Administering CA Output Management Web Viewer › User Authentication › LDAP Authentication

LDAP Authentication

LDAP authentication allows you to bring large numbers of non-mainframe users into CA OM Web Viewer to view report data without your having to define all the users to your mainframe security system and/or to each CA View and CA Bundl repository.

Requirements

• Only Roles that are of the Basic User type can use LDAP authentication
• Users who were authenticated through LDAP can view data from CA View and CA Bundl repositories. but cannot access data from CA Dispatch repositories.

  Note: For other Role types, users are required to be mainframe authenticated users. For more information, see Role Types and Role Authentication.

Profiles

• You define a single user mainframe User account and create a shared Profile in CA OM Web Viewer so that many LDAP users can use that single user mainframe account.

  This mainframe user ID is basically a trusted account that is used as a proxy user for all the users who share a Profile.

  Therefore, you can let your existing LDAP system authenticate the users who will share the single set of credentials for the Repositories and or for mainframe security.

• We recommend that all Profiles refer to a set of mainframe security credentials, rather than repository level internal security credentials. This will greatly simplify administration and usage.

  For example, it would be very confusing to have your Profile’s credentials expire at different times for different Repositories

• You can define more than one Profile if the situation requires it.

  For example, you can have a different Profile for each Role you authenticate through LDAP. Each Profile can have access to different material.

• From the mainframe it will appear that the same Profile user is logged on many times. The Profile user might have 200 logins listed if 200 LDAP users share that profile.

  For more information about auditing and security, see Profile Security and Auditing.

Directories

• A Role has a Directory object assigned to it so that members of that Role can be authenticated using LDAP .

  Because the Basic User type Role can have a Directory object assigned to it, members of that Role can be authenticated using LDAP.

• Directories contain information which can be used to authentic users to CA Output Management Web Viewer.
• A Directory object, which can only be created by a System Administrator, defines:
  • The LDAP server and port
  • LDAP Base DN
  • LDAP Log in attribute

  For more information about these settings, see Directory Object - Directory Settings and Their Meanings.

• If you do not want to user a Directory object, you can manually enter LDAP attributes into a Role.

  For more information, see Setting the Role Authentication Method.