Option B. An authenticating directory plus a secondary directory

Conditions:

  • An LDAP directory is used to authenticate users.

  • Mainframe user names are stored on a separate LDAP directory that is not used for authentication.

Implementation scenario:

  1. Set up a separate LDAP server and create a new set of objects – one per user – in the second directory.

    The LDAP search filter would:

    (1) Find the user's object by matching the key attribute, and

    (2) Find the attribute within that object that holds the mainframe user name.

    Advantages:

    • The object is stable over time.

    • Using Assign Access (in MSS), several options are available for searching the second LDAP directory and authorizing users to use automated sign-on:

      • Select UPN as the key to a secondary LDAP search filter.

      • Specify the LDAP attribute in the authenticating directory from which the UPN is obtained.

      • Select an LDAP attribute value in the authenticating directory as the key to a secondary LDAP search filter.

      • Select a literal value as the key to a secondary LDAP search filter.

    Disadvantage:

    • This scenario requires two LDAP directories.
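The two-step lookup described in the implementation scenario, as an added example that is not MSS code or part of the original documentation. It builds the secondary search filter from the key obtained from the authenticating directory (a UPN, an attribute value, or a literal), escapes that key per RFC 4515 so it cannot alter the filter, then reads the mainframe user name attribute from the single matching object. The directory is an in-memory stand-in for the second LDAP server, and the attribute names (`userPrincipalName`, `mfUserId`, `cn`) and entries are constructed placeholders, not names from the product.

```python
import re

# Added example: stand-in for the second (non-authenticating) LDAP directory.
# DN -> attributes. All names and values here are constructed placeholders.
SECONDARY_DIRECTORY = {
    "cn=jsmith,ou=mainframe,dc=example,dc=com": {
        "cn": ["jsmith"],
        "userPrincipalName": ["jsmith@example.com"],
        "mfUserId": ["JSMITH01"],
    },
    "cn=adoe,ou=mainframe,dc=example,dc=com": {
        "cn": ["adoe"],
        "userPrincipalName": ["adoe@example.com"],
        "mfUserId": ["ADOE01"],
    },
    # A stale duplicate: same UPN as adoe, so a UPN lookup for adoe is ambiguous.
    "cn=adoe-old,ou=mainframe,dc=example,dc=com": {
        "cn": ["adoe-old"],
        "userPrincipalName": ["adoe@example.com"],
        "mfUserId": ["ADOE00"],
    },
    # Reached via the "literal value" key option rather than a per-user UPN.
    "cn=shared-operator,ou=mainframe,dc=example,dc=com": {
        "cn": ["shared-operator"],
        "mfUserId": ["OPER01"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\XX) back to the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_secondary_filter(key_attr: str, key_value: str) -> str:
    """Step 1 filter: match the user's object on the chosen key attribute."""
    return f"({key_attr}={escape_filter_value(key_value)})"


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def search(directory: dict, filter_str: str) -> list:
    """Evaluate a single equality filter (attr=value) or presence filter (attr=*).

    This is a minimal evaluator for the stand-in directory; a real server supports
    the full filter grammar. Attribute names compare case-insensitively, as in LDAP.
    """
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, raw = m.group(1).lower(), m.group(2)
    matches = []
    for dn, attrs in directory.items():
        values = next((v for k, v in attrs.items() if k.lower() == attr), [])
        if raw == "*":  # presence filter: any object that has the attribute
            if values:
                matches.append(dn)
        elif unescape_filter_value(raw) in values:
            matches.append(dn)
    return matches


def lookup_mainframe_user(directory: dict, key_attr: str, key_value: str, target_attr: str):
    """Step 1: find the user's object by key attribute. Step 2: read the mainframe user name.

    Returns None when no object matches. Raises LookupError when the key matches more
    than one object, because automated sign-on must not guess between candidates.
    """
    flt = build_secondary_filter(key_attr, key_value)
    dns = search(directory, flt)
    if not dns:
        return None
    if len(dns) > 1:
        raise LookupError(f"{flt} matched {len(dns)} objects; refusing automated sign-on")
    values = directory[dns[0]].get(target_attr, [])
    return values[0] if values else None


if __name__ == "__main__":
    # UPN from the authenticating directory used as the key
    print(lookup_mainframe_user(SECONDARY_DIRECTORY, "userPrincipalName", "jsmith@example.com", "mfUserId"))
    # Literal value used as the key
    print(lookup_mainframe_user(SECONDARY_DIRECTORY, "cn", "shared-operator", "mfUserId"))
    # An escaped "*" is a literal star, not a presence filter, so it matches nothing
    print(build_secondary_filter("userPrincipalName", "*"))
```

The escaping step is what keeps the key value data rather than filter syntax: an unescaped `*` would turn the step-1 filter into a presence filter matching every object that has the attribute, whereas the escaped `\2a` matches only a literal star. The ambiguity check covers the case where the second directory has drifted (duplicate or stale objects), which the per-user object design otherwise makes easy to miss.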