Activate and deactivate users for LDAP

You use the RACF ALTUSER (ALU) command to activate and deactivate users for LDAP authentication through the AZFLDAP1 factor.

Before you begin

You need the fully qualified distinguished name (DN) of each user you want to authenticate with LDAP. This is an LDAP DN, not a DNS host name: on Windows the whoami /fqdn command returns it in a form similar to the following:
C:\Users\juser>whoami /fqdn
CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com

Procedure

  1. Enter the following command to activate a user for LDAP. The DN tag for each user is enclosed in single quotation marks. The command is shown on several lines for readability; at a TSO prompt or in a batch job it is entered as a single command (if you split it, end each continued line with a hyphen or plus sign).
    ALU [Login ID] MFA(FACTOR(AZFLDAP1)
    ACTIVE TAGS('DN:CN=J User,OU=Users,OU=Company Offices,
    DC=companyname,DC=com'))
    Where:
    • [Login ID] is the z/OS® user ID.
    • ACTIVE activates the AZFLDAP1 authenticator for the user ID.
    • DN is the fully qualified distinguished name of the user in the LDAP directory. It must match the user's entry exactly; a mistyped DN is accepted by RACF but causes the LDAP authentication to fail at logon.
  2. If needed, enter the following command to store the DN tag without activating the user for LDAP yet:
    ALU [Login ID] MFA(FACTOR(AZFLDAP1)
    TAGS('DN:CN=J User,OU=Users,OU=Company Offices,
    DC=companyname,DC=com'))
    Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFLDAP1 authenticator for the user ID:
    ALU [Login ID] MFA(FACTOR(AZFLDAP1) ACTIVE)
  3. Enter the following command to display IBM® MFA information for a user profile:
    LISTUSER [Login ID] MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
     FACTOR = AZFLDAP1
      STATUS = ACTIVE
      FACTOR TAGS =
        DN:CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com
  4. If needed, enter the following command to deactivate a user for LDAP:
    ALU [Login ID] MFA(FACTOR(AZFLDAP1) NOACTIVE)
    Repeat LISTUSER [Login ID] MFA afterwards to confirm that the STATUS shown for AZFLDAP1 is no longer ACTIVE.
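When many users are onboarded at once, it is easy to issue an ALU command with an unbalanced parenthesis or a mistyped DN that RACF accepts but the LDAP server never matches. The following Python helpers are an added example, not IBM's code: they build the exact command strings used in steps 1, 2 and 4 from a user ID and DN, do a basic sanity check on both before anything is typed into TSO, and parse the LISTUSER MFA output from step 3 so the result can be verified. The factor name AZFLDAP1 and the DN: tag come from this topic; the simplified RACF user-ID rule, the doubling of a single quote inside a quoted TSO string, and the sample LISTUSER text are the example's own assumptions.

```python
"""Build and verify ALTUSER (ALU) MFA commands for the AZFLDAP1 factor.

Added example, not IBM code.  Assumptions are marked in comments.
"""
import re

FACTOR = "AZFLDAP1"

# Assumed, simplified RACF user-ID rule: 1-8 characters from A-Z, 0-9
# and the national characters @ # $.  Sites may restrict this further.
_USERID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")
# One RDN component: attribute type, '=', non-empty value.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def _check_userid(userid: str) -> str:
    userid = userid.upper()
    if not _USERID_RE.match(userid):
        raise ValueError(f"invalid RACF user ID: {userid!r}")
    return userid


def check_dn(dn: str) -> str:
    """Reject obviously malformed DNs before the command is issued.
    Splits on ',' only; DNs containing an escaped comma (\\,) are not
    handled by this simple check."""
    dn = dn.strip()
    if not dn:
        raise ValueError("empty DN")
    for rdn in dn.split(","):
        if not _RDN_RE.match(rdn.strip()):
            raise ValueError(f"malformed RDN component: {rdn!r}")
    return dn


def _quote(value: str) -> str:
    """Single-quote a value for TSO; a quote inside the value is doubled
    (quoted-string convention assumed by this example)."""
    return "'" + value.replace("'", "''") + "'"


def build_alu_command(userid: str, dn: str, activate: bool = True) -> str:
    """Command that stores the DN tag and, with activate=True, also
    activates AZFLDAP1 (step 1); activate=False gives the deferred form
    from step 2 that stores the tag only."""
    userid = _check_userid(userid)
    dn = check_dn(dn)
    parts = [f"FACTOR({FACTOR})"]
    if activate:
        parts.append("ACTIVE")
    parts.append(f"TAGS({_quote('DN:' + dn)})")
    return f"ALU {userid} MFA({' '.join(parts)})"


def build_status_command(userid: str, active: bool) -> str:
    """Command that only flips the factor ACTIVE (later activation in
    step 2) or NOACTIVE (deactivation in step 4)."""
    userid = _check_userid(userid)
    return f"ALU {userid} MFA(FACTOR({FACTOR}) {'ACTIVE' if active else 'NOACTIVE'})"


def parse_listuser_mfa(output: str) -> dict:
    """Parse the MULTIFACTOR AUTHENTICATION INFORMATION block of LISTUSER
    output into {factor: {"status": str, "tags": [str, ...]}}.  Only the
    layout shown in this topic is assumed."""
    factors, current, in_tags = {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("FACTOR ="):
            current = line.split("=", 1)[1].strip()
            factors[current] = {"status": None, "tags": []}
            in_tags = False
        elif current and line.startswith("STATUS ="):
            factors[current]["status"] = line.split("=", 1)[1].strip()
            in_tags = False
        elif current and line.startswith("FACTOR TAGS"):
            in_tags = True
        elif current and in_tags and line:
            # Assumed: a blank after a comma is display wrapping, not part
            # of the DN, so it is collapsed before comparison.
            factors[current]["tags"].append(re.sub(r",\s+", ",", line))
    return factors


def verify_user(output: str, expected_dn: str, expected_status: str = "ACTIVE") -> bool:
    """True if LISTUSER output shows AZFLDAP1 with the expected status
    and the expected DN tag."""
    info = parse_listuser_mfa(output).get(FACTOR)
    return (info is not None and info["status"] == expected_status
            and f"DN:{check_dn(expected_dn)}" in info["tags"])


# Constructed sample LISTUSER output (modelled on step 3, not captured
# from a real system), including a wrapped tag line.
SAMPLE_LISTUSER = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
 FACTOR = AZFLDAP1
  STATUS = ACTIVE
  FACTOR TAGS =
    DN:CN=J User,OU=Users,OU=Company Offices, DC=companyname,DC=com
"""

if __name__ == "__main__":
    dn = "CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com"
    print(build_alu_command("juser", dn))
    print(build_alu_command("juser", dn, activate=False))
    print(build_status_command("juser", True))
    print(build_status_command("juser", False))
    print("verified:", verify_user(SAMPLE_LISTUSER, dn))
```

The generated command is one line; if you paste it into a TSO session that wraps long input, split it yourself and continue each line with a trailing hyphen or plus sign. The parser is deliberately strict about the AZFLDAP1 block only, so it will not silently report success for a profile that lists a different factor.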