(ZOS) Configuring a secure LDAP user registry using Resource Access Control Facility on z/OS
We can secure the application server by configuring Lightweight Directory Access Protocol (LDAP) on z/OS with an existing Resource Access Control Facility (RACF) back end. This integrates the native z/OS security settings defined in RACF with the WebSphere Application Server security environment.
The following requirements exist when implementing these steps:
- We must have an LDAP server configured with RACF on z/OS. See the z/OS Internet Library for more information about this configuration.
- We must use LDAP on z/OS v1r3 or higher. For v1r3 or v1r4, we must apply APAR 0A03857 - PTF UA06622 before following these steps.
- The user logs in to WebSphere security with a RACF user ID and is authenticated against LDAP using a password and a Distinguished Name, the Bind DN. The Bind DN combines the RACF user ID with the SDBM suffix from the LDAP server configuration file. If the RACF user is johndoe and the suffix value in the SDBM section of the LDAP configuration file is cn=myRACF, the bind DN is: racfid=johndoe, profiletype=user, cn=myRACF.
- Each RACF group that a user belongs to, including the WebSphere security groups, is stored in the multi-valued racfconnectgroupname attribute of the user's LDAP entry. The attribute is returned when a base or subtree search is performed with the user's DN as the Base DN.
- The Bind DN must represent a RACF user with Special or Auditor privileges. For more information about the required RACF authority, see the z/OS Security Server RACF Command Language Reference for our z/OS version in the z/OS Internet Library.
- We must define the racfconnectgroupname attribute in the LDAP default schema.
Remember: If TDBM is defined in the LDAP server configuration file in addition to SDBM, the TDBM schema is the default schema for the LDAP server. If the TDBM schema does not include the racfconnectgroupname attribute, either remove TDBM from the LDAP server configuration file or add the schema from the schema.user.ldif and schema.IBM.ldif files to the TDBM schema.
Tasks
- Click Security > Global security.
- Under User account repository, select Standalone LDAP registry and then click Configure.
- Under the Type of LDAP server, click Custom.
- Complete the fields for our LDAP environment. See Configure LDAP user registries. The users and groups must be in the subtree of the Base DN.
- Make sure that Ignore case for authorization is selected. RACF user names and group names are not case-sensitive.
- Click Apply and then click Save.
- Under Additional Properties, click Advanced LDAP user registry setting.
- Change User filter and Group filter to racfid=%v.
- Change User ID map and Group ID Map to *:racfid.
- Change Group member ID map to racfconnectgroupname:racfgroupuserids.
- Click Apply and click Save.
- Assign the administrative role to a user. See Authorizing access to administrative roles for more information.
- Restart WAS.
The environment is now protected by LDAP on z/OS with a RACF back end.
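As an added example (not code from this page or from WebSphere), the following Python models how the settings above fit together: the bind DN built from the RACF user ID and the SDBM suffix, the racfid=%v filter applied to a user or group search, and group membership resolved from the user's racfconnectgroupname values through the *:racfid ID map with case-insensitive comparison. The directory contents and the group names WASADMIN and SYS1 are constructed sample data.

```python
import re

SDBM_SUFFIX = "cn=myRACF"                    # suffix from the SDBM section of the LDAP config
USER_FILTER = "racfid=%v"                    # User filter / Group filter setting
ID_MAP = "*:racfid"                          # User ID map / Group ID map setting
GROUP_MEMBER_ID_MAP = "racfconnectgroupname:racfgroupuserids"
IGNORE_CASE = True                           # "Ignore case for authorization"

# Constructed stand-in for the SDBM back end: DN -> attribute values (RACF names are upper case).
DIRECTORY = {
    "racfid=JOHNDOE,profiletype=user,cn=myRACF": {
        "racfid": ["JOHNDOE"],
        "racfconnectgroupname": [
            "racfid=WASADMIN,profiletype=group,cn=myRACF",
            "racfid=SYS1,profiletype=group,cn=myRACF",
        ],
    },
    "racfid=WASADMIN,profiletype=group,cn=myRACF": {"racfid": ["WASADMIN"]},
    "racfid=SYS1,profiletype=group,cn=myRACF": {"racfid": ["SYS1"]},
}

def bind_dn(racf_user_id, suffix=SDBM_SUFFIX):
    """Bind DN = RACF user ID + SDBM suffix, e.g. racfid=johndoe,profiletype=user,cn=myRACF."""
    return f"racfid={racf_user_id},profiletype=user,{suffix}"

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; a comma escaped with a backslash stays in the value."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r"(?<!\\),\s*", dn)]

def _same(a, b):
    return a.lower() == b.lower() if IGNORE_CASE else a == b

def find_dn(name, profiletype="user"):
    """Apply the racfid=%v filter (the same text serves as User filter and Group filter)."""
    attr, wanted = USER_FILTER.replace("%v", name).split("=", 1)
    for dn, attrs in DIRECTORY.items():
        rdns = dict(parse_dn(dn))
        if rdns.get("profiletype") == profiletype and any(_same(v, wanted) for v in attrs.get(attr, [])):
            return dn
    return None

def group_names(user_dn):
    """Group member ID map: the user's racfconnectgroupname values are group DNs,
    each reduced to a group name with the racfid attribute named by the *:racfid ID map."""
    member_attr = GROUP_MEMBER_ID_MAP.split(":")[0]
    id_attr = ID_MAP.split(":")[1]
    return [dict(parse_dn(g))[id_attr] for g in DIRECTORY[user_dn].get(member_attr, [])]

def is_authorized(user_id, required_group):
    """True when the user belongs to required_group; RACF names are compared case-insensitively."""
    dn = find_dn(user_id, "user")
    return dn is not None and any(_same(g, required_group) for g in group_names(dn))
```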
Related:
- Local operating system registries
- Configure LDAP user registries