298 WebSphere Portal on z/OS
For customers whose corporate users, for example intranet users, are already held in an existing LDAP
registry on z/OS, you can simply point to that existing LDAP registry and make sure
it is configured for Portal use.
7.5 z/OS LDAP Native Authentication
The native authentication feature uses LDAP with the TDBM backend and any of the V3
person-type object classes, since they carry the attributes this method of
authentication needs. Portal Server still uses the Custom User Registry (CUR) and accesses LDAP for its
authentication step, but from a z/OS and OS/390 platform perspective the
password is actually verified by RACF, with all of its usual stringent rules applied
(password syntax and expiry rules, revocation after repeated failures, and auditing).
From a management perspective there is no need to administer multiple
registries or to synchronize passwords. Native authentication is implemented
through the addition of an LDAP attribute called
More importantly, from a WebSphere Portal perspective, RACF users and
non-RACF users can be defined in the same LDAP directory, and portal users see
no difference from the normal portal login.
7.5.1 The scenario
If all portal users are newly created, all of their userids are simply created in the
LDAP server as usual. More often than not, however, z/OS enterprises have existing
users in RACF who need access to the portal alongside the newly registered
external portal users. A mechanism is therefore needed to
authenticate against both LDAP and RACF.
7.5.2 The proposed solution
As mentioned in Chapter 1, “Benefits of having WebSphere Portal on z/OS”
on page 16, one of the benefits of running the LDAP server on the z/OS
system is that you can use native authentication. Native authentication connects
the LDAP server to RACF: the userid and password used to bind to LDAP are
passed to the z/OS Security Server (RACF) to be verified. With this setup, new internet or
extranet portal customers authenticate directly against the LDAP server, while
existing RACF intranet users authenticate with their RACF userid and password.
The architecture is shown at a high level in Figure 7-12 on page 299, where userid
java3 is also configured as the native-id attribute in LDAP, resulting in the
Attention: The z/OS LDAP Native Authentication setup is optional. This is not
a requirement for WebSphere Portal Server configuration and installation.
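The following LDIF is an added example, not taken from the Redbook, showing the two kinds of portal user described above side by side in one TDBM suffix: an existing RACF user (java3, as in Figure 7-12) whose bind is verified by RACF, and an external portal user whose password lives only in LDAP. The suffix o=ibm,c=us, the DNs, the cn/sn values and the external user's password are constructed for illustration. The attribute ibm-nativeId and the auxiliary object class ibm-nativeAuthentication are the native authentication schema names from IBM's z/OS LDAP documentation (the text above calls ibm-nativeId the "native-id attribute"); the slapd.conf options in the comments are likewise from IBM's LDAP server configuration reference and should be checked against your release.

```ldif
# Added example (not from the Redbook). Two portal users in one TDBM suffix;
# suffix, DNs and the external user's password are constructed.
#
# Native authentication is enabled in the TDBM section of the LDAP server
# configuration (slapd.conf) for the subtree that holds these entries:
#   useNativeAuth selected
#   nativeAuthSubtree ou=users,o=ibm,c=us
# "selected" means only entries in that subtree carrying ibm-nativeId are
# verified by RACF; all other entries keep ordinary LDAP password checking.

# Intranet user: already exists in RACF as JAVA3 (RACF userids are upper
# case). No userPassword is stored in LDAP; a simple bind to this DN is
# passed to RACF and checked against JAVA3's RACF password, so RACF expiry,
# revocation and audit rules apply to the portal login.
dn: uid=java3,ou=users,o=ibm,c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
uid: java3
cn: Java Three
sn: Three
ibm-nativeId: JAVA3

# External (internet/extranet) portal user: not defined in RACF. The bind is
# an ordinary LDAP check against userPassword held in TDBM.
dn: uid=extuser1,ou=users,o=ibm,c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: extuser1
cn: External User
sn: User
userPassword: constructed-example-password

# Verifying the setup after "ldapadd -f users.ldif" (assumed file name):
# a simple bind as java3 with the RACF password must succeed, and the same
# bind with an LDAP-only password must fail, because LDAP never consults a
# userPassword value for an entry that carries ibm-nativeId.
#   ldapsearch -h ldaphost -p 389 -D "uid=java3,ou=users,o=ibm,c=us" \
#              -w <RACF password of JAVA3> -b "" -s base objectclass=*
#   ldapsearch -h ldaphost -p 389 -D "uid=extuser1,ou=users,o=ibm,c=us" \
#              -w constructed-example-password -b "" -s base objectclass=*
```

Two practical consequences follow from this layout. First, Portal's CUR performs the same bind for both users, so the portal code needs no knowledge of which registry holds the password. Second, a password reset for java3 must be done in RACF, not by modifying userPassword in LDAP; an LDAP-side change is silently ignored for native users, which is exactly why the two registries never need synchronizing.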