Can ACF2 send the SUSPEND field on the logonid record in LDS to Microsoft AD?
Article ID: 145510
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
How would a suspended LogonID on the ACF2 side be reflected in the AD environment? Is there an attribute that could be mapped in the LDS XREF record that could reflect the LogonID has been suspended on the ACF2 side that is passed down to AD?
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
Most fields on the logonid record can be sent through LDS. The logonid record contains some fields that are used internally by CA ACF2 processing and not modified directly by a security administrator or user. Logonid fields that are not inserted or modified by CA ACF2 command administration or by a user are not supported by LDAP and cannot be specified as an XREF field parameter. These fields include:
To specify the synchronization of the logonid record SUSPEND field in LDS, the XREF record should specify the
|
Description
|
|
|
ACC-CNT
|
Count of system accesses
|
|
ACC-DATE
|
Date of last system access
|
|
ACC-SRCE
|
Source of last system access
|
|
ACC-TIME
|
Time of last system access
|
|
CSDATE
|
Cancel/suspend/mon date
|
|
CSWHO
|
User with set cancel/suspend/mon
|
|
HOMENODE
|
Node where lid is stored
|
|
PRVPSWD1
|
Password history 1
|
|
PRVPSWD2
|
Password history 2
|
|
PRVPSWD3
|
Password history 3
|
|
PRVPSWD4
|
Password history 4
|
|
PRV-TOD1
|
Date/Time of PRVPSWD1
|
|
PRV-TOD2
|
Date/Time of PRVPSWD2
|
|
PRV-TOD3
|
Date/Time of PRVPSWD3
|
|
PRV-TOD4
|
Date/Time of PRVPSWD4
|
|
PSWD-SRC
|
Password source
|
|
PSWD-TIM
|
Password time
|
|
PSWD-TOD
|
Password time of date
|
|
PSWD-XTR
|
Halfway encrypted password flag
|
|
UPD-TOD
|
Date of update
|
To specify the synchronization of the logonid record SUSPEND field in LDS, the XREF record should specify the
LIDfield1/LDAPattribute1Name/LDAPattribute1FieldType/LDAPattribute1DataFormat). For the SUSPEND field the XREF record would look like XREF(
SUSPEND/LDAPattribute1Name/CHARACTER/YN), replace LDAPattribute1Name with an attribute in Microsoft AD.Additional Information
For additional information please see documentation on LDAP Directory Services.
Feedback
Yes
No
Powered by
