310 WebSphere Portal on z/OS
by RACF. Therefore, to verify that native authentication is truly set up
correctly, you have to run a negative test.
Enter the user ID of a user that exists in RACF, enter a wrong password, and
attempt to log in. You should not be successful. If you examine the system log
using z/OS System Display and Search Facility (SDSF), you should see a
message from RACF rejecting the authentication. That tells us that the user ID
and password were passed on to RACF because of the special LDAP attribute,
namely ibm-nativeId, and that RACF indeed performed the authentication check
but returned a failure.
That successfully demonstrates the setup and verification of Native
7.5.5 Tips for exporting RACF users to LDAP
Here we provide sample solutions to add RACF users to the LDAP database.
Accessing RACF via an LDAP browser
Users in RACF can be exported to an LDAP LDIF file by using an LDAP client.
For example, we used a freely available LDAP Browser with an LDIF export
capability. To use the LDAP client to access RACF, you need to sign on with the
following DN format: racfid=<userid>,profiletype=user,o=WASLRAC, as shown
in Figure 7-21.
Figure 7-21 Accessing RACF via an LDAP client
Figure 7-22 on page 311 shows the LDAP client display of users in RACF.
Chapter 7. Portal security 311
Figure 7-22 RACF users displayed in an LDAP client
After using the LDAP client to export all the users to an LDIF file, the
partial contents of the file are shown in Example 7-4.
Example 7-4 Example of LDIF export from RACF
dn: racfid=ALEX,profiletype=USER, o=WASLRAC
dn: racfid=ALEX1,profiletype=USER, o=WASLRAC
dn: racfid=ALEX2,profiletype=USER, o=WASLRAC
dn: racfid=ALVAREZ,profiletype=USER, o=WASLRAC
dn: racfid=AMCHENG,profiletype=USER, o=WASLRAC
dn: racfid=ANDY,profiletype=USER, o=WASLRAC
dn: racfid=ANTOGNI,profiletype=USER, o=WASLRAC
dn: racfid=ANTONIO,profiletype=USER, o=WASLRAC
dn: racfid=ARDINI,profiletype=USER, o=WASLRAC
dn: racfid=ARMIGES,profiletype=USER, o=WASLRAC
This format, with a single line for each user, is quite easy to modify using a
variety of tools. The only part we are interested in is the user IDs identified
by the racfid field. We need to identify which users we want to add to the
Portal Server LDAP for native authentication and discard all other users.
Suggested ways to parse and modify the file are:
Use macros in a word processor
Use macros in a spreadsheet
Use a script, for example REXX or UNIX shell
If the number of users is small, use an LDAP editor
The exported LDIF needs to be parsed as suggested and converted into the LDIF
format used by Portal Server, with its required attributes. As an example of
this, we added two users, CHEN and JAVA7, to an LDIF file we called
NAUpdate.ldif, as shown in Example 7-5. Note that the required format does not
use or need a userpassword attribute, because the password check is done by
RACF.
Example 7-5 NAUpdate.ldif, LDIF file for portal using native authentication
dn: uid=CHEN,cn=users, dc=ibm,dc=com
dn: uid=JAVA7,cn=users, dc=ibm,dc=com
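The script below is an added illustration of the UNIX shell option listed above; it is not part of the Redbook and not IBM-supplied code. It reads the RACF LDIF export of Example 7-4 on standard input, keeps only the racfid values named in an allow-list file (so unwanted RACF users are discarded rather than copied into the Portal LDAP), de-duplicates them, and writes entries in the dn form of Example 7-5. The page shows only the dn lines of NAUpdate.ldif; the objectclass, uid, cn and sn attributes emitted per entry are an assumption for illustration, so replace them with the attribute set your Portal Server release requires. The Portal base DN cn=users,dc=ibm,dc=com is taken from Example 7-5. No userpassword attribute is written, matching the native-authentication format.

```shell
#!/bin/sh
# Convert a RACF LDIF export (one "dn: racfid=...,profiletype=USER, o=WASLRAC"
# line per user) into Portal Server native-authentication LDIF entries,
# keeping only the user IDs listed in an allow-list file.
# Added example, not from the Redbook; base DN from Example 7-5, the extra
# attributes per entry are assumed.

PORTAL_BASE="cn=users,dc=ibm,dc=com"

# Usage: racf_to_portal_ldif WANTED_FILE < racf_export.ldif
# WANTED_FILE holds one RACF user ID per line (case-insensitive).
# Every exported user not in that file is dropped; duplicates are emitted once.
racf_to_portal_ldif() {
  wanted="$1"
  awk -v base="$PORTAL_BASE" -v wantfile="$wanted" '
    BEGIN {
      # load the allow-list, upper-cased to match RACF IDs
      while ((getline id < wantfile) > 0) {
        gsub(/[ \t\r]/, "", id)
        if (id != "") want[toupper(id)] = 1
      }
      close(wantfile)
    }
    /^dn:[ \t]*racfid=/ {
      # extract the value between "racfid=" and the next comma
      s = $0
      sub(/^dn:[ \t]*racfid=/, "", s)
      sub(/,.*$/, "", s)
      id = toupper(s)
      if ((id in want) && !(id in seen)) {
        seen[id] = 1
        print "dn: uid=" id "," base
        # assumed attribute set; no userpassword, RACF checks the password
        print "objectclass: inetOrgPerson"
        print "uid: " id
        print "cn: " id
        print "sn: " id
        print ""
      }
    }
  '
}

# Demo on constructed input (not real RACF data): three exported users,
# of which only CHEN and JAVA7 are wanted, as in Example 7-5.
demo_racf_to_portal() {
  dir=$(mktemp -d) || return 1
  printf 'chen\nJAVA7\n' > "$dir/wanted.txt"
  cat > "$dir/racf_export.ldif" <<'EOF'
dn: racfid=ALEX,profiletype=USER, o=WASLRAC
dn: racfid=CHEN,profiletype=USER, o=WASLRAC
dn: racfid=JAVA7,profiletype=USER, o=WASLRAC
dn: racfid=CHEN,profiletype=USER, o=WASLRAC
EOF
  racf_to_portal_ldif "$dir/wanted.txt" < "$dir/racf_export.ldif"
  rm -rf "$dir"
}

demo_racf_to_portal
```

Run it with the real export as `racf_to_portal_ldif wanted.txt < racf_export.ldif > NAUpdate.ldif`. Review the allow-list before loading the result: every ID that reaches the Portal LDAP becomes a user whose password RACF will accept, so the list should contain only the RACF users who are meant to log in to the portal.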