We are thinking of authenticating operators on our company-wide LDAP Server residing on AIX behind a VPN with SSL/TLS. Not my preferred platform, but I can live with it for now and we'll see how things are going. Security management defines all operator userids on the HMC and in the Active Directory. I don't expect operator handling will go much better, but maybe there will be more awareness and ... it's a management decision.
Maybe we can migrate to the LDAP Tivoli Directory Service on z/OS in the near future (not implemented yet), but then we will get specific operator authentication problems if this LDAP system must be IPL-ed. Whatever we choose: an envelope procedure is always necessary.

Corjan Nota

-----Original message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Hal Merritt
Sent: Tuesday 7 April 2009 16:32
To: [email protected]
Subject: Re: HMC and LDAP

I am somewhat aware of how MS LDAP works, and am horrified. A key issue to me is that, by default, any user may display most all information about any other in a given 'container'. Even if that is not true, our shop still considers the risks of exposing the 'family jewels' (the SE/HMC LAN) to -any- such attack vectors as unacceptable.

YMMV

