Configuring LDAP for IBM z/OS RACF Authentication

About this task

This section explains how to set up user and group authentication for the server using IBM z/OS RACF. Once configured, users and groups can be assigned any of the existing User Roles on the server, as long as the user profile exists in RACF and the user is valid.
Note: To set up authentication via IBM z/OS RACF, the LDAP server must be running on z/OS with the SDBM back end. See the z/OS RACF documentation for how to set up an LDAP server with the SDBM back end.

Procedure

  1. In the GUI, click Settings->Administration on the top Navigator.
  2. Under Administration, click the Modify link next to LDAP/AD server.
  3. On the LDAP Configuration dialog, click the Advanced tab to bring up the Advanced configuration page.
  4. Using the following example as a guide, add and update the XML so that the LDAP configuration points at RACF. Replace PLEXNAME with the name of your sysplex, csmusr with the RACF user ID the server binds with (and bindPassword with that user's encoded password), and hostname.domain.com with the host name of the z/OS LDAP server. The bindDN must be a RACF user under the same sysplex as the baseDN, and the participatingBaseEntry name must match the baseDN.
    <server description="IBM Copy Services Manager LDAP Registry">
      <ldapRegistry baseDN="profiletype=user,sysplex=PLEXNAME"
          bindDN="racfid=csmusr,profiletype=user,sysplex=PLEXNAME"
          bindPassword="{xor}asBSC124==" host="hostname.domain.com" id="ldap"
          ldapType="IBM Tivoli Directory Server" port="389" realm="RACFRealm">
        <idsFilters groupFilter="racfid=%v" groupIdMap="*:racfid"
            groupMemberIdMap="racfconnectgroupname:racfgroupuserids"
            userFilter="racfid=%v" userIdMap="*:racfid"/>
      </ldapRegistry>
      <federatedRepository>
        <extendedProperty dataType="String" entityType="PersonAccount" name="racfid"/>
        <extendedProperty dataType="String" entityType="Group" name="racfid"/>
        <primaryRealm name="FederatedRealm">
          <participatingBaseEntry name="profiletype=user,sysplex=PLEXNAME"/>
          <userDisplayNameMapping inputProperty="racfid" outputProperty="racfid"/>
          <userSecurityNameMapping inputProperty="racfid" outputProperty="racfid"/>
          <groupSecurityNameMapping inputProperty="uniqueName" outputProperty="uniqueName"/>
          <uniqueGroupIdMapping inputProperty="uniqueName" outputProperty="uniqueName"/>
        </primaryRealm>
      </federatedRepository>
    </server>
  5. Click the Test button to confirm that the setup is valid.
    Note: The test may report that no users were found. This is a known issue when querying the RACF LDAP server with a wildcard search. If no users are found, proceed to step 6 and validate the configuration by attempting to add a user in step 7.
  6. Click Save to save the configuration.
  7. Click the Add Access button on the Settings->Administration panel and select Search for existing Users or Groups to add access. This looks up the RACF users and groups that can be granted access to the server.
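The following Python script is an added example and is not part of the Copy Services Manager documentation or product. It pre-checks an ldapRegistry fragment like the one in step 4 for the mistakes that most often make the test in step 5 fail or that weaken the setup: a bindDN whose sysplex does not match the baseDN, a participatingBaseEntry that does not match the baseDN, a clear-text bindPassword, filters without the %v placeholder, and a connection without TLS (sslEnabled is the Liberty ldapRegistry attribute; that the server honours it is an assumption here). It also shows that the {xor} form used for bindPassword is reversible obfuscation rather than encryption, so the stored configuration must be protected by file permissions, and that a wildcard-only lookup is the query behind the "no users found" result noted in step 5. The sample XML is constructed for this script and deliberately mixes two sysplex names; PLEXNAME, SVPLEX1, csmusr and hostname.domain.com are placeholders.

```python
"""Pre-check a Liberty-style ldapRegistry fragment for IBM z/OS RACF (SDBM) use.

Added example: SAMPLE_XML is constructed for this script and deliberately contains a
sysplex mismatch; PLEXNAME, SVPLEX1, csmusr and hostname.domain.com are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server description="IBM Copy Services Manager LDAP Registry">
  <ldapRegistry baseDN="profiletype=user,sysplex=PLEXNAME"
      bindDN="racfid=csmusr,profiletype=user,sysplex=SVPLEX1"
      bindPassword="{xor}LDo8LTor" host="hostname.domain.com" id="ldap"
      ldapType="IBM Tivoli Directory Server" port="389" realm="RACFRealm">
    <idsFilters groupFilter="racfid=%v" groupIdMap="*:racfid"
        groupMemberIdMap="racfconnectgroupname:racfgroupuserids"
        userFilter="racfid=%v" userIdMap="*:racfid"/>
  </ldapRegistry>
  <federatedRepository>
    <primaryRealm name="FederatedRealm">
      <participatingBaseEntry name="profiletype=user,sysplex=PLEXNAME"/>
    </primaryRealm>
  </federatedRepository>
</server>"""

XOR_KEY = 0x5F  # Liberty's {xor} scheme XORs every byte with '_' and base64-encodes the result


def xor_encode(plain: str) -> str:
    """Produce a {xor} value. This is obfuscation only: anyone who can read it can reverse it."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode, which is why the stored configuration must be access-controlled."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def check_config(xml_text: str) -> list:
    """Return the problems found in the fragment; an empty list means it passed every check."""
    problems = []
    root = ET.fromstring(xml_text)
    reg = root.find("ldapRegistry")
    if reg is None:
        return ["no <ldapRegistry> element found"]
    base_dn = reg.get("baseDN", "").strip().lower()
    bind_dn = reg.get("bindDN", "").strip().lower()

    # SDBM presents RACF users under profiletype=user,sysplex=<sysplex name>
    if not base_dn.startswith("profiletype=user,sysplex="):
        problems.append("baseDN must be profiletype=user,sysplex=<sysplex name> for SDBM")
    # The bind ID is itself a RACF user, so it must sit under the same sysplex suffix
    if not bind_dn.endswith("," + base_dn):
        problems.append("bindDN is not under baseDN (sysplex name mismatch)")

    entry = root.find("federatedRepository/primaryRealm/participatingBaseEntry")
    if entry is None or entry.get("name", "").strip().lower() != base_dn:
        problems.append("participatingBaseEntry name must equal the ldapRegistry baseDN")

    if not reg.get("bindPassword", "").startswith("{xor}"):
        problems.append("bindPassword is in clear text; store it {xor}-encoded as in the example")

    # Assumption: sslEnabled is the Liberty ldapRegistry attribute. Without TLS the bind
    # password and every user's RACF password cross the network unencrypted on port 389.
    if reg.get("sslEnabled", "false").lower() != "true":
        problems.append('sslEnabled is not "true": passwords are sent in clear on port '
                        + reg.get("port", "389"))

    filters = reg.find("idsFilters")
    for attr in ("userFilter", "groupFilter"):
        if filters is None or "%v" not in filters.get(attr, ""):
            problems.append(attr + " must contain %v so the looked-up ID is substituted")
    return problems


def build_filter(template: str, racf_id: str) -> str:
    """Return the search filter sent for one RACF ID, as the Add Access lookup would."""
    if racf_id.strip("*") == "":
        # A wildcard-only search is the known-issue case behind "no users found" on RACF
        raise ValueError("wildcard-only search is not answered by SDBM; look up a specific RACF ID")
    return template.replace("%v", racf_id)


if __name__ == "__main__":
    for problem in check_config(SAMPLE_XML):
        print("PROBLEM:", problem)
    print("decoded bindPassword:", xor_decode("{xor}LDo8LTor"))
    print("lookup filter:", build_filter("racfid=%v", "CSMUSR"))
```

Run it against the XML you intend to paste into the Advanced tab; fix everything it reports, then use a specific RACF ID in step 7 rather than relying on the wildcard test in step 5.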