Sounds like upper IT management at my shop. I can do *anything* so long as it doesn't cost hard dollars. And we are minimizing software & hardware costs, even if it causes problems later. Education is not the answer. I will avoid specifying what they really need.

On Oct 23, 2012 8:45 PM, "Rob Schramm" <[email protected]> wrote:

> Then give CA the boot and get RACF. There are people that can help you
> convert. IBM will be more than happy to add it.
>
> If you want to do the conversion yourself, there is a Redbook.
>
> If CA won't work on the contract $$$, then show them the door. CA is
> either a strategic partner... or not. I wouldn't put up with it. Of course
> if this is just the fact that the software isn't free... Educate the
> manager.
>
> Rob Schramm
>
> On Oct 23, 2012 8:10 PM, "Dave McHenry" <[email protected]> wrote:
>
> > The "problem" being "solved" is twofold:
> > 1. Cost of CA TSS
> > 2. Desire to eliminate CA.
> >
> > On Tue, Oct 23, 2012 at 4:52 PM, Tony Harminc <[email protected]> wrote:
> >
> > > On 23 October 2012 07:39, Dave McHenry <[email protected]> wrote:
> > >
> > > > A manager of ours read a link that claims OPENLDAP could be used to
> > > > replace our current mainframe security. Everyone I've asked about
> > > > this laughs and says impossible. Is it impossible?
> > >
> > > I'm assuming you mean running OpenLDAP on some other platform, rather
> > > than on z/OS. If you mean running it on z/OS, what's the point -
> > > saving the cost of RACF? Regardless, many of my points below apply to
> > > this case too.
> > >
> > > It's not impossible, but it's not ready for prime time for several
> > > reasons.
> > >
> > > First, there is no off the shelf implementation. You'd need something
> > > at the SAF level that would capture all SAF requests, translate them
> > > into appropriate LDAP requests, direct them to the LDAP server,
> > > retrieve the answers, translate them into the expected SAF results,
> > > and return them to the SAF caller. Maybe some ISV has already done
> > > this, and who knows - maybe IBM will announce it one day. I'm not
> > > aware that either has happened. So probably you are on your own here.
> > >
> > > Second, there are SAF calls that have no LDAP equivalent, or map only
> > > in an ugly fashion into LDAP concepts. These may be in use by IBM
> > > code, by your own applications, or by ISV code. And there are RACF
> > > interfaces that are not SAF.
> > >
> > > Third, there is the performance and concurrency issue. Are you willing
> > > to have your production logons and auth checks subject to network
> > > delays, server failures, and so on? Well, sure, you can beef up the
> > > LDAP server infrastructure, add transparent failover and such, isolate
> > > the network so it's fast, etc. etc. But will it reliably support the
> > > hundreds or thousands of SAF calls per second that are common in a big
> > > production environment?
> > >
> > > Fourth, there is a chicken and egg issue: RACF (or whichever of its
> > > two competitors you use) generally starts before TCP/IP, and TCP/IP
> > > configuration depends to some degree on the result of SAF calls. Well,
> > > the world is full of bootstrapping problems that get solved one way or
> > > another, but it does have to be solved.
> > >
> > > It sounds as though your manager thinks there is an off the shelf,
> > > drop-in solution (what was the problem being solved, btw?), and I
> > > think there's virtually no chance of that.
> > >
> > > Tony H.
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
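Tony Harminc's first two points above (a SAF-level layer that would have to translate every request into a directory lookup, and SAF concepts that map onto LDAP only in an ugly fashion) are the subject of the following added example. It is not code from the thread, from IBM, or from any product mentioned; it is a Python model of what such a shim would have to reimplement itself, because a plain directory search cannot express it: RACF-style generic profile matching with `*`, `**` and `%`, selection of the most specific matching profile, a user's own access-list entry taking precedence over group entries, and the ordered access levels. The `ProfileDirectory` class, the profile names and the access lists are constructed stand-ins for an LDAP directory; the specificity rule is a simplification of RACF's character-by-character comparison; and failing closed when the directory is unreachable or no profile matches is a design choice for the model, not RACF's default behaviour.

```python
"""Constructed model of a SAF-to-directory authorization shim (not real RACF or LDAP code)."""
import re
from dataclasses import dataclass, field

# RACF access levels from least to most privileged (EXECUTE sits between NONE and READ).
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


class DirectoryUnavailable(Exception):
    """Models the LDAP server being unreachable (the thread's 'network delays, server failures')."""


@dataclass
class Profile:
    name: str                                  # e.g. "PROD.PAYROLL.**"
    uacc: str = "NONE"                         # universal access for IDs not on the ACL
    acl: dict = field(default_factory=dict)    # user or group ID -> access level


def generic_to_regex(profile_name: str) -> re.Pattern:
    """Translate RACF generic characters into a regex (simplified rules, an assumption of this model).

    '**' matches zero or more qualifiers, '*' matches within a single qualifier,
    '%' matches exactly one character; everything else is literal.
    """
    out, i = [], 0
    while i < len(profile_name):
        if profile_name.startswith("**", i):
            out.append(r".*")
            i += 2
        elif profile_name[i] == "*":
            out.append(r"[^.]*")
            i += 1
        elif profile_name[i] == "%":
            out.append(r"[^.]")
            i += 1
        else:
            out.append(re.escape(profile_name[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def specificity(profile_name: str) -> int:
    """Simplified most-specific rule: the profile with the most literal characters wins."""
    return sum(1 for c in profile_name if c not in "*%")


class ProfileDirectory:
    """Stand-in for the LDAP server: profiles keyed by resource class, held in memory."""

    def __init__(self, profiles: dict, available: bool = True):
        self._profiles = {cls: list(ps) for cls, ps in profiles.items()}
        self.available = available

    def search(self, resource_class: str, resource_name: str):
        """Return the best matching profile, or None; raise if the 'server' is down."""
        if not self.available:
            raise DirectoryUnavailable(resource_class)
        matches = [p for p in self._profiles.get(resource_class, [])
                   if generic_to_regex(p.name).match(resource_name)]
        return max(matches, key=lambda p: specificity(p.name)) if matches else None


def granted_access(profile: Profile, user: str, groups: list) -> str:
    """A user's own ACL entry wins; otherwise the highest level of any of the user's groups; else UACC."""
    if user in profile.acl:
        return profile.acl[user]
    group_levels = [profile.acl[g] for g in groups if g in profile.acl]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.index)
    return profile.uacc


def check_auth(directory, user, groups, resource_class, resource_name, requested):
    """Model of one RACROUTE REQUEST=AUTH routed through the directory.

    Returns (allowed, reason). Fails closed (a model design choice) when the directory
    cannot be reached or when no profile protects the resource.
    """
    try:
        profile = directory.search(resource_class, resource_name)
    except DirectoryUnavailable:
        return False, "directory unavailable; failing closed"
    if profile is None:
        return False, "no profile protects resource; failing closed"
    have = granted_access(profile, user, groups)
    allowed = ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(requested)
    return allowed, f"profile {profile.name} grants {have}, requested {requested}"


# Constructed sample profiles; names, users and groups are invented for the model.
DIRECTORY = ProfileDirectory({
    "DATASET": [
        Profile("PROD.**", acl={"OPERGRP": "READ"}),
        Profile("PROD.PAYROLL.**", acl={"PAYGRP": "UPDATE", "AUDIT1": "READ"}),
        Profile("PROD.PAYROLL.MASTER", acl={"PAYADM": "ALTER", "PAYGRP": "READ"}),
    ],
})

if __name__ == "__main__":
    print(check_auth(DIRECTORY, "PAY01", ["PAYGRP"], "DATASET", "PROD.PAYROLL.HISTORY", "UPDATE"))
    print(check_auth(DIRECTORY, "PAY01", ["PAYGRP"], "DATASET", "PROD.PAYROLL.MASTER", "UPDATE"))
    print(check_auth(DIRECTORY, "PAYADM", ["PAYGRP"], "DATASET", "PROD.PAYROLL.MASTER", "ALTER"))
    print(check_auth(ProfileDirectory({}, available=False), "X", [], "DATASET", "A.B", "READ"))
```

Every decision in `check_auth` is one round trip to the directory, which is where Tony's third point bites: at hundreds or thousands of SAF calls per second, the matching, precedence and ordering logic shown here has to live on the z/OS side, and the directory can at best serve profile data that is cached locally.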
