List: racf-l
Subject: Re: Restrict system access question
From: Elardus Engelbrecht <elardus.engelbrecht () SITA ! CO ! ZA>
Date: 2017-07-30 13:16:20
Message-ID: 5313464362014057.WA.elardus.engelbrechtsita.co.za () listserv ! uga ! edu
Mark Jacobs wrote:
> Thanks for this information. It doesn't look like the LDAP server uses the terminal class for checking access. It's letting the userid in, whereas when I attempt to logon to TSO using it, ...
Besides other good replies you got from others, I also have [at least] three different ids for LDAP server:
Note 1: I am NOT using terminal access at all.
Note 2: No System Special or Group Special ids are used at all! I will create ids as needed, I don't let other things create ids. Rulez and regulationz of course! ( sic ;-D )
Note 3: We have a custom written self-help website "portal" which is using my LDAP server to reset RACF ids after comprehensive background tests were completed. The users are identifying themselves with their credentials including RACF id so their ids can be reset when needed.
1. id for LDAP STC - access to own datasets and FACILITY profiles:
BPX.CONSOLE
BPX.DAEMON
BPX.SERVER
BPX.WLMSERVER
IRR.DIGTCERT.LIST
IRR.DIGTCERT.LISTRING
IRR.RAUDITX
IRR.RUSERMAP
Not all profiles are needed, but for us, yes, they are needed.
2. In LDAP config this:
adminDN "racfid=< id ???>,profiletype=user,o=???"
sslAuth serverAuth
sslCertificate <self-signed cert>
sslCipherSpecs <whatever>
sslKeyRingFile <keyring>
#listen ldap://:389 <--- that is a comment line
listen ldaps://:<port nr>
3. Then I have several [RESTRICTED] ids used by the portal to reset other RACF ids which have access to these:
FACILITY - IRR.PWRESET.OWNER.????
PROGRAM - **
> ... I'm failing as expected.
I also have some group special persons [using TSO] in case these users can't properly identify themselves on that portal.
HTH!
Groete / Greetings
Elardus Engelbrecht
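The setup described in items 1 and 3 above, written out as RACF commands in a TSO CLIST (added example, not from the post or from IBM). The ids LDAPSRV and PORTAL01, the groups STCGRP, PORTLGRP and USERADM, the OMVS values and the access levels are assumptions; check the required access levels against the IBM documentation for your LDAP server release.

```tso
/* Protected STC id for the LDAP server: no SPECIAL, no password (Note 2).     */
ADDUSER LDAPSRV NAME('LDAP SERVER STC') OWNER(SYS1) DFLTGRP(STCGRP) NOPASSWORD -
  OMVS(UID(<uid>) HOME('/var/ldap') PROGRAM('/bin/sh'))
RDEFINE STARTED LDAPSRV.* STDATA(USER(LDAPSRV) GROUP(STCGRP) TRUSTED(NO) PRIVILEGED(NO))

/* FACILITY profiles from item 1, UACC(NONE) so only the STC id gets access.    */
/* Access levels are an assumption: READ for most, UPDATE for BPX.SERVER.        */
RDEFINE FACILITY BPX.CONSOLE           UACC(NONE)
RDEFINE FACILITY BPX.DAEMON            UACC(NONE)
RDEFINE FACILITY BPX.SERVER            UACC(NONE)
RDEFINE FACILITY BPX.WLMSERVER         UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.RAUDITX           UACC(NONE)
RDEFINE FACILITY IRR.RUSERMAP          UACC(NONE)
PERMIT BPX.CONSOLE           CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT BPX.DAEMON            CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT BPX.SERVER            CLASS(FACILITY) ID(LDAPSRV) ACCESS(UPDATE)
PERMIT BPX.WLMSERVER         CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT IRR.RAUDITX           CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)
PERMIT IRR.RUSERMAP          CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)

/* Item 3: a RESTRICTED id for the portal. RESTRICTED ids get nothing from       */
/* UACC, ID(*) or global access checking, so every access must be an explicit    */
/* PERMIT, including PROGRAM ** which other users normally get through UACC.     */
ADDUSER PORTAL01 NAME('PORTAL PW RESET') OWNER(SYS1) DFLTGRP(PORTLGRP) RESTRICTED -
  PASSWORD(<initial>)
/* Reset authority is scoped to ids owned by USERADM (assumed owning group).     */
RDEFINE FACILITY IRR.PWRESET.OWNER.USERADM UACC(NONE)
PERMIT IRR.PWRESET.OWNER.USERADM CLASS(FACILITY) ID(PORTAL01) ACCESS(READ)
PERMIT ** CLASS(PROGRAM) ID(PORTAL01) ACCESS(READ)

/* Activate the changes in the RACLISTed classes and the PROGRAM class.          */
SETROPTS RACLIST(FACILITY STARTED) REFRESH
SETROPTS WHEN(PROGRAM) REFRESH
```

A RESTRICTED id that is missing any one of these explicit PERMITs fails closed, which is the point of using it for the portal rather than a Group Special id.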