<rant> You really need to educate your management that just because you have RACF on z/OS doesn't mean you have it for VM. If you have two cars, an Oldsmobile and a Toyota, and the Toyota has a steering wheel, that doesn't mean the Oldsmobile can use it at the same time. RACF for VM and RACF for z/OS are two different products and require two different licenses.

Let me recommend VM:Secure in place of RACF. It's a much better product, easier to use and far more capable. And let your management know that running without an ESM is just an invitation to hackers, both internal and external. VM's built-in security is pretty good, but someone knowledgeable in VM systems can break it. (True story: About 18 years ago I got a job as SP with a small company that had a fairly new VM system. First day, I said I'd need a userid. The boss said the guy that gives userids was out that day. Six minutes later, I went back to him, having logged on as MAINT, and told him his security sucked. They didn't have an ESM. Six minutes to log on to MAINT without knowing a thing about the system beforehand. Old-timers will know exactly how I did it.)

Finally, what company do you work for? So that I'll know never to apply there. I already have enough problems with clueless management where I work now. </rant>

All that said, the answer to your question, "is it possible to authenticate VM against LDAP on z/OS?", is, in principle, yes. The real, practical answer is no. VM does not interface with LDAP directly. There are no products on the market or available for download, to the best of my knowledge with 21 years of experience with VM, that will allow you to do this.

So what you are left with is writing your own. IBM supplies the ESM stubs (HCPRPI, HCPRPW and the like) that allow this and provides documentation (somewhere) about how to write ESM interfaces. In principle, if you are a REALLY good assembler programmer (and writing assembler code for CP is two orders of magnitude harder than writing application code in assembler), you could write an interface to have VM contact a remote LDAP for authentication, possibly over CTCs or HiperSockets. You'd have to have some kind of default authentication in there in case communications were down or z/OS was down. This is not a job I'd want to try.
Just writing three CP exits a few years ago took me four months full time and I crashed the second-level system more than 400 times and the first-level system (when I put the exits on it) about half a dozen times. I learned more about CP internals and how to use VMDUMPTL than I ever wanted to know. Do you have the time to take on this project? You could farm it out, but, frankly, buying RACF or VM:Secure would be cheaper.

"An Optimist is just a Pessimist with no job experience" - Scott Adams

Gordon W. Wolfe, Ph.D.
Boeing VM Enterprise Servers
425-865-5940

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]
Sent: Monday, September 20, 2004 8:29 AM
To: [EMAIL PROTECTED]
Subject: Securing VM using LDAP?

Is it possible to set up VM so that you can authenticate against LDAP? We don't have RACF for VM and our management will not currently sign off on 'paying for something we already have'. As we have RACF for z/OS, and we don't run z/OS under VM, is it possible at all to have VM authenticate user IDs via LDAP?

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
