Recent Posts

11

MP Server / ARSLSYNC Question

« Last post by JeanineJ on May 02, 2024, 06:32:56 AM »

This is for implementations that use the Thick Client for users to retrieve documents.
I have finally gotten ARSLSYNC working in my sandbox enviroment. YAY Me!
I'm not really thrilled with what I'm seeing.
We are using sAMAccountName for the BIND and MAPPED attributes for LDAP which track back to how we identify employees and contractors in my company.
For the SYNC we're setting USER_FILTER to objectClass=user memberOf... and for GROUP_FILTER = objectClass=group cn=CMOD*dev (yes I'm skipping typing in the full text, just go with me.)
When I run the SYNC I only get the value for the User ID but not the Name or Descriptions that we use when manually loading a user to CMOD. IBM Lab Services says that's all we get and I'm not thrilled. I like to see names and departments that go with the user ID.
Does anyone else care? Has anyone else be able to solve this? Lab Services suggested I request an enhancement to ARSLSYNC.
Because of this we're delaying our ARSLSYNC provisioning until next year.

12

z/OS Server / Re: CMOD 10.5 Release Notes

« Last post by Ed_Arnold on April 30, 2024, 11:57:54 AM »

At 10.5.0.7 the default TLS (SSL) level for both clients and the server flips from TLS V1.2 to TLS V1.3.

If implementing TLS for the first time, things might be easier if all of CMOD, clients and servers, are at 10.5.0.7 first.

10.5.0.8 Release Note --- recommended for TLS V1.3

Changed in 10.5.0.8 is that if GSK_V3_CIPHER_SPECS_EXPANDED is not specified and you want TLS 1.3, development has added TLS 1.3 ciphers to the default ciphers.

If prior to 10.5.0.8, specify  GSK_V3_CIPHER_SPECS_EXPANDED=130313011302C02CC02BC030C02FC024C023 to ensure the TLS 1.3 cipher pairs (1301, 1302, 1303) are available.

Ed

13

z/OS Server / Re: CMOD 10.5 Release Notes

« Last post by Ed_Arnold on April 30, 2024, 11:52:55 AM »

10.5.0.7 - the default IMDS switches from V1 to V2

The Instance Metadata Service Version 2 (IMDSv2) adds protections; specifically, IMDSv2 uses session-oriented authentication with the following enhancements: IMDSv2 requires the creation of a secret token in a simple HTTP PUT request to start the session, which must be used to retrieve information in IMDSv2 calls

14

Announcements & News / Re: ALERT: GSKit 8.0.55.26+ & Post-Quantum Cryptography

« Last post by Justin Derrick on April 26, 2024, 11:41:42 AM »

Just a quick update since CMOD v10.5 FP8 was released this week.  The new FixPack doesn't change the behaviour of CMOD, because altering the current behaviour would mean that OnDemand would no longer be FIPS compliant.

The documentation has been updated to describe the change, but I imagine it would be trivial to miss this very important change:  https://www.ibm.com/docs/en/cmofm/10.5.0?topic=clients-setting-up-ssl-windows

-JD.

15

MP Server / Re: ARSJESD

« Last post by JMichael on April 24, 2024, 08:40:47 AM »

Thank you.

16

MP Server / Re: ARSLSYNC Issues

« Last post by JeanineJ on April 24, 2024, 07:27:12 AM »

He did and I now have an even larger list of users and groups than I had yesterday after I pulled all the filtering off the LDAP_USER_FILTER.
Enclosing the (memberOf...) statement in "" didn't help.

17

MP Server / Re: ARSLSYNC Issues

« Last post by rjrussel on April 23, 2024, 11:46:14 AM »

That isn't correct. Base DN needs to be DC=XXX,DC=XXXX,DC=XXXXX,DC=com

Your IBM Consultant will reach out to you.

18

MP Server / Re: ARSLSYNC Issues

« Last post by JeanineJ on April 23, 2024, 11:41:31 AM »

The BASE DN is different because we're using LDAP to authenticate the small set of users accessing documents with the Thick Client:
ARS_LDAP_BASE_DN="OU=XXXXX People,DC=XXX,DC=XXXX,DC=XXXXX,DC=com"

19

MP Server / Re: ARSLSYNC Issues

« Last post by rjrussel on April 23, 2024, 11:12:40 AM »

You are missing the ARS_LDAP_BASE_DN parameter. Can you share that?

20

MP Server / ARSLSYNC Issues

« Last post by JeanineJ on April 23, 2024, 09:10:38 AM »

I'm attempting to run ARSLSYNC on my RHEL7 CMOD 10.5 development box. It's been giving me fits. No matter what I do the only way I'm getting any output is with these settings in ars.cfg
ARS_LDAP_SERVER_TYPE=AD
#ARS_LDAP_USER_FILTER=(&(objectClass=user)(memberOf=CN=CMOD_XXX_Business_dev,"OU=XXXX Groups,DC=xxx,DC=xxxx,DC=xxxxx,DC=com"))
ARS_LDAP_GROUP_USER_FILTER_USE_DN=FALSE
ARS_LDAP_USER_FILTER=(objectClass=user)
ARS_LDAP_GROUP_FILTER=(objectClass=group)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=CN
ARS_LDAP_IGN_GROUPS=Security,CMOD_Admin,CMOD_Operations
The above gives me EVERYBODY in AD except CMOD_XXX_Business_dev. I can't get the filters to work to bring in the only group with 4 users into my Dev environment. According to my identity people the group exists in AD and has 4 users defined.
If I attempt to use the USER_FILTER code ARSLSYNC doesn't find the users or group running with the just -t -v options.
Has anyone been successful using ARSLSYNC to provision users in CMOD that are part of Group?
I am in consultation with IBM Lab Services as part of a work effort to authenticate a small group of users accessing documents via the Thick Client via AD and SSL, which is working fine. Lab Services is also looking at the issue as I've sent them the trace and output.
I'm running CMOD MP 10.5.0.5 on a RHEL7 server with DB2 11
I know next to nothing about AD or LDAP.