Native LDAP with z/OS RACF

You can use IBM's Resource Access Control Facility (RACF) to manage access profiles and services for Lightweight Directory Access Protocol (LDAP) in a System z environment, including a host attached to a TS7700.

The RACF security server functions as a layer in the operating system to verify user authentication and authorization to system resources. RACF provides:
  • Identification, classification, and protection of assets.
  • Control of access to protected assets.
  • User authentication through identification and verification of user IDs and passwords.
  • User authorization through maintenance of access rights to protected resources.
  • Access audits by logging instances of access to protected assets.
RACF applies security policies by file and file type, so the same policy covers both existing files and files created later.
While RACF can address all secure-access needs for System z servers and operating systems, it provides no direct interface that external storage devices could use to tie into it. When RACF is connected to an LDAP server through a Secured Database Manager (SDBM), the LDAP server can provide access to the user and group information stored in RACF; the SDBM acts as an LDAP front end for the RACF database. You can use SDBM with RACF and an LDAP server to:
  • Add users and groups to RACF.
  • Add users to groups.
  • Modify RACF user and group information.
  • Retrieve RACF user and group information.
  • Delete users and groups from RACF.
  • Remove users from groups.
  • Retrieve a RACF user password.
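The operations in the list above, as an added example that is not IBM's code or part of the original page: a small Python helper that builds the LDIF change records an LDAP client would send to a z/OS LDAP server whose SDBM backend fronts the RACF database, plus a DN parser for reading back which RACF profile a request touched (handy when reviewing LDAP server logs). Every name in it is an assumption to check against your own server's SDBM configuration and schema: the suffix `cn=myRacf`, the RACF IDs `USER1`/`GRP1`, and the DN and attribute layout (`racfid=<ID>,profiletype=<user|group>,<suffix>`, `racfuserid=<U>+racfgroupid=<G>,profiletype=connect,<suffix>`, object classes `racfuser`/`racfgroup`/`racfconnect`). Password retrieval is not modelled, since it depends on how password enveloping is configured in RACF.

```python
# Added example, not IBM's or the page's own code. Builds LDIF for the SDBM
# operations listed above. ASSUMPTIONS (verify against your z/OS LDAP server):
# the SDBM suffix cn=myRacf, the sample RACF IDs, and the DN/attribute layout
#   racfid=<ID>,profiletype=<user|group>,<suffix>
#   racfuserid=<U>+racfgroupid=<G>,profiletype=connect,<suffix>
from typing import Dict, List

SDBM_SUFFIX = "cn=myRacf"  # assumed suffix configured for the SDBM backend


def user_dn(racf_id: str, suffix: str = SDBM_SUFFIX) -> str:
    """DN under which SDBM exposes a RACF user profile (RACF IDs are upper case)."""
    return f"racfid={racf_id.upper()},profiletype=user,{suffix}"


def group_dn(racf_id: str, suffix: str = SDBM_SUFFIX) -> str:
    """DN under which SDBM exposes a RACF group profile."""
    return f"racfid={racf_id.upper()},profiletype=group,{suffix}"


def connect_dn(user_id: str, group_id: str, suffix: str = SDBM_SUFFIX) -> str:
    """DN of the entry recording a user's connection to a group (assumed layout)."""
    return (f"racfuserid={user_id.upper()}+racfgroupid={group_id.upper()},"
            f"profiletype=connect,{suffix}")


def _ldif(dn: str, changetype: str, lines: List[str]) -> str:
    """Render one LDIF change record; records are separated by a blank line."""
    return "\n".join([f"dn: {dn}", f"changetype: {changetype}", *lines]) + "\n\n"


def add_user(racf_id: str, owner: str, default_group: str, name: str) -> str:
    """Add a RACF user; every RACF user profile has an owner and a default group."""
    return _ldif(user_dn(racf_id), "add", [
        "objectclass: racfuser",                  # assumed SDBM object class
        f"racfid: {racf_id.upper()}",
        f"racfowner: {owner.upper()}",
        f"racfdefaultgroup: {default_group.upper()}",
        f"racfprogrammername: {name}",
    ])


def add_group(racf_id: str, owner: str, superior_group: str) -> str:
    """Add a RACF group beneath an existing superior group."""
    return _ldif(group_dn(racf_id), "add", [
        "objectclass: racfgroup",                 # assumed SDBM object class
        f"racfid: {racf_id.upper()}",
        f"racfowner: {owner.upper()}",
        f"racfsuperiorgroup: {superior_group.upper()}",
    ])


def connect_user(user_id: str, group_id: str) -> str:
    """Add a user to a group by creating the connection entry."""
    return _ldif(connect_dn(user_id, group_id), "add", [
        "objectclass: racfconnect",               # assumed SDBM object class
        f"racfuserid: {user_id.upper()}",
        f"racfgroupid: {group_id.upper()}",
    ])


def modify_user(racf_id: str, attribute: str, value: str) -> str:
    """Replace one attribute of a RACF user (LDIF 'modify' with 'replace')."""
    return _ldif(user_dn(racf_id), "modify", [f"replace: {attribute}",
                                               f"{attribute}: {value}", "-"])


def delete_entry(dn: str) -> str:
    """Delete a user, a group, or a connection entry (removes user from group)."""
    return _ldif(dn, "delete", [])


def retrieve_user(racf_id: str) -> Dict[str, str]:
    """Search parameters for reading one user entry back (base-scope search)."""
    return {"base": user_dn(racf_id), "scope": "base", "filter": "(objectclass=*)"}


def parse_sdbm_dn(dn: str) -> Dict[str, str]:
    """Break an SDBM DN into its profile type and RACF identifiers.

    The first RDN may be multi-valued (user+group for a connection entry), so it
    is split on '+'; the profiletype RDN tells which kind of profile was touched.
    """
    rdns = [r.strip() for r in dn.split(",")]
    parsed: Dict[str, str] = {}
    for part in rdns[0].split("+"):
        key, _, value = part.partition("=")
        parsed[key.strip().lower()] = value.strip().upper()
    for rdn in rdns[1:]:
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "profiletype":
            parsed["profiletype"] = value.strip().lower()
    return parsed


if __name__ == "__main__":
    # Constructed sample run: the full LDIF a client would feed to ldapmodify.
    print(add_group("grp1", "sys1", "sys1"), end="")
    print(add_user("user1", "sys1", "grp1", "TS7700 LDAP BIND ID"), end="")
    print(connect_user("user1", "grp1"), end="")
    print(parse_sdbm_dn(connect_dn("user1", "grp1")))
```

The records are plain LDIF, so they can be piped to any LDAP client that accepts `changetype` records; the `parse_sdbm_dn` helper goes the other way and is the piece a reviewer of LDAP access logs would reach for, since the DN alone reveals whether a client was reading user profiles, changing group membership, or deleting entries.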