Yes, the PAM modules will work if you don't have the TDBM.

Cameron

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 9:09 AM
To: [EMAIL PROTECTED]
Subject: 


As an ancillary question to the items raised by Cameron, when your
RACF/LDAP sysprog will NOT create a TDBM backend for RACF but insists that
the SDBM is sufficient (had to go down this road with WebSphere and LDAP
authentication), will any of the PAM modules work as expected if you don't
have a TDBM backing the LDAP server?




From: "Seader, Cameron" <[EMAIL PROTECTED]er.com>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]IST.EDU>
To: [EMAIL PROTECTED]
cc:
Subject:
Date: 07/01/2004 10:02 AM
Please respond to: Linux on 390 Port <[EMAIL PROTECTED]IST.EDU>



Questions about Securing Linux for zSeries with a Central z/OS LDAP Server
(RACF)

We are in the process of setting this environment up and have questions
about what was mentioned in the Redbook.

1) Synchronization of RACF and LDAP TDBM backend data. From the above
manual on page 22...

User administration:

As some user information is duplicated in the RACF and DB2 backends, you
have to ensure that this data is kept synchronized. You should consider
getting some way to make sure that the overlapping data (userid, name of a
user, etc.) is always updated in the RACF data base and in the DB2 backend
with identical values. This might be done with some directives for the user
administration process or by some locally written administration utility.

... and from page 23 of the RedPaper:

Changing user data

After you have set up and populated the TDBM with user data, you have to
keep some information synchronized between RACF and TDBM when adding,
deleting or updating user entries. If you also set up SDBM, you can do this
simply by sending an ldapmodify request for the appropriate entry with
specific information to the SDBM and to the TDBM backend. It is relatively
simple to write a small program for this purpose.



2) Initial Loading of RACF data into LDAP.  From the above manual on page
23...

Initial setup in LDAP DB2 backend with RACF data:

For users who should get access to Linux systems and who are already z/OS
users with user information stored in a RACF database, it is probably
effective to populate the TDBM backend with that existing information and
complete it with the information necessary for a Linux account.

Recommendation:

1. Unload the RACF data base with IRRDBU00.

2. Extract all desired data from the flat file with a locally written REXX
program.

3. Create an ldif file.

4. Insert the data into TDBM with LDAP.


To do this (depending on the size of the file), use either the ldapmodify
command or, for mass insertion, the ldif2tdbm utility.

If you set up the SDBM backend for the z/OS LDAP server, then there is also
another way to initially fill the TDBM with RACF data: If you have a
program available that can read the contents of an LDAP directory and can
create an ldif file out of this information, you can use it to extract all
the data out of RACF via the SDBM backend (using the suffix of the SDBM).
The generated ldif file can then be examined and the entries that are not
to be put into the TDBM can be removed. Then complete the remaining entries
with the necessary information and import the modified ldif file into DB2
(using the suffix of the TDBM).

To be able to use the entries in the TDBM for Linux authentication and
identification, the entries must contain at least the information for a
POSIX user (uidnumber, gidnumber, username, loginshell, and home
directory).

Note: For Linux users you should ensure that uid numbers are unique.

Are there any ideas out there that anyone has on how to accomplish the above?
Are there any open source apps out there written to accomplish any of the
above? Any other suggestions? Has anyone set this kind of environment up
before and have experiences to share? Any recommendations?
TIA,

Cameron Seader



[INFO] -- Access Manager:
This transmission may contain information that is privileged, confidential
and/or exempt from disclosure under applicable law.  If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.  Thank you.   A2

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390





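The two "small program" steps in Cameron's quoted post, keeping an attribute identical in RACF (through the SDBM backend) and in the TDBM copy with paired ldapmodify requests, and turning an SDBM export into the POSIX entries the Redbook lists (uidnumber, gidnumber, username, loginshell, home directory) with the uid-uniqueness check it warns about, are shown together in the following added example. It was written for this page and is not code from the thread, the Redbook or IBM. Everything specific in it is an assumption: the SDBM suffix cn=racf, the TDBM suffix ou=people,o=example, the primary gid and default shell, the STCTASK exclusion, and the SDBM attribute names racfid, racfprogrammername, racfomvsuid, racfomvshome and racfomvsinitialprogram, which are assumed to follow the OMVS-segment mapping of the z/OS SDBM backend. The sample LDIF is constructed, not captured data. The script only produces LDIF; loading it into TDBM is still done with ldapmodify or ldif2tdbm as the Redbook describes.

```python
SDBM_SUFFIX = "cn=racf"               # assumed SDBM suffix
TDBM_SUFFIX = "ou=people,o=example"   # assumed TDBM suffix holding Linux accounts
DEFAULT_GID = "1000"                  # assumed primary group for Linux logins
DEFAULT_SHELL = "/bin/bash"           # used when the OMVS segment names no program
EXCLUDE = {"STCTASK"}                 # RACF ids that must never become Linux users
# Constructed sample, shaped like "ldapsearch -L" output from the SDBM suffix; racfomvs*
# attribute names assume the OMVS-segment mapping of the z/OS SDBM backend.
SAMPLE_SDBM_LDIF = """\
dn: racfid=JMELIN,profiletype=user,cn=racf
racfid: JMELIN
racfprogrammername: JAMES MELIN
racfomvsuid: 1001
racfomvshome: /u/jmelin
racfomvsinitialprogram: /bin/sh

dn: racfid=CSEADER,profiletype=user,cn=racf
racfid: CSEADER
racfprogrammername: CAMERON SEADER
racfomvsuid: 1001

dn: racfid=STCTASK,profiletype=user,cn=racf
racfid: STCTASK
racfomvsuid: 0
"""

def parse_ldif(text):
    """LDIF -> [{'dn': str, attr: [values]}]: names lower-cased, folded lines joined."""
    entries, current, last = [], None, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw == "":
            if current is not None:
                current["dn"] = current["dn"][0]
                entries.append(current)
            current, last = None, None
        elif raw.startswith(" "):                 # folded continuation line
            if current is not None and last is not None:
                current[last][-1] += raw[1:]
        else:
            name, sep, value = raw.partition(":")
            if raw.startswith("#") or not sep or value.startswith(":"):
                continue                          # comment, junk, or base64 (::) value
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current, last = {"dn": [value]}, "dn"
            elif current is not None:
                current.setdefault(name, []).append(value)
                last = name
    return entries

def linux_candidates(entries, exclude=EXCLUDE):
    """User profiles with an OMVS uid, minus the exclude list; groups never qualify."""
    return [e for e in entries if ",profiletype=user," in e["dn"].lower()
            and "racfomvsuid" in e and e.get("racfid", [""])[0].upper() not in exclude]

def to_posix(entry):
    """Minimal POSIX user per the Redbook; OMVS home/shell reused assuming the paths exist on Linux."""
    racfid = entry["racfid"][0]
    uid = racfid.lower()
    return {
        "dn": f"uid={uid},{TDBM_SUFFIX}",
        "objectclass": ["top", "account", "posixAccount"],
        "uid": [uid],
        "cn": [entry.get("racfprogrammername", [racfid])[0].title()],
        "uidNumber": [entry["racfomvsuid"][0]],
        "gidNumber": [DEFAULT_GID],
        "homeDirectory": [entry.get("racfomvshome", [f"/home/{uid}"])[0]],
        "loginShell": [entry.get("racfomvsinitialprogram", [DEFAULT_SHELL])[0]],
    }

def duplicate_uids(posix_entries):
    """Every uidNumber used more than once, mapped to the uids that share it."""
    seen = {}
    for e in posix_entries:
        seen.setdefault(e["uidNumber"][0], []).append(e["uid"][0])
    return {n: ids for n, ids in seen.items() if len(ids) > 1}

def render_ldif(entries):
    out = []
    for e in entries:
        out.append(f"dn: {e['dn']}")
        out += [f"{a}: {v}" for a, vals in e.items() if a != "dn" for v in vals] + [""]
    return "\n".join(out)

def build_tdbm_ldif(sdbm_ldif):
    """Parse -> filter -> convert -> uniqueness check; ldif is "" if uid numbers collide."""
    posix = [to_posix(e) for e in linux_candidates(parse_ldif(sdbm_ldif))]
    conflicts = duplicate_uids(posix)
    return ("" if conflicts else render_ldif(posix)), conflicts

def sync_change(racfid, sdbm_attr, tdbm_attr, value):
    """One update as two ldapmodify records: the SDBM entry (RACF applies it) and the TDBM copy."""
    rec = lambda dn, a: f"dn: {dn}\nchangetype: modify\nreplace: {a}\n{a}: {value}\n-\n"
    return (rec(f"racfid={racfid},profiletype=user,{SDBM_SUFFIX}", sdbm_attr) + "\n"
            + rec(f"uid={racfid.lower()},{TDBM_SUFFIX}", tdbm_attr))

if __name__ == "__main__":
    ldif, conflicts = build_tdbm_ldif(SAMPLE_SDBM_LDIF)
    print(ldif or f"refusing to load TDBM: duplicate uidNumber {conflicts}")
    print(sync_change("JMELIN", "racfprogrammername", "cn", "JAMES R MELIN"))
```

Run on the constructed sample it refuses to emit TDBM LDIF, because two RACF ids share OMVS uid 1001, and reports the conflict instead; the uid-0 started task is dropped by the exclude list before conversion, and anything without an OMVS segment or outside profiletype=user never becomes a candidate. Once the collision is fixed in RACF (not in the LDIF, or the two copies diverge from the start) the output loads with ldapmodify or ldif2tdbm, and sync_change produces the two change records, one per suffix, that the Redbook suggests sending for every later add, delete or update.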
