IBM Security Z Security

Security for Z

ldap distributed mapped ID with the httpd server on z/OS

  • 1.  ldap distributed mapped ID with the httpd server on z/OS

    Posted Mon September 15, 2025 09:52 AM

I am trying to work with httpd, RACMAP and distributed identities.

Does anyone know how to enable an LDAP-based mapped ID with the httpd server on z/OS?

For LDAP identity, I know that the following works fine with the LDAP SDBM backend:

    <Location /ldap_racf.html>
      AuthName "zos_sdbm"
      AuthBasicProvider ldap
      AuthType Basic
      AuthLDAPURL ldap://192.168.0.66:3389/sysplex=tx?racfid?sub?none
      Require valid-user
      Require ldap-group racfid=SYS1,profiletype=GROUP,sysplex=tx
      AuthLDAPGroupAttribute racfgroupuserids
      AuthLDAPBindDN "racfid=UUUUUUUU,profiletype=user,sysplex=tx"
      AuthLDAPBindPassword xxxxxxx
    </Location>

    But I tried the following for mapped IDs and it did not work... I don't know how to tell the httpd server to use mapped IDs the way WebSphere allows you to.

    With WAS Liberty you set the attribute mapDistributedIdentities="true" on the safCredentials element in the server.xml configuration file, and this is what drives the mapping to take place.

    But I don't know if it's possible with the httpd server on z/OS.

    <Location /ldap.html>
      AuthName "zos_ldbm"
      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPURL ldap://192.168.0.66:3389/ou=zxc_users,o=zcx,o=ibmmmop,c=fr?cn?sub?
      Require valid-user
      AuthLDAPBindDN "cn=admin"
      AuthLDAPBindPassword secret
    </Location>

    The mapping itself is OK:

    RACMAP ID(PRICHAR) MAP +
    USERDIDFILTER( +
    NAME('cn=prichar,ou=zxc_users,o=zcx,o=ibmmmop,c=fr')) +
    REGISTRY( +
    NAME('ldap://192.168.0.66:3389')) +
    WITHLABEL('Map LDAP prichar to PRICHAR')
    SETROPTS RACLIST(IDIDMAP) REFRESH

    ------------------------------
    philippe richard
    ------------------------------