Does the LDAP interface to the mainframe ACF2 database provide capability beyond administration and authorization within the LIDs database? Can CA LDAP Server be used for provisioning or authentication of RULES or resources in INFOSTG?

Document ID : KB000014547
Last Modified Date : 14/02/2018
Question:

Does the LDAP interface to the mainframe ACF2 database provide capability beyond administration and authorization within the LIDs database? Can CA LDAP Server be used for provisioning or authentication of RULES or resources in INFOSTG? 

Answer:

The CA Web Administrator for ACF2™ (CA Web Administrator) provides comprehensive CA ACF2 administration in a browser-based graphical user interface. Administration functions include: 

- Create, copy, modify, and delete logon IDs
- Add and delete Data Set, Resource, and DB2 rule lines
- Delete rules
- Create, modify, and delete the following CA ACF2 records: CPF, Cache, Data Profile, DCO, Entry, GSO, LDS, Scope, Shift, XREF, and Zone

- Issue native CA ACF2 commands from a command line (the interactive command compile is not supported)

Note: CA Web Administrator does not support digital certificates or compiled data profile records. 

CA Identity Manager allows for ACF2 Password Synchronization and Password Management.

CA LDAP Server Resource/Dataset Authorization Checks 

You can use a CA LDAP Server search operation to perform authorization checks against the CA ACF2 Security database. Two different authorization checks are available for you to perform: 

- RESCHECK
- RESDATA

The authorization checks can be done through the ldapsearch command from an application or from OMVS.

Details can be found in the CA LDAP Server Documentation: CA System z Security Communication Servers (DSI, LDAP, PAM) - 15.1 section: "Using the Search Operation to Perform Resource Checks".