Common Settings
These settings apply to either a z/OS or a non-z/OS system configured for Automated Sign-On.
User Principal Name (UPN)
An LDAP attribute value in the form of a User Principal Name (UPN) may be used as a direct source for a user's host name or as an element in a search filter for a secondary LDAP directory.
A UPN generally takes the form of an email address, such as auser@domain.com. Enter the name of the LDAP attribute in the authenticating directory that contains the UPN value.
To determine the user's name on the host computer, MSS looks at the user's UPN value in LDAP. The portion before the @ sign is then used either
- as the user's host name itself (when the UPN is selected for mapping directly without the use of a secondary LDAP directory). For example, a UPN of auser@domain.com would result in the user's name on the host of "auser" (the portion before the @).
-- or --
- as an element in a search filter for a secondary LDAP directory.
Secondary LDAP directory
User names may be stored in a secondary LDAP directory, which can be different from the directory used for authentication.
Click the switch to Enable and expand the settings for a secondary LDAP server.
Server type
Select the type of LDAP server that is used to store user names. The options on this panel change depending on the LDAP server type you select. If you do not see your specific LDAP server in the list, select Generic LDAP Compliant Directory Server (RFC 2256).
Security options
Data can be passed between the MSS Server and the LDAP server as clear text or encrypted. The type of encryption used depends on your LDAP server. TLS is available for all server types, and Kerberos v5 is available for Windows Active Directory.
- Plain Text. By default, Management and Security Server transmits data between the MSS Server and the LDAP server in clear text. If you choose this option, you should prevent users from accessing the network link between these two servers.
- TLS. When using TLS as the security option for an LDAP server, you must import the server's trusted certificate. Use the IMPORT CERTIFICATE button (below). If you are presented with multiple certificates, it is best to import the CA certificate.
- Kerberos v5. When you select Windows Active Directory with Kerberos, you must enter the name of the Kerberos key distribution centers. Multiple key distribution centers, delimited by commas or spaces, can be used. If you do not know the name of the Kerberos key distribution center, enter the fully-qualified DNS name of the Active Directory server.
The option under the key distribution center name field allows you to encrypt all data transmitted over the Kerberos connection. By default, only user names and passwords are passed securely between the Administrative and LDAP servers using Kerberos. Encrypting all data is more secure, but may increase performance overhead.
Server name
Enter the LDAP server name as either a name or a full IP address. When using TLS, this LDAP server name must exactly match the Common Name on the LDAP server's certificate.
Multiple server names, delimited by commas or spaces, can be used for failover support. If an LDAP server is down, the next server on the list will be contacted. In this case, all fields specified on this panel that are used for LDAP connections should be available on all the LDAP servers, and should have identical configurations.
Windows Active Directory - DNS domain. When Windows Active Directory is selected (without Kerberos), you have the option to use a DNS domain instead of a specific domain controller. No further configuration is required. For more information, see LDAP Configuration.
Server port
Enter the port used by your LDAP server. The default is 389 for plain text or 636 for TLS.
If you are using Active Directory, you may wish to set the server port to the global catalog port, which is 3268 (or 3269 over TLS). Global catalog searches can be faster than referral-based cross-domain searches.
Username and Password
Provide the username and password for an LDAP server account that can be used to access the directory in Read-only mode.
Generally, the account does not require any special directory privileges but must be able to search the directory based on the most common directory attributes (such as cn, ou, member, and memberOf). Re-enter the password in the Password confirmation box.
Note
The username must uniquely identify the user in the directory. The syntax depends on the type of LDAP server you are using.
- For Windows Active Directory with Plain Text, enter NetBIOS domain\sAMAccountName (such as exampledomain\username), userPrincipalName (such as username@exampledomain.com), or distinguished name (such as uid=examplename,DC=examplecorp,DC=com).
- For any other LDAP server type, enter the distinguished name (such as uid=examplename,DC=examplecorp,DC=com).
If this account password changes, be sure to update the account password here and apply the new settings. To avoid this problem, you may wish to set up an account that is not subject to automatic password aging policies, or that cannot be changed by other administrators without notice.
Directory search base
Enter the distinguished name of the node in the directory tree you want to use as the base for MSS Server search operations.
Examples: DC=my_corp,DC=com or o=my_corp.com
For more information about how to describe the search base, contact the LDAP administrator for your organization.
Test Connection
Click Test Connection to verify that the secondary LDAP server can connect to the MSS Server. If the test fails, consult the logs to resolve the issue.
Search filter used with secondary LDAP directory
When Secondary LDAP Server is enabled, the search filter on the secondary LDAP directory can be used in Assign Access to authorize users or groups to access specific sessions.
Choose and configure a method for obtaining a user's name on the host computer from the secondary LDAP directory.
- Use value derived from the UPN
When using a secondary LDAP directory, "auser" is used as the derived value to look up another value in the secondary directory that contains the user's name. For instance, a search filter could be created for a secondary lookup, where "(some attribute in 2ndary=auser)". Enter the attribute from the secondary directory.
- Use value obtained from an attribute in the authenticating LDAP directory
Alternatively, Automated Sign-On can use a value of another attribute in the authenticating directory as the value in the search filter to find the object in the secondary LDAP directory containing the user's name.
Enter the attributes from both the authenticating and the secondary LDAP directories.
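The following is an added illustration, not MSS product code, of the two lookup methods just described: taking the portion of the UPN before the @ sign, or taking the value of another attribute from the authenticating entry, and building the "(attribute=value)" search filter for the secondary directory. It also shows the check a practitioner would want when a directory-supplied value is placed into a filter: escaping it per RFC 4515 so that characters such as * ( ) \ cannot change the filter's meaning. The attribute names (uid, employeeID, racfid), the sample UPNs and the sample authenticating entry are constructed for the example and are not taken from the page.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4512 attribute description: a descriptor optionally followed by ;options.
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def host_name_from_upn(upn: str) -> str:
    """Return the portion of the UPN before the '@' sign (the page's "auser")."""
    local, sep, domain = upn.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user principal name: {upn!r}")
    return local


def secondary_search_filter(attribute: str, value: str) -> str:
    """Build '(attribute=value)' for the secondary directory, with the value escaped.

    The attribute name comes from the administrator's configuration, so it is
    validated against the attribute-description grammar rather than escaped.
    """
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def filter_from_upn(upn: str, secondary_attribute: str) -> str:
    """Method 1: the value before the '@' in the UPN is the search value."""
    return secondary_search_filter(secondary_attribute, host_name_from_upn(upn))


def filter_from_authenticating_attribute(
    entry: dict, auth_attribute: str, secondary_attribute: str
) -> str:
    """Method 2: a single-valued attribute of the authenticating entry is the search value."""
    values = entry.get(auth_attribute) or []
    if len(values) != 1:
        raise ValueError(
            f"{auth_attribute!r} must be single-valued on the authenticating entry"
        )
    return secondary_search_filter(secondary_attribute, values[0])


# Constructed sample entry, standing in for the authenticating directory's object.
SAMPLE_ENTRY = {
    "userPrincipalName": ["auser@domain.com"],
    "employeeID": ["E12345"],
}


if __name__ == "__main__":
    print(filter_from_upn("auser@domain.com", "uid"))            # (uid=auser)
    print(filter_from_authenticating_attribute(SAMPLE_ENTRY, "employeeID", "racfid"))
    # A UPN local part containing filter metacharacters stays a literal value:
    print(filter_from_upn("a*)(b@domain.com", "uid"))             # (uid=a\2a\29\28b)
```

The escaping matters because the search value is not typed by the administrator; it is read from a directory attribute, and an LDAP filter built by plain string concatenation would treat any parentheses or wildcards in that value as filter syntax. Rejecting multi-valued attributes in the second method avoids the ambiguous case where the authenticating entry would yield more than one candidate host name.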
Next step
- Configure your Client settings for Automated Sign-On
- For z/OS systems, see the Automated Sign-on for Mainframe - Administrator Guide for the client and z/OS configuration.