The "problem" being "solved" is twofold: 1. Cost of CA TSS. 2. Desire to eliminate CA.
On Tue, Oct 23, 2012 at 4:52 PM, Tony Harminc <[email protected]> wrote:

> On 23 October 2012 07:39, Dave McHenry <[email protected]> wrote:
> > A manager of ours read a link that claims OPENLDAP could be used to replace
> > our current mainframe security. Everyone I've asked about this laughs and
> > says impossible. Is it impossible?
>
> I'm assuming you mean running OpenLDAP on some other platform, rather
> than on z/OS. If you mean running it on z/OS, what's the point -
> saving the cost of RACF? Regardless, many of my points below apply to
> this case too.
>
> It's not impossible, but it's not ready for prime time for several reasons.
>
> First, there is no off the shelf implementation. You'd need something
> at the SAF level that would capture all SAF requests, translate them
> into appropriate LDAP requests, direct them to the LDAP server,
> retrieve the answers, translate them into the expected SAF results,
> and return them to the SAF caller. Maybe some ISV has already done
> this, and who knows - maybe IBM will announce it one day. I'm not
> aware that either has happened. So probably you are on your own here.
>
> Second, there are SAF calls that have no LDAP equivalent, or map only
> in an ugly fashion into LDAP concepts. These may be in use by IBM
> code, by your own applications, or by ISV code. And there are RACF
> interfaces that are not SAF.
>
> Third, there is the performance and concurrency issue. Are you willing
> to have your production logons and auth checks subject to network
> delays, server failures, and so on? Well, sure, you can beef up the
> LDAP server infrastructure, add transparent failover and such, isolate
> the network so it's fast, etc. etc. But will it reliably support the
> hundreds or thousands of SAF calls per second that are common in a big
> production environment?
>
> Fourth, there is a chicken and egg issue: RACF (or whichever of its
> two competitors you use) generally starts before TCP/IP, and TCP/IP
> configuration depends to some degree on the result of SAF calls. Well,
> the world is full of bootstrapping problems that get solved one way or
> another, but it does have to be solved.
>
> It sounds as though your manager thinks there is an off the shelf,
> drop-in solution (what was the problem being solved, btw?), and I
> think there's virtually no chance of that.
>
> Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
