Managing DSM user authentication and user authorization with LDAP
Use LDAP to manage both Data Server Manager (DSM) user authentication and user authorization (Administrator or User).
About this task
You can use an external LDAP server both to authenticate DSM users and to manage DSM user authorization. The following modes are available for managing DSM user authentication and authorization through LDAP:
- Simple mode
- Use simple mode (refer to Table 2) if the DSM users exist in a single centralized location on the LDAP side; all entries under this location are assumed to be DSM users. This mode assumes that two groups exist in the same location in LDAP for authorizing DSM users:
- One group contains the distinguished names (DNs) of users that map directly to DSM users with the Administrator role.
- The other group is for users with the standard User role.
- All DSM users must be in the same container of the LDAP directory. The DSM users in this container must belong to at least one of the User and Administrator groups. Any entry in this container that belongs to neither group is not treated as a DSM user.
- The two groups for privileges must be siblings in a container of the LDAP directory. The value of the members in the groups must be the DNs of the users.
- The member attribute of the groups must be accessed anonymously, or by a bind account with proper privileges in LDAP.
- Advanced mode
- Use advanced mode (refer to Table 3) if the DSM users or groups exist in multiple locations on the LDAP side. All entries that meet the customized search conditions and that belong to at least one of the groups under those locations are treated as DSM users.
- RACF mode
- All z/OS users who authenticate and are authorized against z/OS Tivoli Directory Server with the RACF data back end must follow the configuration described in Table 4 when performing the following procedure. All DSM users must be grouped under the profiletype=USER subtree, and all groups must be grouped under the profiletype=GROUP subtree. Every group must hold its member DN information in the racfgroupuserid attribute.
Note: To use Simple, Advanced, or RACF mode, refer to Table 1.
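As an added illustration (not IBM's code and not the DSM implementation), the following Python models the simple-mode authorization rules above against a constructed LDIF export. It assumes that groups store member DNs in a `member` attribute, which the page does not name, and that Administrator-group membership takes precedence when a user appears in both groups.

```python
# Added example (not IBM's code): models DSM simple-mode LDAP authorization.
# Assumes groups list member DNs in 'member' (attribute name not given on the page).

# Constructed LDIF export for illustration only, not a real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=dsm,dc=example,dc=com
uid: alice

dn: uid=bob,ou=dsm,dc=example,dc=com
uid: bob

dn: uid=carol,ou=dsm,dc=example,dc=com
uid: carol

dn: cn=dsm-admins,ou=groups,dc=example,dc=com
member: uid=alice,ou=dsm,dc=example,dc=com

dn: cn=dsm-users,ou=groups,dc=example,dc=com
member: uid=bob,ou=dsm,dc=example,dc=com
member: uid=eve,ou=other,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def parent_of(dn):
    """Container DN of an entry (everything after the first RDN)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) > 1 else ""

def dsm_role(entries, user_dn, container, admin_group, user_group, member_attr="member"):
    """Return 'Administrator', 'User', or None (not a DSM user) per simple-mode rules."""
    if parent_of(admin_group) != parent_of(user_group):
        raise ValueError("privilege groups must be siblings in one container")
    # All DSM users live in one container; entries elsewhere are not DSM users.
    if user_dn not in entries or parent_of(user_dn) != container:
        return None
    if user_dn in entries.get(admin_group, {}).get(member_attr, []):
        return "Administrator"  # assumption: Administrator wins when in both groups
    if user_dn in entries.get(user_group, {}).get(member_attr, []):
        return "User"
    return None  # in the container but a member of neither group
```

Running `dsm_role` over each DN in the export is a quick way to check an LDAP layout against the simple-mode constraints before pointing DSM at it.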