You use the ALTUSER or ALU command to activate users for LDAP.
Before you begin
You need the fully-qualified domain name for each user you want to authenticate with LDAP. For example, the Windows whoami /fqdn command returns results similar to the following:
C:\Users\juser>whoami /fqdn
CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com
Procedure
- Enter the following command to activate a user for LDAP.
Note that the fully-qualified domain name for each user is enclosed in single quotation marks.
ALU [Login ID] MFA(FACTOR(AZFLDAP1)
ACTIVE TAGS('DN:CN=J User,OU=Users,OU=Company Offices,
DC=companyname,DC=com'))
Where:
- [Login ID] is the z/OS® user name.
- ACTIVE activates the AZFLDAP1 authenticator for the user ID.
- DN is the fully-qualified domain name for the user.
- If needed, enter the following command to defer activating a user for LDAP:
ALU [Login ID] MFA(FACTOR(AZFLDAP1)
TAGS('DN:CN=J User,OU=Users,OU=Company Offices,
DC=companyname,DC=com'))
Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFLDAP1 authenticator for the user ID:
ALU <USERID> MFA(FACTOR(AZFLDAP1) ACTIVE)
- Enter the following command to display IBM® MFA information for a user profile:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
FACTOR = AZFLDAP1
STATUS = ACTIVE
FACTOR TAGS =
DN:CN=J User,OU=Users,OU=Company Offices, DC=companyname,DC=com
- If needed, enter the following command to deactivate a user for LDAP:
ALU [Login ID] MFA(FACTOR(AZFLDAP1) NOACTIVE)
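
The following Python check is an added example, not part of the IBM procedure: it parses the MFA information display shown in the procedure and reports whether AZFLDAP1 is ACTIVE and whether the DN tag matches the DN you expect for that user, since a wrong DN binds the z/OS user ID to a different LDAP identity. The function names, the constructed sample input, the handling of wrapped tag lines, and the case-insensitive DN comparison are assumptions.

```python
import re

# Constructed sample: the display output in the layout the page shows.
SAMPLE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
FACTOR = AZFLDAP1
STATUS = ACTIVE
FACTOR TAGS =
DN:CN=J User,OU=Users,OU=Company Offices, DC=companyname,DC=com
"""

def parse_mfa_info(text):
    """Return {factor: {"status": str|None, "dn": str}} from the display output."""
    factors, current, in_tags = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"(FACTOR TAGS|FACTOR|STATUS)\s*=\s*(.*)$", line)
        if m:
            key, value = m.groups()
            in_tags = key == "FACTOR TAGS"
            if key == "FACTOR":
                current = factors.setdefault(value, {"status": None, "tags": ""})
            elif current is not None and key == "STATUS":
                current["status"] = value
            elif current is not None:
                current["tags"] += value
        elif in_tags and current is not None:
            current["tags"] += line  # assumption: a long tag wraps onto following lines
    for entry in factors.values():
        tags = entry.pop("tags")
        entry["dn"] = tags[3:] if tags.startswith("DN:") else ""
    return factors

def normalize_dn(dn):
    """Split on unescaped commas, trim each RDN, fold case (assumed case-insensitive)."""
    return tuple(rdn.strip().casefold() for rdn in re.split(r"(?<!\\),", dn))

def audit(user_id, listing, expected_dn, factor="AZFLDAP1"):
    """Return findings for one user; an empty list means the profile matches."""
    entry = parse_mfa_info(listing).get(factor)
    if entry is None:
        return [f"{user_id}: {factor} is not defined"]
    findings = []
    if entry["status"] != "ACTIVE":
        findings.append(f"{user_id}: {factor} status is {entry['status']}")
    if normalize_dn(entry["dn"]) != normalize_dn(expected_dn):
        findings.append(f"{user_id}: DN tag does not match the expected DN")
    return findings

if __name__ == "__main__":
    expected = "CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com"
    print(audit("JUSER", SAMPLE, expected) or "JUSER: OK")
```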