Configure LDAP

You must configure the LDAP settings for the AZFLDAP1 authentication load module so that IBM MFA can authenticate users against your LDAP server over TLS.

Before you begin

You must have already configured an AT-TLS profile, as described in Configure an AT-TLS profile. This procedure builds upon that existing profile by defining an AT-TLS outbound rule.

About this task

Configuration data for LDAP is stored in the RACF® database. The LDAP configuration data include settings related to the AZFLDAP1 authentication load module.

Procedure

  1. Configure an AT-TLS outbound rule for LDAP. The rule must allow the IBM MFA services AZF#IN00 started task to negotiate the client side of a server-authentication TLS connection with the LDAP server, so the HandshakeRole is Client and the key ring used by the started task must contain the CA certificate that signed the LDAP server's certificate.
    Note: The code fragment is for example purposes only and is not complete. See SYS1.SAZFSAMP(AZFTTLSX) for a sample of connecting to a secure LDAP port.
    # Outbound rule: match connections from the AZF* started tasks to the LDAP port
    TTLSRule AZFClientRule
    {
      Jobname                         AZF*
      LocalAddr                       ALL
      RemoteAddr                      ALL
      RemotePortRange                 ?outboundPort?
      Direction                       Outbound
      Priority                        255
      TTLSEnvironmentActionRef        eActAZFClient
      TTLSGroupActionRef              AZFGroupAction1
      TTLSConnectionActionRef         AZFConnAction1
    }

    TTLSConnectionAction AZFConnAction1
    {
      TTLSCipherParmsRef              AZFCipherParms
      TTLSConnectionAdvancedParmsRef  AZFConnAdvParms1
      # Do not write decrypted application data to CTRACE
      CtraceClearText                 Off
      # 255 enables all AT-TLS trace levels; use while testing, reduce for production
      Trace                           255
    }
    :
    :
  2. Execute AZFEXEC and choose AZFLDAP1.
  3. Provide the following:
    Table 1. AZFLDAP1 Factor Attributes

    Primary Server Host Name
      Allowed values: Valid host name or IP address
      Description: The hostname (or IP address) of the primary LDAP server. The hostname must be sufficiently qualified that it can be resolved from the z/OS system where the IBM MFA services started task runs.

    Primary Server Port
      Allowed values: Valid port number
      Description: The port number on the primary LDAP server used for authentication. Default: 636.

    Secondary Server Host Name
      Allowed values: Valid host name or IP address
      Description: The hostname (or IP address) of the secondary LDAP server. Required only if you have multiple servers. The hostname must be sufficiently qualified that it can be resolved from the z/OS system where the IBM MFA services started task runs. Default: blank.

    Secondary Server Port
      Allowed values: Valid port number
      Description: The port number on the secondary LDAP server used for authentication. Required only if you have multiple servers. Default: 0.

    Tertiary Server Host Name
      Allowed values: Valid host name or IP address
      Description: The hostname (or IP address) of the tertiary LDAP server. Required only if you have multiple servers. The hostname must be sufficiently qualified that it can be resolved from the z/OS system where the IBM MFA services started task runs. Default: blank.

    Tertiary Server Port
      Allowed values: Valid port number
      Description: The port number on the tertiary LDAP server used for authentication. Required only if you have multiple servers. Default: 0.

    Timeout
      Allowed values: Number of seconds, from 1 through 180
      Description: The number of seconds to wait for a response from a server before a retry occurs. Default: 3.

    Initial Trace Level
      Allowed values: 0 through 3
      Description: The trace level for events within the AZFLDAP1 plug-in; a higher number increases verbosity. Default: 0.
  4. If AZFLDAP1 is to be used as part of a compound in-band authentication policy, see Configure IBM MFA Compound In-Band.
  5. Press F3 to save your changes and exit.
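The following is a complete AT-TLS policy that the fragment in step 1 could expand into, added here as an example. It is not the contents of SYS1.SAZFSAMP(AZFTTLSX) and not an IBM sample. It assumes an LDAPS port of 636, a RACF key ring named AZFRING owned by the user ID of the AZF#IN00 started task, holding the CA certificate that signed the LDAP server's certificate, and the statement names shown (AZFGroupAction1, eActAZFClient, AZFKeyring, AZFEnvAdvParms, AZFConnAction1, AZFConnAdvParms1, AZFCipherParms); all of these are assumptions to be adjusted for your environment.

```text
# Added example policy; names, port and key ring are assumptions, not IBM-supplied values.

# Outbound connections from the AZF* started tasks to the LDAPS port (assumed 636)
TTLSRule AZFClientRule
{
  Jobname                          AZF*
  LocalAddr                        ALL
  RemoteAddr                       ALL
  RemotePortRange                  636
  Direction                        Outbound
  Priority                         255
  TTLSGroupActionRef               AZFGroupAction1
  TTLSEnvironmentActionRef         eActAZFClient
  TTLSConnectionActionRef          AZFConnAction1
}

TTLSGroupAction AZFGroupAction1
{
  TTLSEnabled                      On
  Trace                            2
}

# Client side of a server-authentication handshake: the LDAP server's
# certificate chain must validate against the CA certificate in the key ring.
TTLSEnvironmentAction eActAZFClient
{
  HandshakeRole                    Client
  TTLSKeyringParmsRef              AZFKeyring
  TTLSEnvironmentAdvancedParmsRef  AZFEnvAdvParms
}

# Key ring owned by the AZF#IN00 started task user ID (assumed name)
TTLSKeyringParms AZFKeyring
{
  Keyring                          AZFRING
}

# Allow only TLS 1.2; disable legacy protocol versions
TTLSEnvironmentAdvancedParms AZFEnvAdvParms
{
  TLSv1.2                          On
  TLSv1.1                          Off
  TLSv1                            Off
  SSLv3                            Off
}

TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef               AZFCipherParms
  TTLSConnectionAdvancedParmsRef   AZFConnAdvParms1
  # Never write decrypted application data to CTRACE
  CtraceClearText                  Off
  # Trace 2 logs errors and informational messages; raise to 255 only while debugging
  Trace                            2
}

TTLSConnectionAdvancedParms AZFConnAdvParms1
{
  ApplicationControlled            Off
  SecondaryMap                     Off
}

# Forward-secret AEAD suites first; the last entry is a fallback for older LDAP servers
TTLSCipherParms AZFCipherParms
{
  V3CipherSuites                   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                   TLS_RSA_WITH_AES_256_GCM_SHA384
}
```

Because HandshakeRole is Client with no client certificate, the only trust decision AT-TLS makes is whether the LDAP server's certificate chains to a CA certificate connected to the key ring; if the chain does not validate, the connection fails before any bind is attempted. Check the AZF#IN00 started task output for the System SSL return code if authentication requests time out after activating the policy, and keep Trace at a low value once the connection is working so that handshake details are not logged routinely.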