I don't know that I would argue against it at all. As Vincent pointed out, the interface is really based on LDAP anyway, with some modifications. If your shop already has ACF2 running somewhere else, why build yet another repository of user authentication information?
I do have some concerns with having the authentication service outside the box. Networks make me paranoid because they seem to break at all the wrong times. But, if there is a way to have redundancy, I would say go for it. I've used ACF2 on MVS for decades. I like it a lot. It's one of the reasons why I don't worry about rogue employees getting to things they shouldn't on my MVS systems, let alone "outsiders."

Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of Eric Sammons
Sent: Saturday, February 14, 2004 1:22 AM
To: [EMAIL PROTECTED]
Subject: Any looking at CA-ACF2?

Our security group is looking at CA-ACF2 and the pam_acf2 library offering from CA. Their claim is that CA has committed to releasing this source to the open source community. Thus far I have only seen a white paper that states it supports only Linux installs on the Z platform.

I am arguing that with wide acceptance and support this solution is the wrong solution. I have instead suggested that we go with an LDAP pam_ldap.so solution. Given our environment includes most Unix platforms available to the masses and that z/Linux is only just now breaking ground in our environment, the CA-ACF2 pam library solution is not the best solution. How our security group opts to secure VM is really of no concern to me; CA-ACF2 at this layer is fine with me; it is the pam_acf2 library that concerns me.

Has anyone else looked at this solution? Any thoughts? Any ideas how to argue against and provide a stronger case?

Thanks!
Eric Sammons
