MFA is an option you may want to look at; it allows the use of other authentication factors, one of them being LDAP. This plugin is the AZFLDAP1 Factor, and when you configure it, you can specify the hostname (or IP address) of the primary LDAP server. This is where you will define your AD server, so that RACF users configured with that authentication factor will authenticate by entering their AD password. You can optionally indicate that you want to implement Compound In-band Authentication, in which case the credentials entered by the RACF userid will have to be in the form of ldap_password:RACF_password (separated by a colon) for enhanced and multifactor security. The Compound In-band Factor Separator specifies the character that delimits the MFA credential from the RACF Password or Password Phrase. Valid values are: +, <, =, >, &, ', (, ), ,, _, -, ., /, :, ;, ?, %, *, ", or |.
The default is : (colon).
More information can be found here:
https://www.ibm.com/docs/en/zma/2.0?topic=customization-configuring-mfa-mfa-ldap
------------------------------
Philippe Richard
IBM Systems Lab Services
IBM France
------------------------------
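As an added illustration (not code from the original post and not IBM's AZFLDAP1 implementation), the following Python model shows how a compound in-band credential of the form ldap_password:RACF_password is split at the configured separator and why both factors must verify before access is granted; the first-occurrence split rule and the verifier callbacks are assumptions made for the example.

```python
# Illustrative model of the compound in-band credential format described above.
# It is NOT IBM's implementation: the split rule (first occurrence of the
# separator) and the verifier callbacks are assumptions for this example.
from typing import Callable, Optional, Tuple

# Separator characters the documentation lists as valid; ':' is the default.
VALID_SEPARATORS = set("+<=>&'(),_-./:;?%*\"|")
DEFAULT_SEPARATOR = ":"


def check_separator(sep: str) -> str:
    """Reject a separator that is not one of the documented single characters."""
    if len(sep) != 1 or sep not in VALID_SEPARATORS:
        raise ValueError(f"invalid compound in-band separator: {sep!r}")
    return sep


def split_compound(credential: str, sep: str = DEFAULT_SEPARATOR) -> Optional[Tuple[str, str]]:
    """Split 'ldap_password<sep>RACF_password' into its two parts.

    Assumption: the first occurrence of the separator delimits the parts, so the
    RACF password may itself contain the separator but the LDAP password may not.
    Returns None (fail closed) when the separator or either part is missing.
    """
    check_separator(sep)
    ldap_pw, found, racf_pw = credential.partition(sep)
    if not found or not ldap_pw or not racf_pw:
        return None
    return ldap_pw, racf_pw


def authenticate_compound(credential: str,
                          verify_ldap: Callable[[str], bool],
                          verify_racf: Callable[[str], bool],
                          sep: str = DEFAULT_SEPARATOR) -> bool:
    """Both factors must verify; a malformed credential is a failure, not a fallback."""
    parts = split_compound(credential, sep)
    if parts is None:
        return False
    ldap_pw, racf_pw = parts
    # Evaluate both factors unconditionally so the result does not reveal which one failed.
    ldap_ok = verify_ldap(ldap_pw)
    racf_ok = verify_racf(racf_pw)
    return ldap_ok and racf_ok


if __name__ == "__main__":
    # Constructed sample verifiers standing in for the AD bind and the RACF check.
    ad = lambda pw: pw == "AdPassw0rd"
    racf = lambda pw: pw == "RacfPw:1"
    print(authenticate_compound("AdPassw0rd:RacfPw:1", ad, racf))  # True
```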
Original Message:
Sent: Mon April 26, 2021 06:08 PM
From: Ian Chappell
Subject: Connecting RACF to Cloud based Active Directory
Hi
I'm looking to see if there is a solution that connects the mainframe security product to a cloud-based Active Directory (AD) solution - like Azure. I have a client who wants to do all of their userid management through AD, but they need to enable single-sign-on to include z/OS and to allow for a direct mapping of an AD ID to z/OS Userids.
They would also like to propagate a 'single-password' (I know there are security issues with that!) across all the platforms too, including z/OS.
Anyone ever come across such a solution or know if this is possible?
Thanks
------------------------------
Ian Chappell
------------------------------