This topic describes additional points to consider when configuring the IBM AS/400 connector.
Using groups with IBM AS/400
The IBM AS/400 operating system does not have any concept of groups as discrete entities. Instead, an administrator creates a user profile which is used as a group profile. Other user profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema, while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick Connect mappings must be defined for users and groups to enable full user and group synchronization.
Optional IBM AS/400 account unlock during password reset function
You can optionally unlock a user's IBM AS/400 account at the same time as performing a password reset. This functionality is switched off by default and can be enabled by editing the connector's configuration file as follows:
- Edit the <Program Files folder>\One Identity\Active Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml file.
- Add the following lines just before the </ConnectorInfo> which appears on the last line of the file:
    <SelfConfig>
      <EnableAccount>true</EnableAccount>
    </SelfConfig>
NOTE: Only the value true will enable the new functionality.
The LDAP password request sent to IBM AS/400 will then also include a request to modify the account status (os400-status=*ENABLED).
The configuration file is read every time an LDAP connection is made to the IBM AS/400, so the new value will be picked up for the next set of synchronizations.
NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's IBM AS/400 account at the same time as performing a password reset in an earlier version of the connector for IBM AS/400, then you will need to repeat that edit after installing a later version.
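Because this setting makes every password reset also re-enable the account, and the edit has to be repeated after an upgrade, it helps to check the file's state with a script instead of by eye. The following PowerShell is an added example, not part of the product or its documentation: it reports whether the unlock is enabled and applies the edit described above idempotently, keeping a backup copy. The function names and the sample file are hypothetical, and it assumes the root element is ConnectorInfo with no XML namespace.

```powershell
# Added example. The sample file at the bottom is constructed; a real
# AS400Connector_ConnectorConfig.xml holds other elements, which are left untouched.
function Get-AS400UnlockOnReset {
    param([Parameter(Mandatory)][string]$Path)
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $node = $doc.SelectSingleNode('/ConnectorInfo/SelfConfig/EnableAccount')
    if ($null -eq $node) { return 'Absent' }    # default state: unlock is off
    # Assumption: surrounding whitespace is ignored. The comparison is case-sensitive
    # because the page states that only the value true enables the feature.
    if ($node.InnerText.Trim() -ceq 'true') { return 'Enabled' }
    return 'PresentNotTrue'                     # element exists but does not enable the feature
}

function Set-AS400UnlockOnReset {
    param([Parameter(Mandatory)][string]$Path)
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ((Get-AS400UnlockOnReset -Path $Path) -eq 'Enabled') { return $false }  # nothing to change
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force               # rollback copy
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)
    $root = $doc.DocumentElement
    if ($root.Name -ne 'ConnectorInfo') { throw "Unexpected root element '$($root.Name)'" }
    $self = $root.SelectSingleNode('SelfConfig')
    if ($null -eq $self) {
        $self = $doc.CreateElement('SelfConfig')
        [void]$root.AppendChild($self)          # last child, so just before </ConnectorInfo>
    }
    $flag = $self.SelectSingleNode('EnableAccount')
    if ($null -eq $flag) {
        $flag = $doc.CreateElement('EnableAccount')
        [void]$self.AppendChild($flag)
    }
    $flag.InnerText = 'true'
    $doc.Save($Path)
    return $true                                # file was modified
}

# Constructed sample standing in for the connector configuration file.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'AS400Connector_ConnectorConfig.sample.xml'
Set-Content -LiteralPath $sample -Value '<ConnectorInfo><Placeholder /></ConnectorInfo>'
Get-AS400UnlockOnReset -Path $sample
Set-AS400UnlockOnReset -Path $sample
Get-AS400UnlockOnReset -Path $sample
```

Running Get-AS400UnlockOnReset against the real file after each connector upgrade shows whether the edit still needs to be repeated.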