I tried using WAS 5.0 on Red Hat. Configured LDAP Server and RACF on
OS/390 and came close but was finally told by IBM WAS Development that SDBM-only
authentication for WAS on Linux is not supported. You can always use
TDBM with DB2 but that is not an attractive option. IBM has this working
with WAS 5.1 and sent me the following.

1) Information provided here is AS-IS, as SDBM backend z/OS LDAP is not
officially tested and supported.
2) The document is for 5.1.  Any release prior to 5.1 will work except for
group, i.e., mapping to group only works after 5.1.

Assumptions:
1) The user logs in to WebSphere security with a RACF ID, and the user is
authenticated against LDAP with a DN of the form
racfid=suimgti,profiletype=user,cn=myracf and a password.
2) All RACF groups to which a user belongs are stored in the multi-valued
attribute racfconnectgroupname in the user object. The attribute can be
returned when performing an object-scope search with the user's DN as base DN.
3) Any group name used in WebSphere security can be found in the
racfconnectgroupname attribute.

Test: I performed this testing against 5.1, and no code change is required in
5.1. The same functionality could be backported to WAS 5.0.

How to map role to group:
1) From the LDAP user registry panel, select IBM Directory Server as the
LDAP type.
2) Fill in all fields.
3) Be sure to check "ignore case", as RACF user names and group names are case
insensitive.
4) Save the data.
5) Go to the LDAP advanced settings panel.
6) Change "user filter" and "group filter" to "racfid=%v", and change "user
ID map" and "group ID map" to "*:racfid".
7) Change the "Group member ID Map" field to
"racfconnectgroupname:racfgroupuserids". (Note that the racfgroupuserids
attribute is not really used yet; it is reserved to get all members
from a given group name, and you can replace it with a dummy attribute.)


The above blew up in the LDAP server on parsing the
racfconnectgroupname. I have WAS 5.1, plan to install it and try again.
If you have any luck please let me know.

Richard W. Lauck
Cornerstone Systems, Inc.
Sr. Systems Programmer
IBM Certified S/390 Parallel Sysplex Systems Programmer
IBM Certified S/390 Parallel Sysplex Operator
IBM Parallel Sysplex Top Gun
(425)489-4579                     Direct - Office - Voice Mail
(425)486-4501                     Home
(888)505-4534                     Pager
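To make the quoted IBM settings concrete, here is an added example (not code from the thread, from IBM or from WebSphere) that models what the WAS 5.x LDAP registry does with them against z/OS LDAP and the SDBM (RACF) backend: expand the "racfid=%v" filter template, build the user's SDBM DN under the suffix from James's post, run an object-scope search with that DN as base, read the groups from the multi-valued racfconnectgroupname attribute, and check a role-to-group mapping case-insensitively as the "ignore case" setting implies. The LDAP server is replaced by an in-memory dict and the entry contents are constructed for the example; the RFC 4515 escaping of the substituted login name and the wrapping of the expanded template in parentheses are this example's choices, not something the thread states about WAS.

```python
"""Added example: models the WAS 5.x LDAP registry lookups implied by the
quoted IBM settings against z/OS LDAP with the SDBM (RACF) backend.
Directory contents are constructed; the suffix comes from James's post."""
from typing import Dict, List, Optional

# RFC 4515 escapes for values substituted into a filter template.  The login
# name is user-supplied, so it is escaped before it replaces %v (this escaping
# is the example's choice, not documented WAS behaviour).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

SDBM_SUFFIX = "ou=racf,o=co.hennepin.mn,c=us"   # suffix used in James's post


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Expand a WAS filter template such as "racfid=%v" into a search filter."""
    expanded = template.replace("%v", escape_filter_value(value))
    return expanded if expanded.startswith("(") else f"({expanded})"


def sdbm_user_dn(racfid: str, suffix: str = SDBM_SUFFIX) -> str:
    """SDBM user entries are named racfid=<ID>,profiletype=user,<suffix>;
    RACF IDs are stored upper case, as James's security people note."""
    return f"racfid={racfid.upper()},profiletype=user,{suffix}"


def parse_id_map(id_map: str) -> Dict[str, str]:
    """Parse a WAS ID map ("objectclass:attribute;...", "*" = any class)."""
    pairs = (item.split(":", 1) for item in id_map.split(";") if item)
    return {oc.strip().lower(): attr.strip().lower() for oc, attr in pairs}


def id_attribute(id_map: str, objectclass: str) -> Optional[str]:
    """Attribute WAS shows as the user/group name for a given objectclass."""
    mapping = parse_id_map(id_map)
    return mapping.get(objectclass.lower(), mapping.get("*"))


# Constructed stand-in for the z/OS LDAP server: DN -> attributes (lowercase names).
CONSTRUCTED_DIRECTORY = {
    sdbm_user_dn("FRED"): {
        "objectclass": ["racfuser"],
        "racfid": ["FRED"],
        "racfconnectgroupname": ["SYS1", "WASADMIN"],   # constructed group names
    },
}


def base_scope_search(directory: dict, base_dn: str, attrs: List[str],
                      ignore_case: bool = True) -> Optional[dict]:
    """Object-scope search: return the entry at base_dn, limited to attrs.
    The DN compare is case-insensitive when "ignore case" is set."""
    for dn, entry in directory.items():
        same = dn.lower() == base_dn.lower() if ignore_case else dn == base_dn
        if same:
            return {a: entry.get(a.lower(), []) for a in attrs}
    return None


def groups_for_user(directory: dict, login: str) -> List[str]:
    """Assumption 2 of the quoted text: read racfconnectgroupname from the
    user's own entry via an object-scope search with the user's DN as base."""
    entry = base_scope_search(directory, sdbm_user_dn(login), ["racfconnectgroupname"])
    if entry is None:
        return []
    return sorted(g.upper() for g in entry["racfconnectgroupname"])


def user_in_role(directory: dict, login: str, role_groups: List[str]) -> bool:
    """Role-to-group check; case-insensitive because RACF names are (step 3)."""
    wanted = {g.upper() for g in role_groups}
    return bool(wanted & set(groups_for_user(directory, login)))


if __name__ == "__main__":
    print(build_filter("racfid=%v", "fred"))               # (racfid=fred)
    print(groups_for_user(CONSTRUCTED_DIRECTORY, "fred"))  # ['SYS1', 'WASADMIN']
    print(user_in_role(CONSTRUCTED_DIRECTORY, "fred", ["wasadmin"]))  # True
```

The group lookup never touches a group entry at all, which is the point of the quoted approach: the membership list comes back on the user object, so the "group member ID map" attribute the instructions call a placeholder is not consulted here either.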

From: James Melin <[EMAIL PROTECTED]nepin.mn.us>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]IST.EDU>
To: [EMAIL PROTECTED]
Date: 02/10/2004 12:38 PM
Subject: WebSphere on z/Linux and LDAP/RACF user authentication
Please respond to: Linux on 390 Port <[EMAIL PROTECTED]IST.EDU>

Has anyone gotten WAS 5 on z/Linux to authenticate against the IBM LDAP with the
RACF back-end?

It is premature for us to go to native authentication on z/Linux, so having
WebSphere on z/Linux use the local OS for authentication is not practical.

We are attempting to configure WAS on z/Linux to talk to the IBM Directory
Server on z/OS, but it is being reluctant. Ergo, there is something I do
not understand.

So, we have an ID set up to access facility class irr.listuser. Let's call
that ID FRED for the sake of the argument. This has a non-expiring
password.

Security says the ID and password are stored in RACF upper case.

WAS asks for the following. Where I have a valid value I will supply what
we used.

Server User ID                FRED

Server User Password          {freds password}

Host                    Hawk  <---------------letting DNS handle this part.

Port                    389

Base Distinguished Name (DN)
racfid=FRED,profiletype=user,ou=racf,o=co.hennepin.mn,c=us

Bind Distinguished Name (DN)
racfid=FRED,profiletype=user,ou=racf,o=co.hennepin.mn,c=us

Bind Password                 {freds password}

Search Timeout                120

reuse connection Y      Ignore case Y     SSL Enabled Y

and default settings for SSL configuration

When attempting to turn this on, we get this:

 Feb 10, 2004 2:23:33 PM CST  com.ibm.ws.console.security.SecurityValidation      security.validation.exception
 Feb 10, 2004 2:23:33 PM CST  com.ibm.ws.console.security.ConnectToRuntime        security.ctr.ckpwd.exception
 Feb 10, 2004 2:23:33 PM CST  com.ibm.ws.security.core.SecurityAdmin              SECJ0297E: Error checking password for user :FRED
 Feb 10, 2004 2:23:33 PM CST  com.ibm.ws.security.registry.ldap.LdapRegistryImpl  SECJ0336E: Authentication failed for user FRED
 Feb 10, 2004 2:23:33 PM CST  com.ibm.ws.security.registry.ldap.LdapRegistryImpl  SECJ0352E: Could not get the users matching the pa

I don't really see any good documentation that covers this particular
issue. Has anyone done this?

According to our security people