Conditions:
An LDAP directory is used to authenticate users.
Mainframe user names are stored on a separate LDAP directory that is not used for authentication.
Implementation scenario:
Set up a separate LDAP server and create a new set of objects – one per user – in the second directory.
The LDAP search filter would:
(1) Find the user's object in the second directory, using the key value obtained from the authenticating directory, and
(2) Read the attribute within that object that holds the mainframe user name.
Advantages:
Each user's object in the second directory is stable over time, so the mapping to the mainframe user name is not affected by changes in the authenticating directory.
Using Assign Access (in MSS), several options are available for searching the second LDAP directory and authorizing users to use automated sign-on:
Select UPN as the key to a secondary LDAP search filter.
Specify the LDAP attribute in the authenticating directory from which the UPN is obtained.
Select an LDAP attribute value in the authenticating directory as the key to a secondary LDAP search filter.
Select a literal value.
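The two-step lookup above (find the object by a key from the authenticating directory, then read the mainframe user name from it) as an added example; this is not MSS code and not the product's own filter syntax. It assumes a key attribute named userPrincipalName, a result attribute named mfUserName, and a small constructed in-memory secondary directory. It shows the practitioner caveat the scenario implies: the key value comes from another directory, so it must be escaped per RFC 4515 before being placed in the filter, and only exactly one matching object carrying the attribute should authorize sign-on.

```python
from typing import Optional

# Constructed secondary-directory contents (assumption for this example):
# one object per user. The attribute names userPrincipalName and mfUserName
# are illustrative, not names taken from MSS.
SECONDARY_DIRECTORY = [
    {"dn": "cn=alice,ou=mainframe,dc=example,dc=com",
     "userPrincipalName": "alice@example.com", "mfUserName": "ALICE01"},
    {"dn": "cn=bob,ou=mainframe,dc=example,dc=com",
     "userPrincipalName": "bob@example.com", "mfUserName": "BOB01"},
    # Object exists but carries no mainframe user name: must not be authorized.
    {"dn": "cn=carol,ou=mainframe,dc=example,dc=com",
     "userPrincipalName": "carol@example.com"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for inclusion in an LDAP search filter (RFC 4515).

    A key read from the authenticating directory is still untrusted as far as
    the second directory's filter is concerned: an unescaped '*' or ')' would
    change the filter's meaning (LDAP filter injection).
    """
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_secondary_filter(key_attr: str, key_value: str, result_attr: str) -> str:
    """Step (1) as a filter string: match the object whose key attribute equals
    the value from the authenticating directory, and require that the
    mainframe-user-name attribute is present on it."""
    return "(&(%s=%s)(%s=*))" % (key_attr, escape_filter_value(key_value), result_attr)


def lookup_mainframe_user(key_attr: str, key_value: str, result_attr: str,
                          directory=SECONDARY_DIRECTORY) -> Optional[str]:
    """Steps (1) and (2) evaluated against the in-memory directory with the
    semantics the filter above would have on a real server: equality on the
    key (case-insensitive, assuming the attribute uses caseIgnoreMatch) and
    presence of the result attribute. Exactly one match is required; zero or
    several matches yield None so an ambiguous mapping never grants sign-on.
    The raw (unescaped) key is compared here; escaping only applies to the
    wire representation of the filter."""
    matches = [obj for obj in directory
               if obj.get(key_attr, "").lower() == key_value.lower()
               and result_attr in obj]
    if len(matches) != 1:
        return None
    return matches[0][result_attr]


if __name__ == "__main__":
    for upn in ("alice@example.com", "carol@example.com", "*"):
        print(build_secondary_filter("userPrincipalName", upn, "mfUserName"),
              "->", lookup_mainframe_user("userPrincipalName", upn, "mfUserName"))
```

With a literal value as the key (the last Assign Access option above), the same filter builder applies; the escaping matters most when the key is a UPN or another attribute value copied from the authenticating directory.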
Disadvantage:
This scenario requires two LDAP directories to be set up and maintained.