z/OS Server / Convert from RACF authentication to LDAP authentication
« on: December 20, 2022, 05:58:57 AM »
Hi all,
We are currently running CMOD on z/OS with RACF authentication. The customers are using the fat client.
This is implemented with a slightly modified version of the sample security exit.
However, we want to convert to the Content Navigator front-end instead of the fat client.
This gives us the opportunity to implement Single Sign-on, something which has been on our wish list for a long time.
A big bang scenario is out of the question, so I was thinking of running two instances for a period of time, one with RACF and one with LDAP, both accessing the same database.
I have done some experiments and I have some questions.
In the INI files I can separate all the settings of the authentication into different INI files. But there is also the "system parameters / Login Information" flag for LDAP authentication.
I found this sets a flag in the ARSSYS DB2 table. This is common data between the two instances. What is the effect of that? Does this prohibit the RACF option?
Secondly, I have tried the ARSLSYNC cmd and got it to work. But it deletes the RACF user entries if they are not in the AD.
So now I have to add them again to enable the RACF authentication to work. Is there a way to prevent this?
The intention is to have a relatively short conversion period, so some ad-hoc tinkering during this period is not a problem.
Any comment on the total idea and the specific questions is welcome.
Best Regards, Leo de Jong