Global Options (CA ACF2)

You only configure the global options for the CAACF2_UTF backend once. You must configure them before configuring any database CAACF2_UTF sections. All option keywords that follow must start in column one of the configuration file. The options are:
  • backend caacf2_utf
    Begins the global options for all configured CAACF2_UTF back ends. This option can only be configured once.
    Default: n/a
  • disable_lid_ufn_mapping
    Disables UFNs for all CAACF2_UTF back ends. With this option, the CA LDAP Server returns all attribute names with their native CA ACF2 field names, including the user-defined fields.
    Default: n/a
  • disable_segments
    Indicates that when a one-level search for LIDs occurs, a simple LIST command is issued without any PROFILE or SEGMENT data on the command. By default, PROFILE and SEGMENT data is included. This option saves time when searching for a large number of LIDs and only the basic information from the LIST command is needed. For example:
    disable_segments
  • disable_user_def
    Disables the dynamic query and registration of user-defined fields to the CA LDAP Server. All subsequent CA LDAP Server operations (search, add, modify, and delete) will have access only to the base LID fields.
    Default: n/a
  • enableNoExpirePswd
    Specifies that the password is set to not expire. When using the CA LDAP Server with CA PAM (Privileged Access Manager), the password must be set to NO-EXPIRE for CA PAM to manage passwords. This configuration option, in conjunction with an LDAP modify, ensures the password is set to not expire. Do not add this option if you are not using CA PAM.
    Default: not enabled
    Example: enableNoExpirePswd
  • enable_refresh
    Applies recent changes. CA ACF2 must have a modify command issued for the changes to take effect when altering user profile data. Issue the following command:
    F ACF2,REBUILD(USR),CLASS(P)
    When altering the OMVS or LINUX user profile data, CA ACF2 must have an additional command issued to have the changes take effect. Issue the following command to activate changes to OMVS user profile records:
    F ACF2,OMVS
    Issue the following command to activate changes to LINUX user profile records:
    F ACF2,OMVS(LINUX)
    If you enable this option, the CA LDAP Server issues these commands for an ADD or MODIFY of NDS or LNOTES user profile records. The commands are also issued for the ADD, MODIFY, or DELETE of OMVS or LINUX user profile records. The default is to not issue the modify command.
  • enable_refresh_xref
    Issues an F ACF2,NEWXREF when configured. This is not issued by default.
    If the enable_refresh_xref option is set in the slapd.conf file, the following ACF2 command is issued when XREF ROL, RGP, or SGP records are added or modified:
    F ACF2,NEWXREF,TYPE(ROL|RGP|SGP)
    Example: Message returned for command using ROL type
    When the NEWXREF,TYPE(ROL) command is issued, you see the following message on the console:
    ACF79302 ROLE XREF TABLE RE-BUILT
  • ptktappl
    Specifies the application ID (APPLID) that is passed on the RACROUTE VERIFY call. The ESM uses this value to identify the encryption key during PassTickets generation and authentication. The application ID used for the PassTickets generation must be the same as the ID that is used for authentication. When using CA LDAP Server with CA Chorus, set this option to the same value with which CA Chorus is configured. This configuration is important when using IBM PassTickets to authenticate users at a host.
    Default: CALDAP
    Example: ptktappl CALDAP
  • ptktReqrId
    (Optional) Specifies a server-level user ID that is cached in memory. This user ID is used to authenticate the server for all post-bind operations, allowing the server to request a PassTicket on behalf of a client logon.
    Example: ptktReqrId passgen
  • ptktReqrPwFile
    (Optional) Specifies the relative or fully qualified name of the encrypted password file that corresponds to the slapd.conf ptktReqrId option. The file is generated using the authid command line utility.
    Example: ptktReqrPwFile ./authid.pwd
    Example: ptktReqrPwFile /ldap_install_directory/authid.pwd
  • UFNOverride file_name
    Specifies a file name that contains overrides of the default UFN values. Using this option, the pre-defined attribute UFNs can be changed to values of your choice. This option overrides the base CA ACF2 LID record values for all configured CAACF2_UTF databases. The path specified can be a relative or fully qualified path or file name.
    Default: n/a
    For example:
    UFNOverride ./base_acf2_overrides.conf
    For directions to create this file, see the UFN Override File Format section.
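
The placement rules above (one backend caacf2_utf line, global options before any database section, keywords in column one) can be checked before a configuration is deployed. The following linter is an added example, not part of the CA LDAP Server product or its documentation. It assumes that '#' starts a comment, that a database section begins with a line reading database caacf2_utf, and that keywords are case-insensitive; the ptktReqrId/ptktReqrPwFile pairing check is this example's own policy.

```python
# Added example: lint the CAACF2_UTF global options in a slapd.conf.
# Assumptions (not from the product docs): '#' starts a comment, a database
# section starts with "database caacf2_utf", keywords are case-insensitive.
GLOBAL_OPTIONS = set("""disable_lid_ufn_mapping disable_segments
disable_user_def enablenoexpirepswd enable_refresh enable_refresh_xref
ptktappl ptktreqrid ptktreqrpwfile ufnoverride""".split())

def lint_global_options(text):
    findings, seen, backends, first_db = [], {}, [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        words = line.lower().split()
        if not words:
            continue
        key, arg = (words + [""])[:2]
        if (key, arg) == ("backend", "caacf2_utf"):
            backends.append(num)
        elif (key, arg) == ("database", "caacf2_utf"):
            first_db = first_db or num
        elif key in GLOBAL_OPTIONS:
            seen[key] = num
        else:
            continue
        if line[0] in " \t":
            findings.append((num, "keyword does not start in column one"))
    if len(backends) != 1:  # line 0 marks a whole-file finding
        findings.append((0, "expected one 'backend caacf2_utf' line, found %d" % len(backends)))
    elif first_db and first_db < backends[0]:
        findings.append((first_db, "database section precedes the global options"))
    if ("ptktreqrid" in seen) != ("ptktreqrpwfile" in seen):
        num = seen.get("ptktreqrid") or seen.get("ptktreqrpwfile")
        findings.append((num, "ptktReqrId and ptktReqrPwFile are not both set"))
    if "enablenoexpirepswd" in seen:  # the page limits this option to CA PAM use
        findings.append((seen["enablenoexpirepswd"], "enableNoExpirePswd set: confirm CA PAM is in use"))
    return sorted(findings)

# Constructed sample configuration, for illustration only.
SAMPLE = """\
# global section placed after a database section, one indented keyword
database caacf2_utf
backend caacf2_utf
  disable_segments
ptktappl CALDAP
ptktReqrId passgen
enableNoExpirePswd
"""

if __name__ == "__main__":
    for num, msg in lint_global_options(SAMPLE):
        print("line %d: %s" % (num, msg))
```

Each finding is a (line number, message) pair; line 0 marks a finding that applies to the whole file.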