Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Active Roles Sync Service 8.2 - Administration Guide

Synchronization Service overview Deploying Synchronization Service Deploying Synchronization Service for use with AWS Managed Microsoft AD Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Additional considerations for an IBM AS/400 connection

This topic briefs about the additional points to consider when configuring the IBM AS/400 connector.

Using groups with IBM AS/400

The IBM AS/400 operating system does not have any concept of groups as discrete entities. Instead, an administrator creates a user profile which is used as a group profile. Other user profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema, while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick Connect mappings must be defined for users and groups to enable full user and group synchronization.

Optional IBM AS/400 account unlock during password reset function

You can optionally unlock a user's IBM AS/400 account at the same time as performing a password reset. This functionality is switched off by default and can be enabled by editing the connector's configuration file as follows:

  1. Edit the <Program Files folder>\One Identity\Active Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml file.

  2. Add the following lines just before the </ConnectorInfo> which appears on the last line of the file:

    <SelfConfig>
    <EnableAccount>true</EnableAccount>
    </SelfConfig>

    NOTE: Only the value true will enable the new functionality.

The LDAP password request sent to IBM AS/400 will then also include a request to modify the account status (os400-status=*ENABLED)).

The configuration file is read every time an LDAP connection is made to the IBM AS/400, so the new value will be picked up for the next set of synchronizations.

NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's IBM AS/400 account at the same time as performing a password reset in an earlier version of the connector for IBM AS/400, then you will need to repeat that edit after installing a later version.

Working with IBM RACF

To create a connection to IBM RACF connector, you need to use Synchronization Service in conjunction with a special connector called IBM RACF Connector. This connector is included in the Synchronization Service package.

The IBM RACF Connector supports the following features:

Table 51: IBM RACF Connector – Supported features

Feature

Supported

Bidirectional synchronization

Specifies whether you can both read and write data in the connected data system.

Yes

Delta processing mode

Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

No

Password synchronization

Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Yes

Prerequisites
  • The IBM mainframe must have LDAP directory services installed and configured.

  • The IBM RACF connector can be installed on Microsoft Windows Server 2016 or later.

NOTE: There is an 8 character limit for user and group names on IBM RACF. The character limit is also applicable to the passwords on IBM RACF.

Creating an IBM RACF connection

To create a new connection

  1. In the Synchronization Service Console, open the Connections tab.
  2. Click Add connection, then use the following options:
    • Connection name: Type a descriptive name for the connection.
    • Use the specified connector: Select IBM RACF Connector.

  3. Click Next.

  4. On the Specify connection settings page, use the following options:
    • Server: Type the fully qualified DNS name of the IBM RACF server running the LDAP service. Type the fully qualified DNS name of the IBM RACF server running the LDAP service.

    • Port: Type the fully qualified DNS name of the IBM RACF server running the LDAP service.

    • User name: Specify the fully distinguished name (DN) of the account that the application will use to access the IBM RACF LDAP directory service

    • Password: Specify the password of the user account that the application will use to access the IBM RACF LDAP directory service.

    • To test the connection with the new parameters, click Test connection.
  5. Click Next.

  6. Click Finishto create a connection to IBM RACF connector.

Modifying an IBM RACF connection

To create a new connection

  1. In the Synchronization Service Console, open the Connections tab.
  2. Click Connection Settings below the existing IBM RACF connection you want to modify.

  3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.

    • Server: Type the fully qualified DNS name of the IBM RACF server running the LDAP service. Type the fully qualified DNS name of the IBM RACF server running the LDAP service.

    • Port: Type the fully qualified DNS name of the IBM RACF server running the LDAP service.

    • User name: Specify the fully distinguished name (DN) of the account that the application will use to access the IBM RACF LDAP directory service

    • Password: Specify the password of the user account that the application will use to access the IBM RACF LDAP directory service.

    • To test the connection with the new parameters, click Test connection.
  4. Click Save.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation