z/OS: Native authentication user administration
Native authentication provides the added feature of many-to-one mapping of ISAM users to SAF user IDs. Most of the existing administrative tasks work the same way with native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Security Verify Access configured against any other LDAP registry. Users can change their own SAF passwords with the web-based pkmspasswd utility. Multiple users can have the same ibm-nativeId, and all of them bind with the same SAF password. For this reason, prevent many-to-one mapped users from changing the SAF password; otherwise a user who changes it inadvertently locks every peer that shares the same SAF user ID out of their account. The following pdadmin commands deny the pkmspasswd page to members of the SAFusers group:
pdadmin sec_master> group modify SAFusers add user1
pdadmin sec_master> acl create deny_pkms
pdadmin sec_master> acl modify deny_pkms set group SAFusers T
pdadmin sec_master> acl attach /Webseal/server_name/pkmspasswd deny_pkms

There is no ready-to-use administration command to set the ibm-nativeId entry for a user. The following instructions therefore cover managing ISAM users that have an associated nativeId. The user create command is unchanged:

pdadmin sec_master> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1
pdadmin sec_master> user modify user1 account-valid yes

The password (ChangeMe1, in this example) is written to the user's userpassword attribute in LDAP, which has no effect while native authentication is enabled. In production environments, use the utility program provided with the Security Directory Server for z/OS to remove userpassword values from LDAP. This prevents those passwords from being usable if native authentication is inadvertently disabled. To set the ibm-nativeId entry for a user, create an ldif file, called a schema file, similar to the following:
dn: cn=user1,o=tivoli,c=us
changetype: modify
objectclass: ibm-nativeAuthentication
ibm-nativeId: SAF_username

Load the ldif file by using the ldapmodify command on z/OS as follows:
ldapmodify -h host_name -p port -D bind_DN -w bind_pwd -f schema_file
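As an added example (not from the IBM documentation), the following POSIX shell script generates the z/OS-format LDIF record shown above for a whole list of ISAM users, validates each SAF user ID before it is written, counts how many distinct SAF user IDs the mapping uses (more DNs than SAF IDs means many-to-one users exist and pkmspasswd must be denied for them), and wraps the ldapmodify call. The SAF user ID rule it applies (1 to 8 characters from A-Z, 0-9, @, #, $) is an assumption drawn from RACF conventions; host_name, port and bind_DN are placeholders, and the dn|safid mapping-file format is the script's own convention.

```shell
#!/bin/sh
# Added example, not part of the IBM page: generate the LDIF that sets
# ibm-nativeId for a list of ISAM user DNs and load it with ldapmodify.
# The SAF user ID rule below (1-8 characters from A-Z, 0-9, @, #, $) is an
# assumption based on RACF user ID conventions; adjust it to your installation.

# Return 0 if the argument looks like a valid SAF (RACF) user ID.
valid_saf_id() {
    printf '%s' "$1" | grep -Eq '^[A-Z0-9@#$]{1,8}$'
}

# Emit one LDIF record in the z/OS ldapmodify format shown on this page.
# Several DNs may name the same SAF user ID (many-to-one mapping).
native_ldif_entry() {
    printf 'dn: %s\nchangetype: modify\nobjectclass: ibm-nativeAuthentication\nibm-nativeId: %s\n\n' "$1" "$2"
}

# Read "dn|safid" lines from $1 and write LDIF to $2. Any line whose SAF ID
# fails validation aborts the run, so a typo never reaches the directory.
build_native_ldif() {
    mapping="$1"; out="$2"
    : > "$out"
    while IFS='|' read -r dn saf; do
        [ -z "$dn" ] && continue
        if ! valid_saf_id "$saf"; then
            echo "rejected: $dn -> '$saf' is not a valid SAF user ID" >&2
            return 1
        fi
        native_ldif_entry "$dn" "$saf" >> "$out"
    done < "$mapping"
}

# Count the distinct SAF IDs a mapping file points at. Fewer SAF IDs than
# DNs means many-to-one users exist and pkmspasswd should be denied for them.
count_saf_ids() {
    grep -v '^$' "$1" | cut -d'|' -f2 | sort -u | wc -l | tr -d ' '
}

# Load the generated LDIF on z/OS. host_name, port and bind_DN are
# placeholders; BIND_PW must be supplied in the environment.
load_native_ldif() {
    ldapmodify -h "${LDAP_HOST:-host_name}" -p "${LDAP_PORT:-389}" \
        -D "${BIND_DN:-bind_DN}" -w "${BIND_PW:?set BIND_PW}" -f "$1"
}

# Constructed sample: two ISAM users mapped to one SAF user ID.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
cn=user1,o=tivoli,c=us|SAFUSR1
cn=user2,o=tivoli,c=us|SAFUSR1
EOF
SAMPLE_LDIF=$(mktemp)
build_native_ldif "$SAMPLE_MAP" "$SAMPLE_LDIF"
cat "$SAMPLE_LDIF"
# To apply for real on z/OS:  BIND_PW=... load_native_ldif "$SAMPLE_LDIF"
```

The validation step is the point of the script: because every DN that shares an ibm-nativeId binds with the same SAF password, a mistyped SAF user ID silently attaches an ISAM user to the wrong z/OS identity, so it is cheaper to reject the line before ldapmodify runs than to audit the directory afterwards.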
To run idsldapmodify from a Security Directory Server client on a distributed system, the format of the ldif file changes slightly:
dn: cn=user1,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: SAF_username

The SAF command to reset a user's password is as follows:

ALTUSER SAF_username PASSWORD(new_password)
In addition to resetting the password, the command marks the password as expired, so the user must change it at the next login. If desired, add the NOEXPIRED option to the command to prevent that behavior. The SAF_username must be defined as a z/OS UNIX System Services user; that is, the SAF_username must be defined on z/OS with an OMVS segment. The following line is an example of a SAF command that defines SAF_username as a UNIX System Services user:
altuser SAF_username omvs(home(/u/SAF_username) program(/bin/sh) uid(123456))
To use native authentication, turn off the auth-using-compare stanza entry. To do so, edit the [ldap] stanza of the ivmgrd.conf and webseald.conf files and change the line as follows:
auth-using-compare = no
By default, authentications to LDAP are made with a compare operation, rather than a bind.
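An added example, not part of the IBM page: a POSIX shell check that confirms auth-using-compare = no inside the [ldap] stanza of ivmgrd.conf and webseald.conf (ignoring the same key when it appears in any other stanza) and writes a corrected copy when the value is wrong or missing. The sample configuration files are constructed for the demonstration; the other stanza names and keys in them are made up and carry no meaning for the product.

```shell
#!/bin/sh
# Added example, not from the IBM page: verify and correct the
# auth-using-compare entry in the [ldap] stanza of an ISAM configuration file.

# Return 0 if the [ldap] stanza of $1 sets auth-using-compare = no.
# The same key in any other stanza is ignored; a missing key counts as not set.
ldap_compare_off() {
    awk '
        /^\[/ { line = $0; sub(/[ \t]+$/, "", line); in_ldap = (line == "[ldap]"); next }
        in_ldap && /^[ \t]*auth-using-compare[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            val = tolower(val)
        }
        END { if (val == "no") exit 0; exit 1 }
    ' "$1"
}

# Write a copy of $1 to $2 with auth-using-compare forced to "no" inside the
# [ldap] stanza. Duplicate entries in [ldap] are collapsed, a missing entry is
# appended to the stanza, and every other stanza is copied unchanged.
set_compare_off() {
    awk '
        /^\[/ {
            if (in_ldap && !done) { print "auth-using-compare = no"; done = 1 }
            line = $0; sub(/[ \t]+$/, "", line); in_ldap = (line == "[ldap]")
        }
        in_ldap && /^[ \t]*auth-using-compare[ \t]*=/ {
            if (!done) { print "auth-using-compare = no"; done = 1 }
            next
        }
        { print }
        END { if (in_ldap && !done) print "auth-using-compare = no" }
    ' "$1" > "$2"
}

# Report every configuration file whose [ldap] stanza still authenticates
# with a compare operation. Returns non-zero if any file needs fixing.
check_confs() {
    rc=0
    for f in "$@"; do
        if ldap_compare_off "$f"; then
            echo "ok:  $f"
        else
            echo "FIX: $f (auth-using-compare is not 'no' in [ldap])"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples standing in for ivmgrd.conf and webseald.conf.
# The decoy "auth-using-compare = no" in [server] must not satisfy the check.
SAMPLE_IVMGRD=$(mktemp)
printf '[server]\nauth-using-compare = no\n\n[ldap]\nhost = ldap.example\nauth-using-compare = yes\n' > "$SAMPLE_IVMGRD"
SAMPLE_WEBSEALD=$(mktemp)
printf '[ldap]\nhost = ldap.example\nauth-using-compare = no\n' > "$SAMPLE_WEBSEALD"
check_confs "$SAMPLE_IVMGRD" "$SAMPLE_WEBSEALD" || true
FIXED_IVMGRD=$(mktemp)
set_compare_off "$SAMPLE_IVMGRD" "$FIXED_IVMGRD"
check_confs "$FIXED_IVMGRD"
```

Checking both files together matters because the policy server (ivmgrd.conf) and each WebSEAL instance (webseald.conf) authenticate against the directory independently; a single file left at the default compare setting will keep trying the LDAP userpassword attribute, which native authentication has made meaningless.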
After we configure the IBM Security Directory Server for z/OS for use with Security Verify Access, the next step is to set up the policy server.