Verify' button. This will create the parent DN. You can then specify the directory path below this parent DN (i.e. cn=users,o=DeltaCorp,c=US) and press the 'Verify' button again.

    8. If you get message GLD0301 with return code 53 when attempting to publish to the LDAP server, you probably have the 'Allow directory updates' property of the Directory Services server unchecked. In Operations Navigator, on the 'General' page of the Directory Services properties, ensure the box for 'Allow directory updates' is checked.
    9. For V4R3: Did you call the QGLDSSDD API correctly? The correct call is "CALL PGM(QDIRSRV/QGLDSSDD) PARM(*ALL 'LDAPuserid' 'LDAPpassword' 'SSLkeyring' 'SSLpassword' 0)" for the first call and "CALL PGM(QDIRSRV/QGLDSSDD) PARM(*CHG 'LDAPuserid' 'LDAPpassword' 'SSLkeyring' 'SSLpassword' 0)" for any changes from the SDD to be applied. The 'LDAPuserid' should be the same DN that you entered in the 'Verify' step above, because that user and password have been verified. If you do not have SSL, specify '0' for those parameters. Also, ensure you specify single quotes as the example shows.

      So for example, "CALL PGM(QDIRSRV/QGLDSSDD) PARM(*ALL 'cn=administrator' 'secretpassword' 0 0 0)" is a valid call if you do not need SSL.

      In V4R4 and later, the call to the QGLDSSDD api is done automatically when you configure publishing for users.

    10. If you are not successful in publishing users, check errors from the ldap server. If the ldap server is on i5/OS, you can do this using WRKACTJOB SBS(QSYSWRK) and specify option 5 for the QDIRSRV job listed.
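    Item 7 of the checklist gives two reasons for the 'xxx could not be created' error: the suffix is not configured on the server, or a parent DN has no directory data yet. The following added example (not code from this page or from IBM) turns that diagnosis into an offline check: given the server's suffixes and the entries that already exist, it names the ancestor that has to be created (verified) first. The DNs follow the DeltaCorp example from the checklist; the entry lists are constructed.

```python
# Added example (not code from the IBM page): an offline check for item 7 of the
# checklist above. Given the suffixes configured on the server and the entries that
# already exist, it reports which ancestor of the publishing path is missing, which is
# the DN to put in the 'Directory Services' property and 'Verify' first. The suffix and
# paths follow the DeltaCorp example in the answer; the entry lists are constructed.

from typing import Iterable, List


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not escaped with a backslash (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, lower-cased."""
    return ",".join(split_rdns(dn)).lower()


def ancestors(dn: str) -> List[str]:
    """Parent DNs from the immediate parent up to the last RDN."""
    rdns = split_rdns(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def _under_suffix(dn: str, normalized_suffixes: Iterable[str]) -> bool:
    n = normalize(dn)
    return any(n == s or n.endswith("," + s) for s in normalized_suffixes)


def publishing_precheck(target: str, suffixes: Iterable[str], existing: Iterable[str]) -> dict:
    """Mirror the two causes the checklist gives for 'xxx could not be created':
    the suffix is not configured, or a parent DN has no directory data yet."""
    suf = {normalize(s) for s in suffixes}
    have = {normalize(e) for e in existing}
    chain = [dn for dn in [target] + ancestors(target) if _under_suffix(dn, suf)]
    if not chain:
        return {"ok": False, "reason": "suffix does not exist on the server", "create_first": None}
    # Walk the parents from the suffix downward; the first one without data is the one to create.
    for parent in reversed(chain[1:]):
        if normalize(parent) not in have:
            return {"ok": False, "reason": "directory data for the parent dn does not exist",
                    "create_first": parent}
    return {"ok": True, "reason": "parent dn exists", "create_first": None}


if __name__ == "__main__":
    suffixes = ["o=DeltaCorp,c=US"]
    print(publishing_precheck("cn=users,o=DeltaCorp,c=US", suffixes, []))
    print(publishing_precheck("cn=users,o=DeltaCorp,c=US", suffixes, ["o=DeltaCorp,c=US"]))
```

    The `existing` list stands in for what an LDAP search with base scope would return for each ancestor; in practice you would feed it from such searches run as the publishing DN, which also confirms that the DN has the rights the 'Verify' step relies on.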
  3.   How do I publish i5/OS information to LDAP?

    You can configure your system to publish certain i5/OS information into an LDAP directory server on the same i5/OS or on a different i5/OS. This information will then automatically be published to the LDAP directory server when this information is changed on the i5/OS system.

    In V4R4 and later, you can publish information about computers on your network. Additionally, you can incorporate publishing to the LDAP directory server into your own programs to publish other types of information.

    See Information Center for information on publishing. In 'Information Center' specify the release and language you want, expand 'Networking', then select 'Directory Services (LDAP)'. Expand 'Administering the LDAP directory server' and then expand 'Moving LDAP directory data between systems'. This information will be available at V4R4 GA.
