Defining participation in native authentication

This section describes the configuration options that control native authentication.

The main configuration option, useNativeAuth, can be set to selected, all, or off. If you want all entries in a certain subtree to participate in native authentication, choose all for this option. If only specific entries in those subtrees should be subject to native authentication, choose selected. When selected is used, only entries with the ibm-nativeId attribute are subject to native authentication.

Next, consider what portions of your directory should have the ability to participate in native authentication. If the entire directory should participate, then set the nativeAuthSubtree configuration option to all. If there are different subtrees in your directory which contain entries that need to bind natively or perform native password or password phrase modifications, then you must list all the subtrees with multiple nativeAuthSubtree configuration options.
Note: If the DN that is listed in the nativeAuthSubtree options contains a space character in it, then the entire DN must be enclosed in quotes in the LDAP server configuration file.

In order for an entry to bind natively or perform a native password or password phrase modify, that entry must contain a mapping to the Security Server identity that is associated with the user. This can be accomplished by using either the ibm-nativeId attribute or the uid attribute. If your directory entries already contain a single-valued uid attribute (which holds the Security Server user ID), then these entries are already configured for native authentication if you plan on using the useNativeAuth all option. If you do not plan on using uid values for mapping, then you can specify the ibm-nativeId attribute for your Security Server ID associations; this attribute is used with either selected or all specified for the useNativeAuth option. If both the ibm-nativeId and uid attributes exist in an entry, the ibm-nativeId value is used. The user ID specified by either the uid or ibm-nativeId attribute must contain a valid OMVS segment with an OMVS UID value in the Security Server.

If a native entry has an existing userPassword attribute value because it was originally created under a non-native authentication subtree, and the Security Server identity that is specified has not yet been defined in the Security Server, the LDAP server attempts an LDAP simple bind. Similarly, if a Security Server identity is defined but it does not contain an OMVS segment, the LDAP server attempts an LDAP simple bind.

If you use the useNativeAuth option, also specify the nativeUpdateAllowed option to enable native password or password phrase changes in the Security Server to occur through the TDBM, LDBM, or CDBM backend.

An entry that is participating in native authentication cannot normally contain the userPassword attribute. An LDAP add request of an entry that contains a userPassword attribute value fails. An LDAP modify request that enables an entry for native authentication removes any existing userPassword attribute values for the entry.
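The participation, mapping, and fallback rules above, as an added example that is not IBM's code: a small model that decides how the server would bind a given entry. The configuration keys and values are the ones this section names (useNativeAuth, nativeAuthSubtree); the entries and the Security Server table are constructed sample data.

```python
# Added example, not IBM's code. Entries and the Security Server table are
# constructed; the config keys and values are those described in the text.

def in_subtree(dn, subtree):
    """True if dn equals subtree or lies below it (case-insensitive RDN match)."""
    norm = lambda s: [rdn.strip().lower() for rdn in s.split(",")]
    d, s = norm(dn), norm(subtree)
    return len(d) >= len(s) and d[-len(s):] == s

def mapped_userid(entry, mode):
    """Security Server ID the entry maps to, or None if there is no usable mapping.
    ibm-nativeId takes precedence; uid counts only with useNativeAuth all,
    and only when it is single-valued."""
    if entry.get("ibm-nativeId"):
        return entry["ibm-nativeId"]
    uid = entry.get("uid")
    if mode == "all" and isinstance(uid, str):
        return uid
    return None

def participates(entry, config):
    """True if the entry is subject to native authentication under this config."""
    mode = config.get("useNativeAuth", "off")
    subtrees = config.get("nativeAuthSubtree", [])
    covered = "all" in subtrees or any(in_subtree(entry["dn"], s) for s in subtrees)
    return mode != "off" and covered and mapped_userid(entry, mode) is not None

def bind_method(entry, config, security_server):
    """'native' (checked by the Security Server) or 'simple' (userPassword compare)."""
    if not participates(entry, config):
        return "simple"
    rec = security_server.get(mapped_userid(entry, config["useNativeAuth"]))
    # ID not yet defined, or defined without an OMVS segment/UID: the server
    # falls back to a simple bind, which only works if userPassword is present.
    if rec is None or rec.get("omvs_uid") is None:
        return "simple"
    return "native"

def add_rejected(entry, config):
    """An add of a natively authenticating entry that carries userPassword fails."""
    return "userPassword" in entry and participates(entry, config)

SAMPLE_CONFIG = {"useNativeAuth": "selected",
                 "nativeAuthSubtree": ["ou=people, o=Your Company"]}
SAMPLE_SECURITY_SERVER = {"JSMITH": {"omvs_uid": 1001},   # has an OMVS segment
                          "NOOMVS": {"omvs_uid": None}}   # no OMVS segment
```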