Copy Validation List to LDAP: New Function PTF SI16586
If you are currently using HTTP server or have used it in the past, you may have created validation lists to store internet users and their passwords. As you move to WebSphere Application Server, Portal Server, and other applications that support LDAP authentication, you may want to continue using these existing internet users and their passwords.
This can be done using the new Copy Validation List to LDAP (QGLDCPYVL) API.
New V5R3 enhancements
These functions are the ones already provided by IBM Directory Server versions 4.2 and 5.1 on other platforms. The enhancements focus on the introduction of the new Web Administration Tool, improved performance, easier management of groups, and better control over search results.
If you are installing V5R3 and were using Directory Server on a previous release, then review the migration considerations.
The following enhancements were made to the IBM Directory Server on IBM i in V5R3 in June 2004:
- Administration and user accessibility: The new IBM Directory Server Web Administration Tool replaces the IBM Directory Management Tool. The Web administration tool includes the functionality to administer the user entries, the directory server processes, and the directory tree from one common Web interface. LDAP protocol is now used to query and update the configuration options of the Directory Server.
- Dynamic groups: Groups can now be defined using a search expression. When an attribute is added to a directory entry, the entry automatically becomes a member of the group.
- Nested groups: Nesting enables the creation of hierarchical relationships to define inherited group membership. A nested group is defined as a child group entry whose distinguished name (DN) is an attribute contained within a parent group entry. A new attribute explicitly distinguishes nested groups from ordinary members. The members of a group may also be queried.
- Password policy: The directory server now supports a password policy that includes password syntax rules, password history, and disabling entries after too many attempts to use incorrect passwords.
- Filter-based access controls: Authority to entries can now be specified using filter-based access control. For example, you can specify permissions to entries with departmentNumber=abc or grant access to specific types of entries.
- Replication: Replication improvements include the ability to have multiple master servers (peer servers), replication of subtrees, improved scheduling and control of replication, improved monitoring, and more robust replication function.
- Command line utilities: The following command line utilities are new:
  - ldapexop - provides the capability to bind to a directory and issue a single extended operation along with any data that makes up the extended operation value.
  - ldapdiff - synchronizes a replica server with its master.
  - ldapchangepwd - sends modify password requests to an LDAP server.
- Sorted search: The sorted search control allows a client to receive search results sorted according to a list of criteria, where each criterion represents a sort key. This moves the responsibility for sorting from the client application to the server, where it can be done more efficiently. The ldapsearch command has been enhanced with new parameters to allow the search results to be sorted. There are also new LDAP APIs for sorting search results.
- Paged search: The paged results control allows you to manage the amount of data returned from a search request. You can request a subset of entries (a page) instead of receiving all the results at once. Subsequent search requests return the next page of results until the operation is canceled or the last result is returned. The ldapsearch command has been enhanced with new parameters to allow the search results to be paged. There are also new LDAP APIs for paging search results.
- Performance: Performance is improved for all operations. In addition, all operations are now allowed to be performed simultaneously by multiple clients.
- Special characters in distinguished names (DN): A DN may now contain the following special characters: commas, equals, plus, less than, greater than, pound, semicolon, backslash, and quotation marks.
- Matching rules for string attributes: If an attribute is defined with one of the two string syntaxes, Directory String or IA5 String, the server will now honor the matching behavior specified in the schema for the attribute, correcting an error in previous releases. You can define an attribute to be case sensitive or to ignore case when matching. Previously the server allowed a matching rule to be defined, but ignored it. Internally the server treated IA5 String as case sensitive, and Directory String as case insensitive. If your server had defined attributes as IA5 String with caseIgnoreMatch, or DirectoryString with caseExactMatch, the server will now behave correctly for those attributes.
