Mainframe Storage

  • 1.  DS8900 LDAP

    Posted Mon July 24, 2023 01:30 PM
    Hello,
     
    I'm working with a customer that wants to implement LDAP for a DS8K in a Mainframe environment.
     
    Although I shared some documentation with the customer (REDP-5460, for example), they would like to know some other aspects that perhaps someone who has already done the implementation can help with.
     
    Customer's doubts:
     
    • In case of a disaster, where the LDAP probably becomes unavailable, what was the strategy defined to access the Storage?
    • Was the LDAP implemented to have local access for admin users?
    • Was the LDAP implemented for the Service users? Or do the Service users remain with local access only?
    Please feel free to share your experience; it will probably help to decide what to do.
     
    Thanks in advance.


    ------------------------------
    Denis Augusto Pereira
    ------------------------------


  • 2.  RE: DS8900 LDAP

    Posted Sat July 29, 2023 05:54 AM

    Hi Denis,

    It appears the first two questions are answered in REDP-5460-03:

    3.3.1 Local administrator user ID considerations with LDAP 
    
    Only one DS8000 authentication policy can be active at a time: either the basic-local or the remote authentication policy. When enabling the remote authentication policy, it is a best practice to have one local user ID that is defined with the Administrator role, which can still access the DS8000 system even with the remote authentication policy active. This authentication design allows you to access the DS8000 system if the LDAP servers are not available due to a planned or unplanned outage.
    This administrator user ID is the only one that can disable remote authentication whenever you must do so. Therefore, you must plan carefully who should be responsible for it.


    This process is further detailed in:

    4.1.7 Enable Local Administrator window
    
    In the Enable Local Administrator window, which is shown in Figure 4-13, click Enable to use a local user ID with the Administrator role for the storage system, in addition to LDAP authentication. If you enable the local Administrator role, then you can select one user ID with the Administrator role from the User Name menu on your DS8000.
    We strongly advise that you provide a local administrator as a fail-back solution if the LDAP environment becomes unavailable.


    As for IBM service users, the answer is: it depends.

    LDAP control extends to dsGUI; however, it does not apply to the WUI or to remote support access via SSH.



    ------------------------------
    STEFAN LEHMANN
    ------------------------------
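The REDP-5460 guidance quoted above (remote policy active, one local user ID with the Administrator role retained as fail-back) is easy to state and easy to drift away from over time. The following is an added audit script, not code from the thread or from IBM; it assumes a constructed inventory of user accounts with a name, role and authentication source, and an active policy name of either "basic-local" or "remote", which is how this example labels the two policies the Redbook describes. The output format of the DS CLI is not assumed; the inventory is built inline.

```python
"""Audit a DS8000-style user inventory against the local-administrator
fail-back practice described in REDP-5460 3.3.1 / 4.1.7.

Rule checked: when the remote (LDAP) authentication policy is active,
exactly one local user ID with the Administrator role should remain so the
system stays reachable if the LDAP servers are unavailable.
"""
from dataclasses import dataclass

REMOTE_POLICY = "remote"
LOCAL_POLICY = "basic-local"
ADMIN_ROLE = "Administrator"


@dataclass(frozen=True)
class UserAccount:
    name: str
    role: str         # e.g. "Administrator", "Monitor"
    auth_source: str  # "local" or "ldap"


# Constructed sample inventory (hypothetical names, not from any real system).
SAMPLE_INVENTORY = [
    UserAccount("breakglass_admin", ADMIN_ROLE, "local"),
    UserAccount("ops_team_a", ADMIN_ROLE, "ldap"),
    UserAccount("monitor_b", "Monitor", "ldap"),
]


def audit_fallback(active_policy, accounts):
    """Return (compliant, findings) for the fail-back rule.

    findings is a list of human-readable strings; compliant is True only
    when no blocking finding was raised.
    """
    findings = []
    if active_policy not in (REMOTE_POLICY, LOCAL_POLICY):
        findings.append(f"unknown authentication policy '{active_policy}'")
        return False, findings

    if active_policy == LOCAL_POLICY:
        # All access is local under the basic policy; the LDAP outage
        # scenario does not apply, so nothing further to check here.
        return True, findings

    local_admins = sorted(
        a.name for a in accounts
        if a.auth_source == "local" and a.role == ADMIN_ROLE
    )
    if not local_admins:
        findings.append(
            "remote policy active but no local Administrator fail-back user "
            "exists: the system is unreachable for administration if LDAP is down"
        )
    elif len(local_admins) > 1:
        findings.append(
            "more than one local Administrator retained under remote policy; "
            "the guidance is to select one: " + ", ".join(local_admins)
        )

    # Informational: local non-admin accounts are not covered by the rule,
    # but an auditor usually wants to see they still exist.
    other_locals = sorted(
        a.name for a in accounts
        if a.auth_source == "local" and a.role != ADMIN_ROLE
    )
    if other_locals:
        findings.append("info: other local accounts present: " + ", ".join(other_locals))

    blocking = [f for f in findings if not f.startswith("info:")]
    return not blocking, findings


if __name__ == "__main__":
    ok, notes = audit_fallback(REMOTE_POLICY, SAMPLE_INVENTORY)
    print("compliant" if ok else "NOT compliant")
    for note in notes:
        print(" -", note)
```

Run it against a real inventory by replacing SAMPLE_INVENTORY with accounts read from whatever export the environment provides; the point of the check is that the single fail-back administrator is verified, not assumed, and that its owner is known before an LDAP outage rather than during one.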



  • 3.  RE: DS8900 LDAP

    Posted Mon July 31, 2023 04:28 PM

    Hi both, 

    We have implemented LDAP on the WUI and it has been working well for us. We deleted the local accounts and replaced them with LDAP accounts with the required privileges for service users as well as customer users. The exceptions are the local users root and PE, which cannot be deleted; however, IBM have demonstrated that these users have additional controls to secure the accounts.

    Regards,

    Rohan



    ------------------------------
    Rohan Chauhan
    ------------------------------