You can use a z/OS® LDAP (Lightweight Directory Access Protocol) server with an SDBM back end for client authentication with WebSphere® Application Server. The SDBM back end manages access between the LDAP server and RACF®.
About this task
This task is optional and should be completed by your z/OS security administrator. The LDAP settings used in this configuration supplement the configuration instructions for using LDAP on z/OS. For more information, see Managing users with Lightweight Directory Access Protocol (LDAP).
Procedure
- LDAP configuration:
The following example shows how the LDAP configuration file slapd.conf is configured for SDBM. Quoted values use plain ASCII double quotes; lines beginning with # are comments:
# Accept LDAP (not TLS-protected) connections on all interfaces, port 3399
listen ldap://:3399
maxConnections 2000
# Only profiletype=user is given, so more than one Bind DN under this suffix can act as the LDAP administrator DN (see the note below)
adminDN "profiletype=user"
# SDBM back end: entries are served from RACF profiles
database sdbm GLDSDBM
suffix "sysplex=yourSysplexName,o=yourOrganization"
sizeLimit 2000
timeLimit 3600
For a description of the keywords, see z/OS Integrated Security Services LDAP Server Administration and Use.
Note: Only profiletype=user is specified in the configuration file. This configuration makes it possible for multiple Bind Distinguished Names (BDN) to act as the LDAP Administrator DN. The BDN is specified in the LDAP user registry properties in the WebSphere Application Server administrative console.
After global security is activated, security requests from WebSphere Application Server are forwarded to RACF under the LDAP Administrator DN of the BDN. BDNracid (the RACF user ID in the BDN) must be a RACF-defined user with a valid OMVS segment, and this RACF user ID must have the system-wide AUDITOR attribute. Because every registry request runs under this privileged identity, treat the BDN password as a high-value credential: the listen directive above accepts unencrypted LDAP, so the bind password crosses the network in the clear unless the connection is otherwise protected.
- WebSphere Application Server user registry settings:
On WebSphere Application Server, some global security settings must be set to use LDAP SDBM as the user registry.
- In the administrative console, go to the LDAP user registry settings and enter the values listed in the following table. The Automatically generated server identity check box must be checked.
Note: To convert lowercase user IDs or passwords that are forwarded to RACF to uppercase, Ignore case for authorization must be checked. If RACF is configured for mixed-case passwords (SETROPTS PASSWORD(MIXEDCASE)), this option upper-cases the password before it reaches RACF, and users with mixed-case passwords cannot log in.
| Property | Value (description, actual) |
| --- | --- |
| Primary administrative user name | RACF user ID for master administrator |
| Type | Custom |
| Host | IP address or URL of LPAR where LDAP is listening |
| Port | LDAP listen port as specified in slapd.conf |
| Base distinguished name (DN) | suffix as in slapd.conf |
| Bind distinguished name (DN) | racfid=BDNracid,profiletype=user,suffix |
| Bind password | password of BDNracid |
- In Advanced LDAP user registry settings, add the filters according to the following table:
| Property | Value |
| --- | --- |
| User filter | racfid=%v |
| Group filter | racfid=%v |
| User ID map | *:racfid |
| Group ID map | *:racfid |
| Group member ID map | racfconnectgroupname:racfgroupuserids |
Note: The BDN must be a RACF user ID with the AUDITOR attribute and a valid OMVS segment (specific or implied by a default segment); both are required by the configuration above. It should also have no TSO segment, which limits how the BDN account can be misused if its password is exposed, but that restriction is not required.
Use a non-expiring password for the BDN user ID to prevent the WebSphere Application Server cell from halting because of internal authentication and authorization failures. If your organization requires this user ID to expire, ensure that you have a process in place to change the BDN password, in RACF and in the registry bind password, before it expires.
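The following script is an added example, not part of the IBM page, that reproduces the DNs and search filters WebSphere builds from the two tables above (bind DN, user filter with %v substituted, group lookup through racfconnectgroupname and racfgroupuserids) so the values can be checked with a plain ldapsearch client before global security is switched on. The host name lpar.example.com, the BDN user ID WASBIND, the RUN switch and the IDs passed on the command line are assumptions; the suffix, port and filters are the ones from the tables.

```shell
#!/bin/sh
# Added example: check SDBM registry values the way WebSphere will use them.
# Host, BDN user ID and the IDs given as arguments are assumed values.
set -eu

LDAP_HOST="${LDAP_HOST:-lpar.example.com}"   # assumed LPAR host where slapd listens
LDAP_PORT="${LDAP_PORT:-3399}"               # listen port from slapd.conf
SUFFIX="${SUFFIX:-sysplex=yourSysplexName,o=yourOrganization}"   # suffix from slapd.conf
BDN_RACID="${BDN_RACID:-WASBIND}"            # assumed RACF user ID used as the BDN
IGNORE_CASE="${IGNORE_CASE:-1}"              # 1 = "Ignore case for authorization" checked
USER_FILTER="racfid=%v"                      # User filter from the advanced settings table
GROUP_FILTER="racfid=%v"                     # Group filter from the advanced settings table

# SDBM places RACF users and groups under fixed profiletype RDNs beneath the suffix,
# so the bind DN from the table is racfid=BDNracid,profiletype=user,suffix.
sdbm_user_dn()  { printf 'racfid=%s,profiletype=user,%s\n'  "$1" "$SUFFIX"; }
sdbm_group_dn() { printf 'racfid=%s,profiletype=group,%s\n' "$1" "$SUFFIX"; }

# With "Ignore case" checked, WebSphere forwards the ID to RACF in upper case.
normalize_id() {
    if [ "$IGNORE_CASE" = 1 ]; then
        printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
    else
        printf '%s\n' "$1"
    fi
}

# Substitute the login name for %v exactly as the registry filter does.
user_filter()  { printf '%s\n' "$USER_FILTER"  | sed "s/%v/$(normalize_id "$1")/"; }
group_filter() { printf '%s\n' "$GROUP_FILTER" | sed "s/%v/$(normalize_id "$1")/"; }

# Bind as the BDN and run one search under the suffix. -x = simple bind (what
# WebSphere does with the bind DN and password), -W = prompt for the BDN
# password so it never appears on the command line or in shell history.
# Without RUN=1 the command is only printed, for use on a host that has ldapsearch.
run_search() {
    filter=$1; shift
    bind_dn=$(sdbm_user_dn "$BDN_RACID")
    if [ "${RUN:-0}" = 1 ]; then
        ldapsearch -x -H "ldap://$LDAP_HOST:$LDAP_PORT" -D "$bind_dn" -W \
            -b "$SUFFIX" "$filter" "$@"
    else
        printf 'ldapsearch -x -H ldap://%s:%s -D "%s" -W -b "%s" "%s" %s\n' \
            "$LDAP_HOST" "$LDAP_PORT" "$bind_dn" "$SUFFIX" "$filter" "$*"
    fi
}

# The two lookups a login needs: the user entry (racfid is the User ID map
# attribute; racfconnectgroupname lists the user's groups) and a group entry
# (racfgroupuserids lists the group's members), matching the Group member ID map.
login_checks() {
    run_search "$(user_filter "$1")"  racfid racfconnectgroupname
    run_search "$(group_filter "$2")" racfid racfgroupuserids
}

# Usage: sh sdbm_check.sh <userid> <groupid>     (add RUN=1 to execute the searches)
if [ $# -eq 2 ]; then
    login_checks "$1" "$2"
fi
```

A bind failure here means the BDN DN or password in the registry panel is wrong, or BDNracid lacks the attributes required above; an empty user search with a lowercase login name and IGNORE_CASE=0 shows why the Ignore case option is needed for RACF IDs.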