Management & Control Services (MCS) supports LDAP version 3 on specific directories to provide its user and group list. LDAP is supported for a limited number of LDAP-enabled directory service products—for this release, support is provided for Active Directory for Windows 2000, Netscape Directory 4.0, Novell NetWare 5.0 (LDAP Service for NDS), and IBM OS/390 LDAP Server (via RACF).
When you configure the LDAP server, you can leave the Password field blank if the server allows it (the MCS server then binds to the directory without a password). However, users of MCS-compatible products that are authenticated through MCS cannot use a blank password.
The following sections outline requirements that are specific to each of the supported LDAP directory server types.
| ID Type | Example |
|---|---|
| SAM account name | johnsmith |
| User principal name | johnsmith@subdomain.mycompany.com |
| Common name | John Smith |
| LDAP distinguished name | CN=John Smith, CN=Users, DC=subdomain, DC=mycompany, DC=com |
| MCS name with hierarchical path | /com/mycompany/subdomain/Users/John Smith |

| ID Type | Example |
|---|---|
| User principal name | johnsmith@subdomain.mycompany.com |
| Active Directory canonical name | /subdomain.mycompany.com/Users/John Smith |
Racfid=administrator, profiletype=user, sysplex=ADCDPL
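The following is an added example (not part of MCS or this documentation) that tells the Active Directory ID formats in the tables above apart and converts an LDAP distinguished name into the MCS hierarchical path and the Active Directory canonical name; the conversion rules are inferred from the table rows and are assumptions, and the same DN splitter also handles the RACF form shown above.

```python
import re

# Constructed sample values taken from the tables above.
AD_DN = "CN=John Smith, CN=Users, DC=subdomain, DC=mycompany, DC=com"
RACF_DN = "Racfid=administrator, profiletype=user, sysplex=ADCDPL"

_UPN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, left to right.
    Commas escaped as '\\,' stay inside a value; this is not a full
    RFC 4514 parser (assumption: no other escapes are needed here)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError("not a distinguished name: %r" % dn)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def identify(s):
    """Return the table's ID type a string looks like. A single-word
    common name cannot be told from a SAM account name, so it is
    reported as the latter (heuristic, not an MCS rule)."""
    if s.startswith("/"):
        top = s.split("/")[1]
        return ("Active Directory canonical name" if "." in top
                else "MCS name with hierarchical path")
    if "=" in s:
        return "LDAP distinguished name"
    if _UPN.match(s):
        return "User principal name"
    return "Common name" if " " in s else "SAM account name"


def _split_domain(dn):
    rdns = parse_dn(dn)
    dcs = [v for a, v in rdns if a == "DC"]
    containers = [v for a, v in rdns if a != "DC"]
    return dcs, list(reversed(containers))  # container path, root first


def dn_to_mcs_path(dn):
    """CN=John Smith,CN=Users,DC=subdomain,DC=mycompany,DC=com
    -> /com/mycompany/subdomain/Users/John Smith (DCs reversed)."""
    dcs, containers = _split_domain(dn)
    return "/" + "/".join(list(reversed(dcs)) + containers)


def dn_to_canonical(dn):
    """Same DN -> /subdomain.mycompany.com/Users/John Smith."""
    dcs, containers = _split_domain(dn)
    return "/" + "/".join([".".join(dcs)] + containers)
```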
Server settings
Address: Enter the address of your LDAP directory server.
Port: Enter the port of the server you are using. The default, 389, is the standard LDAP port.
Schema: Select the type of schema that corresponds with the LDAP directory server you are using. The default schema is Netscape 4.0.
Distinguished name: Enter a distinguished name of a user who has browse permissions for the selected directory server. A distinguished name is a unique name of an item in a directory service. The following is an example distinguished name in standard LDAP format:
uid=jsmith, ou=Payroll, o=Acme.com, c=US
See the specific requirements for each of the supported LDAP directory server types (above) for supported distinguished name formats.
Password: Enter the password for the user who has browse permissions for the selected directory server.
Apply: Click this button to update the Directory view list (to the right) to display the directory from the selected address.
Depending on the security settings of your directory, you may need to provide a valid distinguished name and password for a user who has browse permissions to the directory before you can view the directory. These credentials are used by the MCS server whenever it browses the directory.
Directory view: Provides a view of the directory list of the selected directory server.
Browse recipients from: Lets you use a subdirectory of the directory service for the MCS list of users and groups. The field is updated based on which directory is selected in the View list.
If you select the Active Directory schema, note that Active Directory computer accounts cannot be used for assigning MCS permissions.
If you select the RACF/OS 390 schema, it is recommended that you do not select the User or Group subdirectory, as this will limit you to assigning permissions only to the selected type; instead, you should select the sysplex-level directory. If you select "profiletype=User", for example, you will not be able to assign permissions to groups.
OK: Click this button to save your LDAP server configuration settings.
Cancel: Click this button to close the Properties of LDAPv3 Directory page without saving any changes.