Provisioning Existing LogonIDs to sync with other systems via ACF2-LDS

Article ID: 197796

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

Using ACF2 LDS to synchronize LogonIDs/passwords from ACF2 to an AD platform. Have thousands of existing LogonIDs on the ACF2 side that need to be synchronized over to AD. Is there a way via ACF2-LDS to force an insert of the LogonID if it does NOT already exist on AD? We tried manually defining a LogonID on the AD, but when we change it on the ACF2 side, we get RC 20 (LDAP NO SUCH OBJECT) from LDS. We cannot delete and redefine these existing LogonIDs, so we need a way for LDS to insert them if they don't exist, or another way on the AD side for the LogonIDs to be recognized by LDS if they are created on the AD side. What does ACF2-LDS expect to see on the other LDS NODE for it to recognize that a LogonID exists?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

ACF2 LDS formats LDAP add, modify or delete requests and sends them to remote LDAP-compliant directory servers. It is up to those directory servers to process the LDAP add, modify or delete requests and to determine how the LogonID is handled in the target AD repository.

The Control LDS LDAP record and XREF records specify the names of the CA ACF2 logonid fields and the corresponding LDAP directory attributes to be synchronized to the LDAP directory for insert or change command processing. The XREF record must contain a valid mapping if INSERT or CHANGE is specified on the LDAP record. If the logonid field mapping does not correspond to the LDAP directory attributes of the logonids that were added manually on AD, the RC 20 error will occur.

When an ACF2 logonid is changed, LDS formats an LDAP modify request for that logonid based on the XREF mapping record. If the logonid does not exist in the AD repository, the modify request fails. So if you manually added the logonid in the AD repository, the modify should work as long as the fields of that manually added logonid are defined in the XREF mapping record. When an ACF2 logonid is added, LDS formats an LDAP add request for that logonid based on the XREF mapping record.
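The add-versus-modify behaviour described above, as an added illustration that is not CA ACF2-LDS code: a small Python simulation with an in-memory stand-in for the AD side and a hypothetical XREF-style mapping (the field names, LDAP attribute names, base DN and sample logonid are all assumptions). It shows that a CHANGE with no prior INSERT fails with noSuchObject (the condition the issue reports as LDS RC 20), that fields absent from the mapping are simply not sent, and a pre-check that picks add or modify so existing logonids can be pushed to the directory without delete/redefine.

```python
# Constructed simulation of LDS-style INSERT/CHANGE processing.
# Not CA ACF2-LDS code; directory, DNs, XREF mapping and fields are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

LDAP_NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject; LDS surfaces it as RC 20 per the issue


class NoSuchObject(Exception):
    """Raised when a modify targets a DN that is not in the directory."""


@dataclass
class FakeDirectory:
    """Minimal in-memory stand-in for the AD repository (constructed, offline)."""
    entries: dict = field(default_factory=dict)

    def exists(self, dn: str) -> bool:
        return dn in self.entries

    def add(self, dn: str, attrs: dict) -> None:
        if dn in self.entries:
            raise ValueError(f"entryAlreadyExists: {dn}")
        self.entries[dn] = dict(attrs)

    def modify(self, dn: str, attrs: dict) -> None:
        # As on a real LDAP server, modifying a DN that was never added is an error.
        if dn not in self.entries:
            raise NoSuchObject(LDAP_NO_SUCH_OBJECT, dn)
        self.entries[dn].update(attrs)


# Hypothetical XREF-style mapping: ACF2 logonid field name -> LDAP attribute name.
XREF = {"LID": "sAMAccountName", "NAME": "displayName", "PHONE": "telephoneNumber"}
BASE_DN = "OU=Mainframe,DC=example,DC=com"  # assumed container for synced logonids


def build_dn(lid: str, base_dn: str = BASE_DN) -> str:
    return f"CN={lid},{base_dn}"


def map_fields(lid_record: dict, xref: dict = XREF) -> tuple[dict, list]:
    """Translate logonid fields to LDAP attributes; report fields with no mapping."""
    attrs, unmapped = {}, []
    for lid_field, value in lid_record.items():
        if lid_field in xref:
            attrs[xref[lid_field]] = value
        else:
            unmapped.append(lid_field)
    return attrs, unmapped


def lds_change(directory: FakeDirectory, lid_record: dict) -> str:
    """CHANGE processing as the article describes: always an LDAP modify, never an add."""
    attrs, _ = map_fields(lid_record)
    dn = build_dn(lid_record["LID"])
    directory.modify(dn, attrs)  # raises NoSuchObject if the entry was never inserted
    return dn


def lds_insert(directory: FakeDirectory, lid_record: dict) -> str:
    """INSERT processing: an LDAP add built from the mapped attributes."""
    attrs, _ = map_fields(lid_record)
    dn = build_dn(lid_record["LID"])
    directory.add(dn, attrs)
    return dn


def provision_existing(directory: FakeDirectory, lid_record: dict) -> str:
    """Check the target first and choose add or modify, so a pre-existing logonid
    can be provisioned without delete/redefine. Returns the action taken."""
    dn = build_dn(lid_record["LID"])
    if directory.exists(dn):
        lds_change(directory, lid_record)
        return "CHANGE"
    lds_insert(directory, lid_record)
    return "INSERT"


def demo() -> dict:
    """Walk through the failure from the issue and the pre-checked alternative."""
    ad = FakeDirectory()
    rec = {"LID": "USER01", "NAME": "Example User", "PHONE": "555-0100", "UID": 1234}
    results = {}
    try:
        lds_change(ad, rec)  # change before any insert: the reported RC 20 situation
    except NoSuchObject as exc:
        results["change_before_insert"] = exc.args[0]
    results["first_pass"] = provision_existing(ad, rec)   # nothing there yet -> INSERT
    rec["PHONE"] = "555-0199"
    results["second_pass"] = provision_existing(ad, rec)  # entry now exists -> CHANGE
    results["unmapped"] = map_fields(rec)[1]              # UID has no XREF entry, not sent
    results["entry"] = ad.entries[build_dn("USER01")]
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `exists` check would be an LDAP search against the target directory before deciding between add and modify; the point of the simulation is that a CHANGE alone can never create the entry, so the mapping on the XREF record and the presence of the object on the AD side both have to be in place.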