
ldapsearch and EIM


  • ldapsearch and EIM


    We are implementing EIM on our IBMi systems. I am using the CHGUSRPRF and CRTUSRPRF commands to
    create the EIM associations. My role is only to provide CL programs for the security
    administrators to call from a menu option. Sounds simple enough. But since the EIM association
    is not stored with the user profile, is there a way to validate that the EIM association exists?

    I was told that the "ldapsearch" program executed in QSHELL might do this; however, I don't know
    what authority is required to run that program in PASE. I have *SECADM, *SERVICE, etc., which seems
    like that would suffice, but I still get an error.

    CHGUSRPRF USRPRF(MYPROFILE)
    EIMASSOC(MYPROFILE *SOURCE *REPLACE *CRTEIMID)

    $
    ldapsearch
    /QOpenSys/usr/bin/-sh: ldapsearch: 0403-006 Execute permission denied.
    $

    Any help is greatly appreciated!

  • #2
    Normally, everyone (public) has execute permission to the ldapsearch command.

    This is not meant to imply that you will have authority to all of the ldap servers or directories. But, you should have execute permission to the command itself, which is where it is failing for you.

    It seems that something is different on your system, like someone revoked the execute permission.

    To see the Unix-type permissions from QShell type: ls -l /usr/bin/ldapsearch

    It should show a symlink to the QSYS/QGLDSEARCH program. You might also want to check the authorities to that.

    Comment


    • #3
      It appears to be *USE authority.
      lrwxrwxrwx 1 qsys 0 48 Apr 16 2018 /usr/bin/ldapsearch -> /QSYS.LIB/QGLDSEARCH.PGM

      Comment


      • #4
        That all looks correct, matches what I have.

        Do you have a different ldapsearch in your PATH? Try typing "whence ldapsearch" to see which directory it's finding the tool in.

        Comment


        • #5
          whence ldapsearch comes back with blanks on the screen. I tried which ldapsearch and see this:

          > which ldapsearch
          /usr/bin/ldapsearch
          $

          Comment


          • #6
            So instead of going into QSH by doing this: CALL QP2TERM, I did this: STRQSH. I get different results. I do not get the permission errors using STRQSH. I guess I just don't work with QSHELL enough to know that there was a difference. I have always used QP2TERM, at least for the limited amount of work I have done using SSH. Or am I missing something?

            Anyway, now I have to figure out how to get what I am looking for using ldapsearch command. I want to find/verify that a user exists. This is the string I am using:
            ldapsearch -D os400-profile=MYUSERPRF MYPASSWD -b 'cn=identifiers,ibm-eimdomainname=EIM_SYSTEM' -s one cn=*' /uid > home/ldapoutput.txt

            I am not really sure this is correct. Any help is appreciated!

            Comment


            • #7
              ldapsearch is implemented as a native IBM i program. QShell can run those, but it can also run AIX programs. PASE (QP2TERM, QP2SHELL, et al) can only run AIX programs, it cannot run native ones. (Though, you can invoke QShell from PASE if needed.)

              I can't tell you the syntax of these commands, I haven't used them in 10+ years. But, that information should be readily available on the web.

              Comment
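
The native-versus-PASE distinction from post #7, as an added example that is not part of the original thread: a POSIX sh script that walks PATH and reports, for each match of a command name, whether it is a symlink to a /QSYS.LIB program object (native, so run it under STRQSH rather than QP2TERM) or an ordinary file. The function names are hypothetical; the /QSYS.LIB/...PGM target pattern is taken from the ls -l output in post #3.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# link_target PATH: print the symlink target, or nothing if PATH is not a symlink.
link_target() {
    [ -L "$1" ] || return 0
    # `ls -ld` prints "... PATH -> TARGET"; keep what follows the last " -> ".
    ls -ld "$1" | sed 's/.* -> //'
}

# classify_cmd PATH: print one of
#   native  - symlink to a *PGM object under /QSYS.LIB (PASE cannot run it)
#   file    - something else that exists at PATH (regular file, other link)
#   missing - nothing usable at PATH
classify_cmd() {
    path=$1
    target=$(link_target "$path")
    case "$target" in
        /QSYS.LIB/*.PGM) echo native; return 0 ;;
    esac
    if [ -e "$path" ]; then
        echo file
    else
        echo missing
    fi
}

# scan_path NAME [PATHLIST]: one "<class> <path>" line per match, in PATH
# order, so a shadowing copy earlier in PATH (post #4's question) is visible.
scan_path() {
    name=$1
    old_ifs=$IFS; IFS=:
    for dir in ${2:-$PATH}; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.
        cand=$dir/$name
        if [ -e "$cand" ] || [ -L "$cand" ]; then
            echo "$(classify_cmd "$cand") $cand"
        fi
    done
    IFS=$old_ifs
}

# Default to the command discussed in the thread.
scan_path "${1:-ldapsearch}"
```

A `native` result for the first match means the command has to be started from QShell, which is the behaviour post #6 observed.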


              • #8
                Thanks Scott. Never knew. And the syntax is quite difficult, but you are right, there is a lot of information out there.

                Comment
