The LDAP sign-on support can be used with the Basic Security Manager (BSM) and with an External Security Manager (ESM) such as CA Top Secret or BIM Alert. Figure 2 shows the interactive interface sign-on panel.
The LDAP sign-on process consists of these simplified steps:
1. The user enters the corporate userid and password into a sign-on panel that’s been adapted to support long userids and passwords (up to 64 characters).
2. The LDAP sign-on program connects to the LDAP server and authenticates the entered userid and password by performing LDAP bind and search operations.
3. If the LDAP authentication succeeds, the sign-on program looks up the user’s record in the mapping file on z/VSE and gets the associated short z/VSE userid and password (both up to eight characters) from the record.
4. The LDAP sign-on program passes the corresponding z/VSE userid and password to the underlying security manager (BSM or ESM) through the existing sign-on process.
All security definitions regarding permissions and access to resources occur in z/VSE based on the associated short z/VSE userid. If the security setup already exists, it can be used as is. However, the user signs on to z/VSE using the long LDAP userid and password. Figure 3 shows an example of integrating z/VSE in an identity management system.
The mapping file stores records for mapping long (corporate) LDAP userids to short internal z/VSE userids. However, not all users are required to sign on using their LDAP userid. If, for example, the LDAP server isn’t available (e.g., due to network errors), system administrators and operators should still be able to sign onto z/VSE to fix the problem. So, you can define some userids as not being LDAP-enabled. For such userids, no LDAP authentication, no communication with the LDAP server and no mapping occur. The non-LDAP-enabled users sign on using their (short) z/VSE userid and password. This is possible even if the LDAP server isn’t available.
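The four sign-on steps above and the non-LDAP-enabled fallback in this paragraph, modelled as an added Python illustration (not IBM's LDAP sign-on program or the real z/VSE mapping-file format). The LDAP server, the mapping file and the BSM/ESM are constructed stand-ins; the rule that a userid with no mapping record is rejected is an assumption of this example, chosen so the flow fails closed.

```python
import hmac
from dataclasses import dataclass
MAX_LDAP_LEN, MAX_VSE_LEN = 64, 8   # long corporate vs. short z/VSE credential lengths

@dataclass
class MappingRecord:
    """Constructed mapping-file record layout (not the real z/VSE file format)."""
    ldap_enabled: bool
    vse_userid: str = ""      # short credentials, present for LDAP-enabled users only
    vse_password: str = ""

class LdapUnavailable(Exception): """Directory unreachable (e.g. network error)."""

def make_ldap(directory, reachable=True):
    """Stand-in for the corporate LDAP server's bind + search on long credentials."""
    def bind_and_search(userid, password):
        if not reachable:
            raise LdapUnavailable("network error")
        return hmac.compare_digest(directory.get(userid, "").encode(), password.encode())
    return bind_and_search

def security_manager_signon(vse_users, userid, password):
    """Stand-in for BSM/ESM: only short (up to 8 char) z/VSE credentials are accepted."""
    if len(userid) > MAX_VSE_LEN or len(password) > MAX_VSE_LEN:
        return False
    return hmac.compare_digest(vse_users.get(userid, "").encode(), password.encode())

def ldap_signon(userid, password, mapping, bind_and_search, vse_users):
    """Return the short z/VSE userid that was signed on, or None on any failure."""
    if len(userid) > MAX_LDAP_LEN or len(password) > MAX_LDAP_LEN:
        return None                        # panel accepts at most 64 characters
    rec = mapping.get(userid)
    if rec is None:
        return None                        # assumption: undefined userids fail closed
    if not rec.ldap_enabled:
        # Operator path: no LDAP bind, no mapping; works even while LDAP is down.
        return userid if security_manager_signon(vse_users, userid, password) else None
    try:
        if not bind_and_search(userid, password):
            return None                    # wrong corporate password
    except LdapUnavailable:
        return None                        # LDAP-enabled users get no fallback
    ok = security_manager_signon(vse_users, rec.vse_userid, rec.vse_password)
    return rec.vse_userid if ok else None

# Constructed sample data: one LDAP-enabled user and one non-LDAP-enabled operator.
MAPPING_FILE = {"alice@corp.example.com": MappingRecord(True, "ALICE01", "S3CR3T1"),
                "SYSOPR": MappingRecord(False)}
VSE_USERS = {"ALICE01": "S3CR3T1", "SYSOPR": "OPERPW"}
CORP_DIRECTORY = {"alice@corp.example.com": "Corp-Pass-2024!"}
```

With the directory marked unreachable, `ldap_signon` still admits `SYSOPR` but rejects the LDAP-enabled user, which is the behaviour the paragraph describes.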