
List:       racf-l
Subject:    Re: BPX Permissions for the LDAP Server  (was: Restrict system access question)
From:       "Robert S. Hansel (RSH)" <R.Hansel () RSHCONSULTING ! COM>
Date:       2017-07-31 11:03:52
Message-ID: 001001d309ec$b231b410$16951c30$ () rshconsulting ! com

Hi Elardus,

I am curious as to what prompted you to give the LDAP server access to BPX.CONSOLE and BPX.DAEMON. I have not found mention of the need for them in the LDAP manual.

Regards, Bob

***  Why waste valuable time traveling to a 'free' conference when you
***  can obtain the same education via our WebEx-based RACF training
***  for less than you will spend on travel costs.

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.                 *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
----------------------------------------------------------------------------
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 11-15, 2017
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017
----------------------------------------------------------------------------


-----Original Message-----
Date:    Sun, 30 Jul 2017 09:16:20 -0400
From:    Elardus Engelbrecht <elardus.engelbrecht@SITA.CO.ZA>
Subject: Re: Restrict system access question

Mark Jacobs wrote:

> Thanks for this information. It doesn't look like the LDAP server uses the terminal class for checking access. It's letting the userid in, whereas when I attempt to logon to TSO using it, ...

Besides other good replies you got from others, I also have [at least] three different ids for LDAP server:

Note 1: I am NOT using terminal access at all.

Note 2: No System Special or Group Special ids are used at all! I will create ids as needed; I don't let other things create ids. Rulez and regulationz of course! ( sic ;-D )

Note 3: We have a custom written selfhelp website "portal" which is using my LDAP server to reset RACF ids after comprehensive background tests were completed. The users are identifying themselves with their credentials including RACF id so their ids can be reset when needed.


1. id for LDAP STC - access to own datasets and FACILITY profiles:

BPX.CONSOLE          
BPX.DAEMON           
BPX.SERVER           
BPX.WLMSERVER        
IRR.DIGTCERT.LIST    
IRR.DIGTCERT.LISTRING
IRR.RAUDITX          
IRR.RUSERMAP         

Not all profiles are needed, but for us, yes, they are needed.


2. In LDAP config this:

adminDN "racfid=< id ???>,profiletype=user,o=???"
sslAuth serverAuth
sslCertificate <self-signed cert>
sslCipherSpecs <whatever>
sslKeyRingFile <keyring>

#listen ldap://:389     <--- that is a comment line
listen ldaps://:<port nr>


3. Then I have several [RESTRICTED] ids used by the portal to reset other RACF ids which have access to these:

FACILITY - IRR.PWRESET.OWNER.????
PROGRAM - **


> ...  I'm failing as expected.

I have also some group special persons [using TSO] in case these users can't properly identify themselves on that portal.


HTH!

Groete / Greetings
Elardus Engelbrecht
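The id split Elardus describes (a protected, RESTRICTED started-task id with READ on a fixed set of FACILITY profiles, and separate RESTRICTED portal ids limited to IRR.PWRESET.OWNER) written out as the RACF commands an administrator would issue from a REXX exec. This is an added example, not code from either post; LDAPSRV, LDAPGRP, PORTAL1, the UID, the home directory and the OWNERX suffix are placeholders. BPX.CONSOLE and BPX.DAEMON are deliberately not granted here, following Bob's question; the exec only reports who already holds them.

```rexx
/* REXX: least-privilege RACF setup for an LDAP server STC and a  */
/* password-reset portal id. All names below are placeholders.    */
address TSO

/* 1. Started-task id: protected (no password/phrase, so it cannot */
/*    be logged on to), RESTRICTED (UACC and ID(*) never apply),   */
/*    with the OMVS segment the LDAP server needs.                 */
"ADDUSER LDAPSRV NAME('LDAP SERVER STC') OWNER(LDAPGRP) DFLTGRP(LDAPGRP)",
  "NOPASSWORD NOPHRASE RESTRICTED",
  "OMVS(UID(1234) HOME('/var/ldap') PROGRAM('/bin/sh'))"
"RDEFINE STARTED LDAPSRV.* STDATA(USER(LDAPSRV) GROUP(LDAPGRP))"

/* FACILITY profiles from item 1, minus the two BPX.* profiles Bob  */
/* asked about. Each is UACC(NONE), audited, READ for the STC only. */
facs = "BPX.SERVER BPX.WLMSERVER IRR.DIGTCERT.LIST IRR.DIGTCERT.LISTRING",
       "IRR.RAUDITX IRR.RUSERMAP"
do i = 1 to words(facs)
  p = word(facs, i)
  "RDEFINE FACILITY" p "UACC(NONE) AUDIT(ALL(READ))"
  "PERMIT" p "CLASS(FACILITY) ID(LDAPSRV) ACCESS(READ)"
end

/* 2. Portal id (item 3): RESTRICTED, and only able to reset       */
/*    passwords of users owned by OWNERX. Initial password is set  */
/*    separately, not in this exec.                                */
"ADDUSER PORTAL1 NAME('PW RESET PORTAL') OWNER(LDAPGRP) DFLTGRP(LDAPGRP)",
  "RESTRICTED"
"RDEFINE FACILITY IRR.PWRESET.OWNER.OWNERX UACC(NONE) AUDIT(ALL(READ))"
"PERMIT IRR.PWRESET.OWNER.OWNERX CLASS(FACILITY) ID(PORTAL1) ACCESS(READ)"

/* 3. Activate the changes in the RACLISTed classes */
"SETROPTS RACLIST(FACILITY) REFRESH"
"SETROPTS RACLIST(STARTED) REFRESH"

/* 4. Review only: BPX.DAEMON lets a process change identity        */
/*    without a password and BPX.CONSOLE allows console commands,  */
/*    so list who holds them before granting either to a new STC.  */
"RLIST FACILITY BPX.DAEMON AUTHUSER"
"RLIST FACILITY BPX.CONSOLE AUTHUSER"
exit 0
```

Run the exec under TSO with an id that has the authority to define the profiles; RDEFINE fails with a message if a profile already exists, which is harmless but worth reading in the output.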

