We used the CA PAM module with the PAM server running on zOS. It did not catch any updates made locally and added them to ACF2 which makes sense. you don't just anyone being able to update ACF2
I have not tried it in some time. I do remember actually having to fix a problem in the source for the Linux PAM module at the time, as it left the group name all UpperCase which Linux did not like. William 'Doug' Carroll Mainframe Systems Eng Sr I Global Technology Infrastructure ECS Mainframe Operating System Services Explore IT, build IT, exploit IT - Creating excellence through teamwork. Office: (614) 213-4954 Pager: [EMAIL PROTECTED] Cell: (614) 209-0649 Fax: (614) 244-9897 http://www.jpmchase.com Yu Safin <[EMAIL PROTECTED] m> To Sent by: Linux on [email protected] 390 Port cc <[EMAIL PROTECTED] IST.EDU> Subject Re: CA's PAM-Client and PAM-Server 10/06/2006 08:35 AM Please respond to Linux on 390 Port <[EMAIL PROTECTED] IST.EDU> On 10/5/06, Doug Carroll <[EMAIL PROTECTED]> wrote: > The last time I looked at the CA PAM module it is a very basic PAM module > that simply performs a adduser for you to the local passwd file. > you can setup pam.d to use the PAM server to validate login etc... but it > does not that I ever saw do any checks for resources. > Doug, if someone adds a user to a local guest, would the PAM Module catch it and update ACF2? are you using the CA PAM or the Linux distributed PAM-LDAP modules? > > > William 'Doug' Carroll > Mainframe Systems Eng Sr I > Global Technology Infrastructure > ECS Mainframe Operating System Services > Explore IT, build IT, exploit IT - Creating excellence through teamwork. > > > Office: (614) 213-4954 > Pager: [EMAIL PROTECTED] > Cell: (614) 209-0649 > Fax: (614) 244-9897 > http://www.jpmchase.com > > > > > > > Yu Safin > <[EMAIL PROTECTED] > m> To > Sent by: Linux on [email protected] > 390 Port cc > <[EMAIL PROTECTED] > IST.EDU> Subject > CA's PAM-Client and PAM-Server > > 10/05/2006 04:16 > PM > > > Please respond to > Linux on 390 Port > <[EMAIL PROTECTED] > IST.EDU> > > > > > > > We are doing a proof of concept using CA's pam-client, pam-server and ACF2. > The pam-client (we received the binaries from CA) was installed on our > Linux guest. > The pam-server was install under zOS as a started task (it is a USS > service). > ACF2 was there already for zOS security. We added the Linux segment to > ACF2. > We have run into some issues that you might be able to help us with. > 1) when we define a user on the ACF2 segment for Linux, we also seem > to need to have the same user on the Linux side in /etc/passwd. This > is contrary to my understanding. > 2) we can't seem find a way to define more than one group for the > user. We have to go to the Linux guest to add groups and membships of > those groups. > 3) we seem to be able to authenticate users during telnet/ssh sign ons > but how do we perform authentication? I.e. how do I make sure that a > user does not execute or read files. I would like to manage by > definining roles/groups and then making a user a member of one or more > groups. > > ---------------------------------------------------------------------- > For LINUX-390 subscribe / signoff / archive access instructions, > send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or > visit > http://www.marist.edu/htbin/wlvindex?LINUX-390 > > > > ----------------------------------------- > This transmission may contain information that is privileged, > confidential, legally privileged, and/or exempt from disclosure > under applicable law. If you are not the intended recipient, you > are hereby notified that any disclosure, copying, distribution, or > use of the information contained herein (including any reliance > thereon) is STRICTLY PROHIBITED. Although this transmission and > any attachments are believed to be free of any virus or other > defect that might affect any computer system into which it is > received and opened, it is the responsibility of the recipient to > ensure that it is virus free and no responsibility is accepted by > JPMorgan Chase & Co., its subsidiaries and affiliates, as > applicable, for any loss or damage arising in any way from its use. > If you received this transmission in error, please immediately > contact the sender and destroy the material in its entirety, > whether in electronic or hard copy format. Thank you. > > ---------------------------------------------------------------------- > For LINUX-390 subscribe / signoff / archive access instructions, > send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit > http://www.marist.edu/htbin/wlvindex?LINUX-390 > ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
