Synchronize System Distribution Directory to LDAP

You can publish users from the system distribution directory to an LDAP server and keep the LDAP directory synchronized with changes made in the system distribution directory. You can then use the information that you publish in LDAP from applications like the Netscape Messenger Mailbox using the 'Search directory' function or from other LDAP applications that access address book information.

The complete article with graphics can be found in the July 1999 issue of 'System i Magazine'.


Changes made in LDAP are not published back to the system distribution directory. The types of users that are published from the system distribution directory are local users and remote users with an SMTP address. Shadowed users and remote users that do not have an SMTP address are not published. Publishing is done to one LDAP server and one directory path.

System Distribution Directory to LDAP mapping

LDAP uses the distinguished name (DN) as the unique name for an entry. For the system distribution directory entries in LDAP, the DN is the common name (cn) combined with the directory path that is configured. i5/OS supports LDAP version 2 in V4R3 and V4R4. This means that NLS characters are not supported: LDAP version 2 supports only the IA5 character set (characters A-Z, 0-9 and some special characters). In V4R5 and later, LDAP version 3 is supported, which supports all NLS characters.

The system distribution directory entry is exported to the LDAP directory by using the inetOrgPerson object class (and the ePerson object class in V4R4). The following table describes the mapping of system distribution directory fields to attributes of the inetOrgPerson and ePerson object class.

System distribution directory field    LDAP attribute
-----------------------------------    ------------------------------
User profile                           uid
Descriptions                           description
Last name                              sn (surname), cn (common name)
First name                             givenName, cn (common name)
Preferred name                         cn (common name)
Full name                              cn (common name)
User ID                                cn (common name)
Department                             departmentNumber
Job title                              title
Telephone number 1 & 2                 telephoneNumber
FAX telephone number                   facsimileTelephoneNumber
Office                                 roomNumber
Address lines 1-4                      registeredAddress
SMTP name                              mail

The common name will use the following formats:

  • 'First name' 'Middle Name' 'Last name'
  • 'Preferred name' 'Last name'
  • 'Full name'
  • 'UserID'

So for example, a user with the first name 'Jonathan', preferred name 'John', middle name 'T.', last name 'Smith' and user ID 'JSMITH' would have the common names:

  • cn=Jonathan T. Smith
  • cn=John Smith
  • cn=Smith, Jonathan T. (John)
  • cn=JSMITH

The distinguished name is the first common name (cn) combined with the directory path. So for example, if the directory path is 'ou=chicago, o=acme, c=us', the distinguished name (dn) for this user would be 'cn=Jonathan T. Smith,ou=chicago, o=acme, c=us'.

If you have two users in the system distribution directory that resolve to the same dn, they will overlay each other in the LDAP server. Sometimes overlaying names is what you want, for example when you are merging multiple i5/OS SDDs into one LDAP server. If you have different users with the same name, ensure they have different distinguished names so that they do not overlay each other.

Setting Up and Administering Publishing Users

There are some differences in how you set up and administer publishing of system distribution directory users to LDAP in V4R3 and V4R4 or later. In V4R3, it involves a manual call to an API, whereas in V4R4 or later, this is automatic.

Step 1) Ensure TCP/IP is configured on your System i. Type CHGTCPDMN on the command line, press F4, and ensure the host name and domain name are set.

Step 2) Ensure SMTP information is configured. Type CHGSMTPA on the command line, press F4, and verify the user ID delimiter. You must press Enter, as this sets the SMTP default information that may be needed for publishing the mail information to LDAP if the user does not have SMTP information in their system distribution directory entry.

Step 3) In System i Operations Navigator, from the initial display of systems, select the system you want to configure, right-click the system name and select 'Properties'. Then select the 'Directory Services' page.

For V4R3, you will need to enter the LDAP server, directory path, port number and optionally SSL information in the 'Directory Services' dialog. Also ensure you press the 'Verify' button to verify that the directory path you specified exists on the LDAP server. If it does not exist, you will be prompted to create the path. If you do not create the path, publishing will not be successful!

For V4R4 or later, select 'Users' from the list that is displayed and then configure your information. Ensure the distinguished name specified under 'Server connection' has sufficient authority to add, change, and remove entries in the LDAP directory. Also ensure you press the 'Verify' button to verify that the directory path you specified exists on the LDAP server. If it does not exist, you will be prompted to create the path. If you do not create the path, publishing will not be successful!

Step 4) For V4R4 or later, publishing users is automatically done, so your setup and administration is now complete. For V4R3, you need to do the following:

Call the Synchronize System Distribution Directory to LDAP API with the *ALL option value.

From the command line, type:

CALL PGM(QDIRSRV/QGLDSSDD) PARM(*ALL 'LDAPuserID' 'LDAPpassword' 'SSLkeyring' 'SSLpassword' 0)

The LDAP user ID must have sufficient authority to add, change, and remove entries in the LDAP directory. If SSL is not configured for the directory server, specify 0 for both SSLkeyring and SSLpassword.

For example, if your LDAP user ID is 'cn=Administrator' and the password is 'xyz' and SSL is not needed, you would do the following:

CALL PGM(QDIRSRV/QGLDSSDD) PARM(*ALL 'cn=Administrator' 'xyz' 0 0 0)

Periodically call QGLDSSDD with the *CHG option to synchronize the LDAP directory with changes made in the system distribution directory. The command to synchronize the LDAP directory is:

CALL PGM(QDIRSRV/QGLDSSDD) PARM(*CHG 'LDAPuserID' 'LDAPpassword' 'SSLkeyring' 'SSLpassword' 0)

Put this call in a CL program and run it from a job schedule entry so that it runs at a scheduled frequency. Use the Add Job Schedule Entry (ADDJOBSCDE) command or the Work with Job Schedule Entries (WRKJOBSCDE) command to schedule jobs automatically. When you move to V4R4, this is no longer needed, as publishing of users is done automatically.

Publishing system distribution directory users to a non-System i LDAP server

You can publish system distribution directory users to an LDAP server that is not on a System i or iSeries. The LDAP server needs to have the inetOrgPerson, Publisher, and ePerson (V4R4 only) object classes defined in the schema file on that server. These object classes are used in LDAP to store the system distribution directory information. Documentation on the inetOrgPerson and Publisher object classes can be found in the Information Center, and information on ePerson can be found in the IBM Directory Server (formerly IBM SecureWay Directory) documentation. You can also find the object classes in the LDAP schema files on the System i in the directory /QIBM/ProdData/OS400/DirSrv, in the files:

  • UsrOC.txt for inetOrgPerson (V4R3 & V4R4) and publisher (V4R3)
  • IBMOC.txt for publisher (V4R4) and ePerson (V4R4)
Preventing select system distribution directory users from being published

In V4R4, you can prevent specific users from being published. Some entries are prevented automatically from being published to LDAP. They are the *ANY system distribution directory entries and some other IBM-supplied entries starting with Q (QSECOFR, QDOC, QSYS, QDFTOWN, QUSER for example). A specific user can be prevented from being published to LDAP by doing the following:

1) Add the user-defined field QREPL QLDAP to the system distribution directory. This only needs to be done once per system. Enter the command:

CHGSYSDIRA USRDFNFLD((QREPL QLDAP *ADD *DATA 4))

2) Specify *NO as the value for the QREPL QLDAP user-defined field for those users that you do not want to replicate to LDAP. Any other value or absence of the QREPL QLDAP user-defined field will replicate the user.

It is recommended that you either leave the QREPL QLDAP value blank or specify *YES if you want the user to be replicated. For example, using Work with Directory Entries (WRKDIRE), take option 1 to add a user or option 2 to change a user, then press F20 to specify user-defined fields. When using the ADDDIRE or CHGDIRE commands, specify the USRDFNFLD((QREPL QLDAP *NO)) parameter to prevent the user from being replicated. If the user is already replicated to LDAP and *NO is specified in the QREPL QLDAP user-defined field, the user will be deleted from the LDAP directory. Likewise, if the value of the QREPL QLDAP user-defined field is changed to anything but *NO, the user will be added to the LDAP directory.
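The following is an added example, not IBM's code or part of the QGLDSSDD API: it models the cn/DN construction from the mapping section above together with the exclusion rules of this section (*ANY and the listed IBM Q entries, QREPL QLDAP *NO, remote users without an SMTP address), so an administrator can preview the DNs a synchronization would produce and spot users that would overlay each other. The directory path and the sample users (other than the page's Jonathan T. Smith) are constructed; the dictionary field names are this example's own.

```python
from collections import defaultdict
BASE = "ou=chicago, o=acme, c=us"  # directory path from the page's example
SKIPPED_IDS = {"*ANY", "QSECOFR", "QDOC", "QSYS", "QDFTOWN", "QUSER"}  # entries the page lists

def common_names(u):
    """cn values in the order the page lists them; the first one forms the DN."""
    cns = []
    if u.get("first") and u.get("last"):
        cns.append(" ".join(p for p in (u["first"], u.get("middle"), u["last"]) if p))
    if u.get("preferred") and u.get("last"):
        cns.append(f"{u['preferred']} {u['last']}")
    if u.get("full"):
        cns.append(u["full"])
    cns.append(u["userid"])
    return cns

def is_published(u):
    """Exclusions the page states: *ANY / IBM Q entries, QREPL QLDAP *NO, remote users without SMTP."""
    if u["userid"].upper() in SKIPPED_IDS:
        return False
    if u.get("udf", {}).get("QREPL QLDAP", "").strip().upper() == "*NO":
        return False
    return not (u.get("remote") and not u.get("smtp"))

def to_ldap(u, base=BASE):
    """inetOrgPerson attributes for one SDD entry, following the page's mapping table."""
    cns = common_names(u)
    entry = {"dn": f"cn={cns[0]},{base}", "cn": cns,
             "uid": u.get("profile", u["userid"]), "sn": u["last"], "givenName": u.get("first")}
    if u.get("smtp"):
        entry["mail"] = u["smtp"]
    return entry

def dn_collisions(users, base=BASE):
    """{dn: [userids]} for published users that would overlay each other in the LDAP server."""
    by_dn = defaultdict(list)
    for u in users:
        if is_published(u):
            by_dn[to_ldap(u, base)["dn"]].append(u["userid"])
    return {dn: ids for dn, ids in by_dn.items() if len(ids) > 1}

# Constructed sample directory: the page's Jonathan T. Smith plus three test entries.
USERS = [
    {"userid": "JSMITH", "first": "Jonathan", "middle": "T.", "preferred": "John",
     "last": "Smith", "full": "Smith, Jonathan T. (John)", "smtp": "jsmith@acme.example"},
    {"userid": "JTSMITH", "first": "Jonathan", "middle": "T.", "last": "Smith"},  # same DN as JSMITH
    {"userid": "QSECOFR", "last": "Officer"},                                     # IBM-supplied, skipped
    {"userid": "BJONES", "first": "Bob", "last": "Jones", "udf": {"QREPL QLDAP": "*NO"}},
]
```

Running dn_collisions(USERS) reports the single DN 'cn=Jonathan T. Smith,ou=chicago, o=acme, c=us' as shared by JSMITH and JTSMITH, while QSECOFR and BJONES are filtered out before the check.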

Resources

LDAP documentation - in 'Information Center' specify the language you want, expand 'Networking', then select 'Directory Services (LDAP)'. For information on publishing user information, expand 'Administering the LDAP directory server', 'Moving LDAP directory data between systems' and then 'Publishing System i user information to the directory server'.

  • V4R3 LDAP publishing documentation
  • V4R4 LDAP publishing documentation

QGLDSSDD API - in 'Online Library' specify the language you want, select the release, search all books and input 'System API Reference', select 'Part 2. Application Programming Interfaces (APIs)', 'i5/OS Directory Services APIs', and then 'Synchronize System Distribution Directory to LDAP (QGLDSSDD) API'.

  • V4R3 QGLDSSDD API documentation
  • V4R4 QGLDSSDD API documentation

Conclusion

You now have the method for publishing System i system distribution directory entries to LDAP and for keeping the changes you make to a system distribution directory user synchronized with the LDAP directory you publish to. We hope this helps you become more integrated with other LDAP servers and applications that use LDAP.


 