You can use a z/OS® LDAP server with an SDBM back end for Rational Team Concert™ for System z® client authentication with WebSphere® Application Server. SDBM provides native authentication on z/OS with RACF®.

This task is optional and should be performed by your z/OS security administrator.

This topic describes the specific LDAP settings used in this configuration. It supplements the configuration instructions for Rational Team Concert for System z using LDAP. For more information, see RTCz: Managing users with Lightweight Directory Access Protocol (LDAP).
- LDAP configuration:
LDAP (Lightweight Directory Access Protocol) is configured with an SDBM back end as follows. The example shows the LDAP configuration file slapd.conf configured for SDBM.
```
listen ldap://:3399
maxConnections 2000
adminDN "profiletype=user"
database sdbm GLDSDBM
suffix "sysplex=yourSysplexName,o=yourOrganization"
sizeLimit 2000
timeLimit 3600
```
Refer to z/OS Integrated Security Services LDAP Server Administration and Use for a complete description of the keywords.
Note: Only profiletype=user is specified as the adminDN in the configuration file. This enables multiple Bind Distinguished Names (BDNs) to act as an LDAP AdminDN. The BDN must be specified in the LDAP user registry properties in the administrative console.
All security requests from WebSphere are transferred to RACF (after global security has been activated) under the LDAP Administrator DN, that is, the Bind Distinguished Name. The RACF user ID named in the BDN (BDNracid) must be a RACF-defined user with a valid OMVS segment. This RACF user ID must have the system-wide AUDITOR attribute.
- WebSphere user registry settings:
In WebSphere, some global security settings must be set in order to use LDAP SDBM as the user registry.
- In the administrative console, go to the LDAP user registry settings and supply the values shown below. The Automatically generated server identity check box must be checked.
Note: The Ignore case for authorization check box should be checked so that any lowercase user ID or password forwarded to RACF is converted to uppercase.
| Property | Value (description, actual) |
| --- | --- |
| Primary administrative user name | Master Administrator's RACF user ID |
| Type | Custom |
| Host | IP address or URL of the LPAR where LDAP is listening |
| Port | LDAP listen port as specified in slapd.conf |
| Base distinguished name (DN) | suffix as in slapd.conf (without the quotes) |
| Bind distinguished name (DN) | racfid=BDNracid,profiletype=user,suffix |
| Bind password | password of BDNracid |
- In Advanced LDAP user registry settings, add the filters shown below:

| Property | Value |
| --- | --- |
| User filter | racfid=%v |
| Group filter | racfid=%v |
| User ID map | *:racfid |
| Group ID map | *:racfid |
| Group member ID map | racfconnectgroupname:racfgroupuserids |
Note: The Bind Distinguished Name should be a RACF user ID with the AUDITOR attribute, a valid OMVS segment (specific or implied by a default segment), and no TSO segment. A TSO segment is not required, so omitting it is an easy step to avoid misuse of the BDN account.
Use a non-expiring password for the BDN user ID to prevent the WebSphere cell from halting because of internal authentication and authorization failures. If your organization's policies require this category of user ID to expire, ensure that you have a process in place to change the BDN password before it expires.