To create a new connection
- In the Synchronization Service Administration Console, open the Connections tab.
- Click Add connection, and then use the following options:
- Click Next.
- On the Specify connection settings page, use the following options:
  - Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service.
  - Port. Type the IBM AS/400 LDAP communication port number in use by the service.
  - User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
  - Password. Specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors; without it, the bind credentials and directory data travel over LDAP in clear text.
  - Test Connection. Click this button to verify the specified connection settings.
- Click Next.
- Click Finish to create a connection to the IBM AS/400 system.
To modify connection settings
- In the Synchronization Service Administration Console, open the Connections tab.
- Click Connection Settings below the existing IBM AS/400 connection you want to modify.
- On the Connection Settings tab, click the Specify connection settings item to expand it, and then use the following options:
  - Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service.
  - Port. Type the IBM AS/400 LDAP communication port number in use by the service.
  - User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
  - Password. Specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors; without it, the bind credentials and directory data travel over LDAP in clear text.
  - Test Connection. Click this button to verify the specified connection settings.
- Click Save.
This expandable item provides the following options that allow you to modify the connection settings:
- Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service. You can click Refresh to get a list of available servers.
- Port. Type the IBM AS/400 LDAP communication port number in use by the service.
- User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
- Password. Specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors; without it, the bind credentials and directory data travel over LDAP in clear text.
- Test Connection. Click this button to verify the specified connection settings.
This topic describes additional points to consider when configuring the IBM AS/400 connector.
Using groups with IBM AS/400
The IBM AS/400 operating system does not have any concept of groups as discrete entities. Instead, an administrator creates a user profile which is used as a group profile. Other user profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema, while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick Connect mappings must be defined for users and groups to enable full user and group synchronization.
Optional IBM AS/400 account unlock during password reset function
You can optionally unlock a user's IBM AS/400 account at the same time as performing a password reset. This functionality is switched off by default and can be enabled by editing the connector's configuration file as follows:
Edit the file:
<Program Files folder>\One Identity\Active Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml
and add the following lines just before the closing </ConnectorInfo> tag, which appears on the last line of the file:
  <SelfConfig>
  <EnableAccount>true</EnableAccount>
  </SelfConfig>
Only the exact value true enables the new functionality; any other value leaves it switched off.
The LDAP password request sent to IBM AS/400 will then also include a request to modify the account status (os400-status=*ENABLED).
The configuration file is read every time an LDAP connection is made to the IBM AS/400, so the new value will be picked up for the next set of synchronizations.
NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's IBM AS/400 account at the same time as performing a password reset in an earlier version of the connector for IBM AS/400, then you will need to repeat that edit after installing a later version.
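Because the edit above has to be repeated after every connector upgrade, the following added Python helper (not part of the product) applies it idempotently and verifies that the value is exactly true, as the connector requires. It assumes that ConnectorInfo is the root element of the configuration file and works on a constructed sample rather than the real AS400Connector_ConnectorConfig.xml.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the connector configuration. Only the root element
# name and the SelfConfig/EnableAccount lines come from the documentation;
# the <Other> element is a placeholder for the file's real content.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<ConnectorInfo>
  <Other>placeholder</Other>
</ConnectorInfo>
"""


def unlock_enabled(xml_text: str) -> bool:
    """True only if SelfConfig/EnableAccount is exactly 'true'.

    The connector treats any other value (True, yes, 1, or a missing
    element) as switched off, so this check is deliberately strict.
    """
    root = ET.fromstring(xml_text)
    node = root.find("SelfConfig/EnableAccount")
    return node is not None and (node.text or "") == "true"


def enable_unlock(xml_text: str) -> str:
    """Return the configuration with account unlock enabled.

    Appends <SelfConfig><EnableAccount>true</EnableAccount></SelfConfig>
    as the last child of <ConnectorInfo>, i.e. just before the closing
    tag, or corrects an existing value. Running it twice changes nothing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ConnectorInfo":
        raise ValueError(f"unexpected root element {root.tag!r}")
    self_cfg = root.find("SelfConfig")
    if self_cfg is None:
        self_cfg = ET.SubElement(root, "SelfConfig")
    enable = self_cfg.find("EnableAccount")
    if enable is None:
        enable = ET.SubElement(self_cfg, "EnableAccount")
    enable.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_unlock.py <path to AS400Connector_ConnectorConfig.xml>
    # Reports whether the unlock setting survived, e.g. after an upgrade.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("unlock enabled:", unlock_enabled(text))
```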