The IBM® Diamondback tape library will support remote authentication of user credentials using LDAP (with optional RACF authentication) or Kerberos.
When remote authentication is enabled, the tape library passes user authentication requests to the remote authentication server. The authentication server authenticates the user's ID and password. If they are valid, the tape library assigns the user a role based on the user's group membership on the authentication server.
When remote authentication is enabled, you can perform the following security tasks on multiple systems from the remote authentication server:
- Add and remove users
- Reset or change passwords
- Assign, change, or delete user group assignments
- Respond to new security requirements. For instance, password rules can be changed in one location without reconfiguring multiple systems.

By comparison, when you use local authentication, each individual system maintains an internal database of user IDs, with corresponding passwords and roles.