On 23 October 2012 07:39, Dave McHenry <[email protected]> wrote:

> A manager of ours read a link that claims OPENLDAP could be used to replace
> our current mainframe security. Everyone I've asked about this laughs and
> says impossible. Is it impossible?
I'm assuming you mean running OpenLDAP on some other platform, rather than on z/OS. If you mean running it on z/OS, what's the point - saving the cost of RACF? Regardless, many of my points below apply to this case too.

It's not impossible, but it's not ready for prime time for several reasons.

First, there is no off-the-shelf implementation. You'd need something at the SAF level that would capture all SAF requests, translate them into appropriate LDAP requests, direct them to the LDAP server, retrieve the answers, translate them into the expected SAF results, and return them to the SAF caller. Maybe some ISV has already done this, and who knows - maybe IBM will announce it one day. I'm not aware that either has happened. So probably you are on your own here.

Second, there are SAF calls that have no LDAP equivalent, or map only in an ugly fashion into LDAP concepts. These may be in use by IBM code, by your own applications, or by ISV code. And there are RACF interfaces that are not SAF.

Third, there is the performance and concurrency issue. Are you willing to have your production logons and auth checks subject to network delays, server failures, and so on? Well, sure, you can beef up the LDAP server infrastructure, add transparent failover and such, isolate the network so it's fast, etc. etc. But will it reliably support the hundreds or thousands of SAF calls per second that are common in a big production environment?

Fourth, there is a chicken-and-egg issue: RACF (or whichever of its two competitors you use) generally starts before TCP/IP, and TCP/IP configuration depends to some degree on the result of SAF calls. Well, the world is full of bootstrapping problems that get solved one way or another, but it does have to be solved.

It sounds as though your manager thinks there is an off-the-shelf, drop-in solution (what was the problem being solved, btw?), and I think there's virtually no chance of that.

Tony H.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
