Re: Active Directory from CMS
On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915
Re: Active Directory from CMS
Not likely since it's been out of support for 6 months. Pradip Pandya wrote: On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915 -- Rich Smrcina VM Assist, Inc. Phone: 414-491-6001 Ans Service: 360-715-2467 rich.smrcina at vmassist.com Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
Re: Active Directory from CMS
I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Both LDAP server and client implementations for VM OpenEdition have existed for quite some time.
Re: Active Directory from CMS
Hello Pradip Pandya, I can say NO. When I wanted to get PTF's for our z/VM 4.3 system to upgrade to our z890, I was told that they could not help me. I found them on IBMLINK and the like and ordered them via FTP, BUT IBM said NO to everything I wanted from them. I was out of service too. Ed Martin Aultman Health Foundation 330-588-4723 [EMAIL PROTECTED] ext. 40441 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Pradip Pandya Sent: Thursday, March 01, 2007 11:57 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Active Directory from CMS On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915
Re: Active Directory from CMS
On Thursday, 03/01/2007 at 11:57 EST, Pradip Pandya [EMAIL PROTECTED] wrote: I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Sorry, but no. 1. z/VM 4.4 is no longer supported 2. We rarely add new features to older releases. Typically we add only support for newer hardware. Alan Altmark z/VM Development IBM Endicott
Re: Active Directory from CMS
On Tue, 27 Feb 2007 09:54:19 -0800, Dave Wade [EMAIL PROTECTED] wrote: I wonder why you need two LDAP directories. AD is basically an LDAP directory. You use LDAP to access it like any other LDAP directory. As usual for MS it chooses to implement things in a different, but perfectly legal way. If you have multiple domains you may need to use other protocols to access. Dave = I wonder why, too. I did ask, but all I got was for historical reasons. This is a big shop that grew mostly by mergers and acquisitions. Some people listen to Microsoft and some people listen to Solaris and some people listen to the z/OS part of IBM and some people listen to the Tivol i part of IBM, etc. But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory.
Re: Active Directory from CMS
--- Alan Ackerman [EMAIL PROTECTED] wrote: On Tue, 27 Feb 2007 09:54:19 -0800, Dave Wade [EMAIL PROTECTED] wrote: I wonder why you need two LDAP directories. AD is basically an LDAP directory. You use LDAP to access it like any other LDAP directory. As usual for MS it chooses to implement things in a different, but perfectly legal way. If you have multiple domains you may need to use other protocols to access. Dave = I wonder why, too. I did ask, but all I got was for historical reasons. This is a big shop that grew mostly by mergers and acquisitions. Some people listen to Microsoft and some people listen to Solaris and some people listen to the z/OS part of IBM and some people listen to the Tivoli part of IBM, etc. But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. Alan, I havn't tried any of that, and I don't have any chance to. The Microsoft stuff I can build in a virtual PC using MS virtual PC or Virtual server. I can legally load the 90 day evals of W2003 and build an AD imported from the real directory. What I can't easily do is add a ring fenced zVM because it would have to run on the real mainframe. To get at that I would have to arrange connectivity for test traffic onto the data centre LAN and that might be real tricky. In fact I feel so faint at the thought of drawing up the change requests, I think I'll pour myself a beer, and go to bed. It is 30 after midnight here in the UK after all. However this is where a small test box which could be put on an isolated LAN would be oh so usefull, but as we have already noted IBM have killed PSI and FunSoft. Dave. Have a burning question? Go to www.Answers.yahoo.com and get answers from real people who know.
Re: Active Directory from CMS
On 2/27/07, Alan Ackerman [EMAIL PROTECTED] wrote: Has anyone been able to access the Microsoft Active Directory from CMS? (This is an alternative to My understanding is the AD is also just LDAP, but a particular layout of the various bits and pieces (like the topology of the tree and the name of attributes). You might also read up on winbind which is/was the part of Samba that talks to AD. One of the major challenges is that either side has unique attributes for a user/group (e.g. user number) and when there's only one place to register them, the other side has to make up these attributes. And next day you want it to make up the same attribute for that user (so he can still get at his stuff). I know essentially NOTHING about Active Directory. It's probably worth reading some introduction material on the Net. If nothing else, start at Wikipedia: http://en.wikipedia.org/wiki/Active_Directory I would not dare to encourage you going against company preferred API's. I remember the public key of the requester also needs to be in AD for it to verify the request. That rules out your other options. Unless you could have them put the key of your Linux Samba server in for authentication and have that server play proxy for your requests (so Linux would host a web page that authenticates through winbind against AD, and your CMS service doing a tcpclient call under the covers to that web page). Would be way more fun if you could just use ldapclient against the database. If so, I did start doing some plumbing for encode and decode of ASN.1 (the format of the LDAP protocol) and might be able to turn it into something working when we have an application at hand. Rob
Re: Active Directory from CMS
Has anyone been able to access the Microsoft Active Directory from CMS? The open-source LDAP client in OE is capable of browsing the AD tree (remember, AD is just LDAP and Kerberos 5 with a lot of pretty makeup), but the CMS Kerberos implementation is Kerberos 4 (and a really antique version of that). You would need a Linux guest to run the K4 to K5 translator, at which point, you'd be better off to write a CMS agent and implement the rest in Linux. If you went that route, then you could use any PAM-based authentication method, including AD. We would also need some other information that A ctive Directory possesses: the person's email address and person number. If you know their LDAP DN, then you could probably get the other fields. The problem will be getting the authentication in a reasonable way. I think I have an idea how to do it if the Linux guest is an OK intermediary...hmm. Let's discuss this offline.
Re: Active Directory from CMS
On Feb 27, 2007, at 7:12 AM, David Boyes wrote: (remember, AD is just LDAP and Kerberos 5 with a lot of pretty makeup), If you consider Tammy Faye Bakker pretty, I suppose. Adam
Re: Active Directory from CMS
--- Alan Ackerman [EMAIL PROTECTED] wrote: Has anyone been able to access the Microsoft Active Directory from CMS? (This is an alternative to the web services access to the Corporate LDAP Directory that I mentioned in my other append.) The idea would be to have people accessing my web server application have the ir userid pre-validated by their login to their PC. We would also need some other information that A ctive Directory possesses: the person's email address and person number. I know essentially NOTHING about Active Directory. I wonder why you need two LDAP directories. AD is basically an LDAP directory. You use LDAP to access it like any other LDAP directory. As usual for MS it chooses to implement things in a different, but perfectly legal way. If you have multiple domains you may need to use other protocols to access. Dave Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com
Active Directory from CMS
Has anyone been able to access the Microsoft Active Directory from CMS? (This is an alternative to the web services access to the Corporate LDAP Directory that I mentioned in my other append.) The idea would be to have people accessing my web server application have the ir userid pre-validated by their login to their PC. We would also need some other information that A ctive Directory possesses: the person's email address and person number. I know essentially NOTHING about Active Directory.