Network Directory Services (LDAP)

As Rodney Dangerfield says, "I don't get no respect." So is the case for one of the most powerful and useful servers bundled with OS/400, IBM's Directory Server based on LDAP (Lightweight Directory Access Protocol) Version 3.

The iSeries LDAP server has been bundled with OS/400 since V4R3. V4R3 and V4R4 implemented LDAP Version 2; V4R5 and beyond implement Version 3. IBM steadily and quietly enhances the server and the type of information that is published to the server.

So What Is LDAP?

Since the Internet was first established in 1969 with a connection between UCLA in Los Angeles, California, and Stanford Research Institute in San Mateo, California, the need for a directory of resources--such as people, places, things, and machines--has been apparent.

You know that so-and-so uses the Internet, but you don't know his email address.

You got a phone message from someone working for your company, but you don't know who the person is, what department she's in, or who she works for.

You designed a system that requires routing remote printed output to the printer closest to a specific user, but you don't know how to find the printer.

Different organizations within your company use different email servers. It is common--especially in larger organizations--to see mixtures of technology in an organization's various operating units.

How do you locate people? How do you find their email addresses or telephone numbers?

These are just some of the problems that iSeries Directory Server (LDAP) can solve.

In the late 1980s, the International Organization for Standardization (ISO) first began to work on creating a standardized directory under the organization's Open Systems Integration (OSI) X.500 protocol. The product, Directory Access Protocol (DAP), was not viable for widespread implementation. The Internet Architecture Board and its engineering subsidiary, the Internet Engineering Task Force (IETF), picked up the challenge and produced RFC1488, The X.500 String Representation of Standard Attribute Syntaxes, in July 1993. This was the beginning of LDAP.

Today, many large public information services--such as Google.com and BigFoot.com--publish Internet directories using LDAP as the basis for their public directory systems. Microsoft, Netscape, and Lotus (Notes) incorporate LDAP into their Web and email client software, allowing users to configure their client tools to use an LDAP directory as their address book.

The iSeries LDAP server is a unique server that leverages your iSeries environment by publishing iSeries system information to your server, and there's some good information out there about how to use it. My latest book, IBM eServer iSeries--Built for e-business, published by IBM Press, describes the structure and content of an LDAP directory. An article published in the IGNITe/400 User Group newsletter entitled "OS/400 User Authentication with iSeries LDAP" provides step-by-step instructions for configuring an iSeries LDAP server. IBM has published a superb Redbook, Implementation and Practical Use of LDAP on the IBM eServer iSeries Server (SG24-6193-00), that describes in detail how to configure your LDAP server and begin publishing user and system information. In this article, I will focus on what you can do with LDAP and the information that can be implemented in a matter of minutes after configuring your LDAP server on an iSeries.

Many LDAP server implementations are available for many different platforms, and a lot of them are open-source or public domain and may be downloaded free from the Internet. Even IBM gives away its Windows, Unix, and Linux versions of its LDAP server.

The advantage of the iSeries LDAP server is the publishing utilities bundled with the product to leverage your system information instantly. Unlike other implementations, the iSeries Directory Server is ready to use within minutes.

Information About People

The iSeries Directory Server publishes information about OS/400 users from the OS/400 System Directory (WRKDIRE). "Publishing" means that information stored in your system directory is read and added to the Directory Server's database. Whenever a change is made to the system directory, the change is detected and published to the Directory Server. The quality of the information published depends on the information you have captured about users in your system directory. If you provide extensive user information--including full name, title, telephone number, etc.--this information will be automatically published to your Directory Server along with the user ID and other basic system information. The publishing job is QGLDPUBA, which runs in the QSYSWRK subsystem on your machine when both the Directory Server and the publishing jobs are configured. APIs and commands are available to update the system directory.

These publishing jobs are incredibly sophisticated. If you maintain your directory entries for your user information directly within the Directory Server, this information will not be overwritten by the publishing utility. When a new user is added to the directory, the utility detects and adds that information. If a user is removed, the Directory Server entry is removed.

LDAP Authentication

Once you start publishing your user information, you may configure your HTTP servers (original or Apache) or your WebSphere Application Server (WAS) to use your LDAP Directory Server for user authentication. This is a tremendous feature of the LDAP Directory Server. Many companies run their servers on a separate iSeries machine to isolate the HTTP servers from the production machine. To authenticate users without using LDAP, you would have to replicate your user profiles to the server machine.

With LDAP, just configure your HTTP server with LDAP-based authentication and point to the LDAP server running on your production machine. When a user is required to authenticate via HTTP basic authentication, the information will be passed securely to the LDAP server, which will authenticate your users for you. You do not have to replicate user profiles to remote machines just for authentication.

iSeries Printers

Locating a user's preferred printer and ensuring that it is available to print and that it supports the protocol you wish to use is a challenge for most shops.

The LDAP publishing utility, QGLDPUBE, will automatically publish information about all iSeries printers to the LDAP server. This utility is incredibly sophisticated. It will publish the status of the printer (Active or Inactive) and update your LDAP directory upon detecting a change in status. The publishing utility picks up local twinax as well as network printers. It locates print queues and identifies the type and capabilities of the printer.

I built a facility that allows users to update their directory entries with their preferred printers. My application programs can retrieve this information and quickly and easily locate the correct printer for each user. You may wish to allow users to override the printer when they are away from their desks, and you may let them choose several printers with different capabilities so that they can select the most appropriate printer for the specific print job.

Publishing iSeries printers to the LDAP directory is not documented; I was told about this facility by one of my IBM contacts. Here, I am sharing this information with you.

In Operations Navigator, select the machine that you wish to publish data from. Right-click on the machine name and select Properties, as shown in Figure 1.

http://www.mcpressonline.com/articles/images/2002/Network%20Directory%20ServicesV400.png

Figure 1: Select the machine that you wish to publish data from.

Figure 2 illustrates the main LDAP publishing screen found on the Directory Services tab. This system is already configured to publish system information and user information. Click Details to publish printers.

http://www.mcpressonline.com/articles/images/2002/Network%20Directory%20ServicesV401.png

Figure 2: On the Directory Services tab, click Details to publish printers.


Figure 3 illustrates the System Information Details view of the Directory Server publishing function in Operations Navigator. This display is presented when you click the Printers tab at the upper left corner of the screen. When you initially open the display, all printers known to your iSeries will be displayed in the left column. You may add or remove printers by selecting printers from the list on the right and clicking the buttons in the middle of the screen.

http://www.mcpressonline.com/articles/images/2002/Network%20Directory%20ServicesV402.png

Figure 3: The System Information Details view displays all printers known to your iSeries.

Allow up to 10 minutes for the publishing utility to locate and publish your printers. From this point forward, the directory will automatically be updated if an active printer becomes inactive or if an inactive printer becomes active.

Windows Printers

Printers that are defined and controlled by a Microsoft Windows NT/2000/XP server can be published to your iSeries LDAP server to provide a single repository of printers for all of your applications to use. See the Redbook Implementation and Practical Use of LDAP on the IBM eServer iSeries Server (SG24-6193-00) for detailed, step-by-step instructions for publishing Windows printers.

LDAP Schema

LDAP is a self-defining facility. It contains a schema (a form of data dictionary) with over 2,500 predefined classes provided by IBM to handle common business and technical entities. You may either use the publishing tools or populate these classes yourself. You may also add classes and/or attributes to the schema to store any type of information you would like to store in your directory. The guideline is to store information that is retrieved frequently but updated rarely.

IBM's LDAP Directory Schema: Overview is a superb online Web-based tool that allows you to explore IBM's standard schema definitions.

Accessing LDAP

After you set up LDAP and begin publishing information to your LDAP-based directory server, you will want to retrieve information from the directory. You may use standard tools or write your own programs to access it.

Mail Clients

Most modern mail clients--including Microsoft Outlook, Lotus Notes, and Netscape's mail client--allow you to configure an LDAP directory server as an address book. The client will search the directory server as well as any local address books to resolve names. You may add several servers to your mail client and search them all in the order specified.

The IBM Directory Management Tool (DMT)

IBM provides a tool to retrieve information about the structure of your LDAP schema as well as the data contents of the server. You may log in with sufficient authority and use the DMT to add, delete, or update entries in the directory.

Figure 4 illustrates a partial screen capture of a DMT display that lists the printers published to this particular server.


http://www.mcpressonline.com/articles/images/2002/Network%20Directory%20ServicesV403.png

Figure 4: The DMT view of the Directory Information Tree lists the printers published to a particular server.


Figure 5 shows the detailed attributes of an AFP/DS printer as displayed in the DMT. Notice that the printer reports that it is Active.


http://www.mcpressonline.com/articles/images/2002/Network%20Directory%20ServicesV404.png

Figure 5: The DMT Summary display for a printer shows the detailed attributes of an AFP/DS printer.

Qshell Commands

The LDAP Directory Server for iSeries is delivered with a set of commands that you may run from within the Qshell command interpreter. The "ldapsearch" utility is the most useful; it allows you to test and run queries in the Qshell environment to ensure that your query syntax is correct when you write programs. For details on LDAP command support, see the Directory Server topic under Networking -> TCP/IP in the IBM iSeries Information Center.

APIs

A full set of APIs suitable for use with RPG, COBOL, C, or C++ may be found in the IBM Information Center by using the new API Finder and selecting Directory Services from the drop-down list of system components.

Java JNDI

If you are writing applications in Java that need to access your LDAP-based Directory Server, you will want to use the Java Naming and Directory Interface (JNDI). You may download this Java API from http://java.sun.com/products/jndi/ and also locate documentation and sample code.

The JNDI provides a Java interface to retrieve and update any type of directory server that supports the JNDI interface (both LDAP and DNS are supported).
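
The bind-based check described under LDAP Authentication, written against the JNDI interface, as an added example that is not code from the original article or from IBM: it finds the user's entry with an escaped search filter, then binds as that user over ldaps://. The host name, directory suffix, the `uid` attribute and `person` class, and the environment variable names are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindAuth {
    // Assumed values for illustration: substitute your own server and suffix.
    static final String URL = "ldaps://ldap.example.com:636"; // TLS protects the simple bind
    static final String BASE_DN = "dc=example,dc=com";

    /** Escape a value for use inside a search filter (RFC 4515 special characters). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0') {
                sb.append('\\').append(String.format("%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** JNDI environment for a simple bind as dn, or an anonymous bind when dn is null. */
    static Hashtable<String, String> env(String dn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.REFERRAL, "ignore"); // do not chase referrals to other servers
        if (dn == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return env;
    }

    /** Return the DN of the single entry matching userId, or null if none or several match. */
    static String findUserDn(String svcDn, String svcPw, String userId) throws NamingException {
        DirContext ctx = new InitialDirContext(env(svcDn, svcPw));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            sc.setCountLimit(2);
            // The uid attribute and person class are assumptions about the schema.
            String filter = "(&(objectClass=person)(uid=" + escapeFilterValue(userId) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            if (!results.hasMore()) return null;
            String dn = results.next().getNameInNamespace();
            return results.hasMore() ? null : dn; // refuse an ambiguous match
        } finally {
            ctx.close();
        }
    }

    /** Search-then-bind: true only if the directory accepts userId's password. */
    static boolean authenticate(String svcDn, String svcPw, String userId, String password)
            throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind, which a
        // server may accept, so reject it before contacting the directory.
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String userDn = findUserDn(svcDn, svcPw, userId);
        if (userDn == null) return false;
        try {
            new InitialDirContext(env(userDn, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // invalid credentials
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed inputs; the second would match every uid if it were not escaped.
        System.out.println(escapeFilterValue("jsmith"));
        System.out.println(escapeFilterValue("*)(uid=*"));
        System.out.println(authenticate(null, null, "jsmith", "")); // no bind attempted
        // Live check in a lab, only when these (assumed) environment variables are set.
        String user = System.getenv("LDAP_USER");
        if (user != null) {
            System.out.println(authenticate(System.getenv("LDAP_SVC_DN"),
                    System.getenv("LDAP_SVC_PW"), user, System.getenv("LDAP_USER_PW")));
        }
    }
}
```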

Other Uses

My goal is to use the iSeries LDAP Directory Server as a repository of our company's infrastructure-type information, such as branches, office addresses, equipment, people, jobs, etc. Our strategy is to start small, leveraging the user and printer information published automatically by IBM to the server.

We will write Java JNDI-based programs to retrieve data from the server, and then we'll front-end the Java programs with RPG programs that replace our existing utility programs that read database files today. This way, we can gradually migrate our applications to LDAP as a central repository.

Since we use Lotus Domino as our mail server while our parent and affiliate companies use other mail servers, we will all use LDAP as a common address book and repository of contact information to locate people and resources through the greater company.

Over time, we will migrate more information to the LDAP Directory Server and add program function to retrieve and use this information.

A Final Note

Since we enabled the system publishing feature for LDAP and we use Management Central to keep our information updated and current, we can now see all of our products, PTFs, and a great deal of other information published by Management Central to the LDAP Directory Server. At V5R2, IBM's Quality of Service (QoS) facility now publishes QoS policy rules to your LDAP server.

It appears that IBM will continue to leverage the LDAP Directory Server as a repository for information about the system as time progresses. In fact, it seems that the LDAP Directory Server is becoming the main OS/400 information repository.

Bob Cancilla is the author of the popular IBM Press book, IBM eServer iSeries: Built for e-business. He also wrote Getting Down to e-business with AS/400, available from MC Press.

Bob Cancilla

Bob Cancilla is the IBM Rational System i Software evangelist helping to set strategy and adoption of IBM Rational application development and life cycle management software for System i customers. Bob joined IBM after over 30 years as an IT executive in the insurance industry. He was the founder of the System i eBusiness electronic user group www.ignite400.org, is the author of four books, and is an industry leader in the areas of application architecture, methodology, and large-scale integrated systems development.

 
