Kind of a chicken and egg. How can you IPL if your LDAP server is not 
responding? Remember, as is, the MF can shrug off any LAN issues. You have the 
power to put the operation of the MF at the mercy of the company LAN.  

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Corjan Nota
Sent: Tuesday, April 07, 2009 10:44 AM
To: [email protected]
Subject: Re: HMC and LDAP

We are thinking of authenticating operators on our company-wide LDAP
server residing on AIX behind a VPN with SSL/TLS. Not my preferred
platform, but I can live with it for now and we'll see how things are
going. Security management defines all operator userids on the HMC and
in the Active Directory. I don't expect operator handling will go much
better, but maybe there will be more awareness and ...it's a management
decision. 

Maybe we can migrate to the LDAP Tivoli Directory Service on z/OS in the
near future (not implemented yet), but then we will get specific
operator authentication problems if this LDAP system must be IPL-ed. 
Whatever we choose: an envelope procedure is always necessary. 

Corjan Nota

-----Original message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of
Hal Merritt
Sent: Tuesday, April 7, 2009 16:32
To: [email protected]
Subject: Re: HMC and LDAP

I am somewhat aware of how MS LDAP works, and am horrified. A key issue
to me is that, by default, any user may display most all information
about any other in a given 'container'. 

Even if that is not true, our shop still considers the risks of exposing
the 'family jewels' (the SE/HMC LAN) to -any- such attack vectors as
unacceptable.  YMMV

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html