
List:       racf-l
Subject:    Re: Restrict system access question
From:       Elardus Engelbrecht <elardus.engelbrecht () SITA ! CO ! ZA>
Date:       2017-07-30 13:16:20
Message-ID: 5313464362014057.WA.elardus.engelbrechtsita.co.za () listserv ! uga ! edu

Mark Jacobs wrote:

> Thanks for this information. It doesn't look like the LDAP server uses the terminal
> class for checking access. It's letting the userid in, whereas when I attempt to
> logon to TSO using it, ...

Besides other good replies you got from others, I also have [at least] three
different ids for LDAP server:

Note 1: I am NOT using terminal access at all.

Note 2: No System Special or Group Special ids are used at all! I will create ids as
needed, I don't let other things create ids. Rulez and regulationz of course! (sic ;-D)

Note 3: We have a custom written selfhelp website "portal" which is using my LDAP
server to reset RACF ids after comprehensive background tests were completed. The
users are identifying themselves with their credentials including RACF id so their
ids can be reset when needed.


1. id for LDAP STC - access to own datasets and FACILITY profiles:

BPX.CONSOLE
BPX.DAEMON
BPX.SERVER
BPX.WLMSERVER
IRR.DIGTCERT.LIST
IRR.DIGTCERT.LISTRING
IRR.RAUDITX
IRR.RUSERMAP

Not all profiles are needed, but for us, yes, they are needed.


2. In LDAP config this:

adminDN "racfid=< id ???>,profiletype=user,o=???"
sslAuth serverAuth
sslCertificate <self-signed cert>
sslCipherSpecs <whatever>
sslKeyRingFile <keyring>

#listen ldap://:389     <--- that is a comment line
listen ldaps://:<port nr>


3. Then I have several [RESTRICTED] ids used by the portal to reset other RACF ids,
which have access to these:

FACILITY - IRR.PWRESET.OWNER.????
PROGRAM - **


> ...  I'm failing as expected.

I have also some group special persons [using TSO] in case these users can't properly
identify themselves on that portal.


HTH!

Groete / Greetings
Elardus Engelbrecht
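As an added example, not Elardus' own procedure and not code from the original post: the RACF definitions that correspond to the three kinds of ids described above, written as a REXX exec that issues the commands under TSO. Every name in it (LDAPSRV, STCGRP, GLDSRV, PRTRST1, PORTGRP, HRGRP, SYSADM, the UID, the home path and the temporary password) is a placeholder; the STARTED class mapping, the existence of a ** profile in the PROGRAM class and the READ access levels are assumptions to be checked against your own installation and the RACF Security Administrator's Guide; and IRR.PWRESET.OWNER.HRGRP stands in for the IRR.PWRESET.OWNER.???? profile in the post.

```rexx
/* REXX - define the three kinds of RACF ids from the post.            */
/* Added example; all ids, groups, UID, path, port and password below  */
/* are placeholders, and the access levels are assumptions.            */
address TSO

/* 1. Non-person id for the LDAP started task. NOPASSWORD means nobody */
/*    can log on with it; the OMVS segment is needed because the       */
/*    server runs under USS.                                           */
"ADDUSER LDAPSRV NAME('LDAP SERVER STC') OWNER(SYSADM) DFLTGRP(STCGRP)",
  "NOPASSWORD OMVS(UID(4242) HOME('/var/ldap') PROGRAM('/bin/sh'))"

/* Map the started task procedure to that id (STARTED class is an      */
/* assumption; the post does not show how the STC picks up its id).    */
"RDEFINE STARTED GLDSRV.* STDATA(USER(LDAPSRV) GROUP(STCGRP)",
  "TRUSTED(NO) PRIVILEGED(NO))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* Grant only the FACILITY profiles the post lists. READ is assumed;   */
/* raise a level only where the server demonstrably needs it.          */
/* RDEFINE on an already existing profile just returns a message.      */
facprofs = 'BPX.CONSOLE BPX.DAEMON BPX.SERVER BPX.WLMSERVER',
           'IRR.DIGTCERT.LIST IRR.DIGTCERT.LISTRING',
           'IRR.RAUDITX IRR.RUSERMAP'
do i = 1 to words(facprofs)
  prof = word(facprofs, i)
  "RDEFINE FACILITY" prof "UACC(NONE)"
  "PERMIT" prof "CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)"
end

/* 3. A RESTRICTED id the portal binds with to reset passwords of      */
/*    users owned by HRGRP. RESTRICTED ids get nothing through UACC,   */
/*    ID(*) or the global access table, so every resource has to be    */
/*    PERMITted explicitly; that is why the post also gives them       */
/*    access to PROGRAM **. No SPECIAL or group-SPECIAL is involved.   */
"ADDUSER PRTRST1 NAME('PORTAL RESET ID') OWNER(SYSADM) DFLTGRP(PORTGRP)",
  "RESTRICTED PASSWORD(TEMP1234)"      /* placeholder, set properly later */
"RDEFINE FACILITY IRR.PWRESET.OWNER.HRGRP UACC(NONE)"
"PERMIT IRR.PWRESET.OWNER.HRGRP CLASS(FACILITY) ID(PRTRST1) ACCESS(READ)"
"PERMIT ** CLASS(PROGRAM) ID(PRTRST1) ACCESS(READ)"   /* ** assumed to exist */

/* Activate the changes and list what was granted, for review.         */
"SETROPTS RACLIST(FACILITY) REFRESH"
"SETROPTS WHEN(PROGRAM) REFRESH"
"RLIST FACILITY IRR.PWRESET.OWNER.HRGRP AUTHUSER"
"LISTUSER PRTRST1"
"LISTUSER LDAPSRV OMVS"
exit 0
```

The RLIST with AUTHUSER at the end is the check worth keeping: it shows exactly which ids can reset passwords for that owner, which is the whole point of the RESTRICTED-id approach instead of handing the portal a SPECIAL id.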


