Allow access to back end (RACF) through the well-established LDAP method.
Original Publication Date: 2001-Nov-03
Included in the Prior Art Database: 2003-Jun-19
A method is disclosed to allow a native Security Manager to perform authentication on behalf of an LDAP (Lightweight Directory Access Protocol) server using a well-established LDAP method and based upon industry-supported LDAP schema. An LDAP Server can rely upon the Security Manager for authentication rather than performing its own authentication. Through LDAP Server configuration parameters and schema additions, portions of a namespace may be designated to use the native Security Manager for authentication. This designation can be at a subtree level or down to an individual directory entry within the namespace.

Authentication to an LDAP Server is accomplished by performing an LDAP bind operation that supplies a distinguished name and a password. Authentication to a native Security Manager in the 390 environment can be accomplished by calling a service and providing a userid and a password. With this invention, additional attributes are defined that can be added to an LDAP directory entry to correlate the userid needed by the Security Manager with the distinguished name passed to the LDAP server. Either this new attribute, ibm-nativeId, or one defined in industry-standard schema, uid, can be used to establish the mapping of userid to distinguished name.

It may not be desirable to establish these userid-to-distinguished-name mappings for all entries within the directory. Configuration parameters for the LDAP server are provided to indicate whether all subtrees managed by the server should use the Security Manager for authentication, or only certain subtrees. It is also possible to configure the server so that only entries that contain the ibm-nativeId will use Security Manager authentication within the specified subtrees. This provides an LDAP administrator or security administrator with much flexibility in establishing which entries will use the Security Manager for authentication.
This method is specifically intended to work well with web servers that present a userid and password challenge to users. Typically, the web server will take the userid supplied by the user and perform an LDAP search for some "person"-type directory entry with that userid. If an entry is found, the distinguished name of that entry is used to perform an LDAP bind operation, authenticating the user. With the proper LDAP server configuration, the Security Manager userid and password can be entered by the user at the web server challenge and the LDAP server will allow the Security Manager to perform the authentication.
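The following is an added example, not part of the disclosure, that models the delegation decision and the web-server login flow described above: a bind is routed to the Security Manager only when the entry's DN falls inside a configured subtree and the entry supplies a userid via ibm-nativeId (or via uid, unless the server is configured to require ibm-nativeId). The configuration field names (mode, subtrees, native_id_only), the sample entries and the RACF stub are all constructed for illustration and are not the LDAP server's real configuration directives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, most specific first."""
    return [p.strip().lower() for p in dn.split(",")]

def in_subtree(dn: str, subtree: str) -> bool:
    """True if dn is the subtree root or lies beneath it."""
    d, s = rdns(dn), rdns(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

@dataclass
class NativeAuthConfig:                    # field names are assumptions, not real directives
    mode: str = "off"                      # "all", "selected" or "off"
    subtrees: List[str] = field(default_factory=list)  # consulted when mode == "selected"
    native_id_only: bool = False           # delegate only entries that carry ibm-nativeId

def native_userid(entry: Dict[str, str], cfg: NativeAuthConfig) -> Optional[str]:
    """Security Manager userid a bind to this entry is delegated to, or None
    when the LDAP server must verify the password itself."""
    if cfg.mode == "off":
        return None
    if cfg.mode == "selected" and not any(in_subtree(entry["dn"], s) for s in cfg.subtrees):
        return None
    if "ibm-nativeId" in entry:
        return entry["ibm-nativeId"]
    return None if cfg.native_id_only else entry.get("uid")

def ldap_bind(directory, cfg, dn, password, security_manager) -> bool:
    """Simple bind with DN and password; delegated to the Security Manager when configured."""
    entry = directory.get(",".join(rdns(dn)))
    if entry is None:
        return False
    userid = native_userid(entry, cfg)
    if userid is None:
        return entry.get("userPassword") == password   # LDAP server authenticates itself
    return security_manager(userid, password)

def web_login(directory, cfg, userid, password, security_manager) -> bool:
    """Web-server flow: search a person entry by uid, then bind with its DN."""
    hits = [e for e in directory.values() if e.get("uid") == userid]
    return len(hits) == 1 and ldap_bind(directory, cfg, hits[0]["dn"], password, security_manager)

# Constructed sample directory keyed by normalised DN, and a constructed RACF stub.
SAMPLE_ENTRIES = [
    {"dn": "cn=Jane Smith,ou=staff,o=example", "uid": "jsmith", "ibm-nativeId": "JSMITH"},
    {"dn": "cn=Bob Lee,ou=staff,o=example", "uid": "blee", "userPassword": "ldap-pw"},
    {"dn": "cn=Svc,ou=apps,o=example", "uid": "svc", "userPassword": "svc-pw"}]
DIRECTORY = {",".join(rdns(e["dn"])): e for e in SAMPLE_ENTRIES}
RACF_STUB = {"JSMITH": "racf-pw", "BLEE": "racf-pw2"}   # stands in for the Security Manager call
def racf_verify(userid: str, password: str) -> bool:
    return RACF_STUB.get(userid.upper()) == password
CONFIG = NativeAuthConfig(mode="selected", subtrees=["ou=staff,o=example"], native_id_only=True)
```

With CONFIG, a web challenge answered with jsmith's RACF password succeeds via the Security Manager, while blee (no ibm-nativeId) and svc (outside the subtree) are still checked against their LDAP userPassword.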