Administering › Managing User Authentication › LDAP Authentication

LDAP Authentication

LDAP authentication lets you bring large numbers of nonmainframe users to view report data without your having to define all the users to your mainframe security system and/or to each CA View and CA Bundl repository.

Requirements

• Only Basic User type roles can use LDAP authentication

  Note: One exception is the LDAP Mainframe Hybrid Profile Object, which lets the LDAP credentials of a user to be the same as mainframe credentials to be passed to mainframe security.

• Users that authenticated through LDAP can view data from CA View and CA Bundl repositories, but cannot access data from CA Dispatch repositories.

  Note: For other role types, users must be mainframe authenticated users.

Profiles

• You define a single user mainframe user account and create a shared profile in CA OM Web Viewer so that many LDAP users can use that single user mainframe account.

  This mainframe user ID is basically a trusted account that is used as a proxy user for all the users who share a Profile.

  Therefore, you can let your existing LDAP system authenticate the users who share the single set of credentials for the repositories and or for mainframe security.

• We recommend that all Profiles refer to a set of mainframe security credentials, rather than repository level internal security credentials. This practice simplifies administration and usage.

  For example, it would be confusing to have the profile credentials expire at different times for different repositories.

• You can define more than one Profile if necessary.

  For example, you can have a different Profile for each Role you authenticate through LDAP. Each Profile can have access to different material. From the mainframe it can appear that the same Profile user is logged on many times. The Profile user might have 200 logins listed if 200 LDAP users share that profile.

Directories

• A role has an assigned Directory object so that members of that role can be authenticated using LDAP.

  Because the Basic User type Role can have an assigned Directory object, members of that Role can be authenticated using LDAP.

• Directories contain information which can be used to authentic users to CA Output Management Web Viewer.
• Only a System Administrator can create a Directory object, and this object defines:
  • The LDAP server and port
  • LDAP Base DN and password
  • LDAP Login attribute.
• If you do not want a user to use a Directory object, you can manually enter LDAP attributes into a role. LDAP bind settings are only available by creating a Directory object at Directory panel.