Native authentication

The z/OS LDAP server can authenticate to the Security Server through the TDBM, LDBM, or CDBM backends when a Security Server password or password phrase is specified on a simple bind to the backend. The LDAP server still gathers authorization information based on the DN that performed the bind operation. The LDAP entry that contains the bind DN should contain either the ibm-nativeId or uid attribute to specify the Security Server ID that is associated with this entry. The ID and the password or password phrase are passed to the Security Server, which performs the verification. Native authentication also lets you change your password or password phrase on the Security Server by issuing an LDAP modify command.
Note:
  1. The SDBM backend does not have to be configured in order to use native authentication.
  2. After a successful native authentication bind, the bound user can send LDAP requests to any of the configured backends. If SDBM is configured, SDBM operations are performed under the context of the Security Server ID that was used during the native authentication bind. For all other backends, LDAP operations are performed using the normal bind information (the bind DN and the groups to which it belongs).
  3. The use of RACF® passtickets is supported by the z/OS LDAP server when using native authentication. The job name associated with the LDAP server started task should be used as the application name when generating RACF passtickets. See z/OS Security Server RACF Macros and Interfaces for more information about RACF passtickets.
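The following Python audit is an added example, not IBM's code. It reads an LDIF export and reports, for each entry, which Security Server ID a native authentication bind would map to through ibm-nativeId or uid, or why the entry is not ready. The sample entries are constructed, and two rules are assumptions of this example rather than statements from this page: ibm-nativeId is preferred when both attributes are present, and a multi-valued attribute is treated as an ambiguous mapping.

```python
RACF_ID_MAX = 8  # RACF user IDs are at most 8 characters
# Constructed sample export; every DN and ID below is made up.
SAMPLE_LDIF = """\
dn: cn=Alice,o=example
ibm-nativeId: ALICE01
uid: alice.long.name

dn: cn=Bob,o=example
uid: BOB

dn: cn=Carol,o=example

dn: cn=Dave,o=example
uid: DAVE1
uid: DAVE2
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of (dn, {attr: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuations
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries

def native_id(attrs):
    """Return (id, problem). Assumed rule: ibm-nativeId is preferred over uid."""
    for attr in ("ibm-nativeid", "uid"):
        values = attrs.get(attr)
        if not values:
            continue
        if len(values) > 1:
            return None, f"{attr} has {len(values)} values (ambiguous mapping)"
        if len(values[0]) > RACF_ID_MAX:
            return None, f"{attr} value is longer than {RACF_ID_MAX} characters"
        return values[0], None
    return None, "no ibm-nativeId or uid, so no Security Server ID to verify"

def audit(text):
    return {dn: native_id(attrs) for dn, attrs in parse_ldif(text)}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Entries reported with a problem are the ones to fix before users are expected to bind with their Security Server password or password phrase.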