Re: I hate to ask -- VM passwords authenticated against AD?
I have most of the piece parts done (IUCV driver, PAM driver, Kerberos and LDAP interfaces, Linux guest to do the heavy lifting) to enable VM to use any authentication source supported by PAM, including AD. The remaining part is the necessary CP modules to normalize all the entry points to CP into a documented interface that doesn't require rebuilding CP, then convincing IBM to either ship VM with the RACF interface modules prebuilt, plus a dummy "RACF lite" that implements the default defer behavior, or agree on what the external interface should be in terms of service access points and ship that. I'd actually donate the service code if IBM would accept it. As you might imagine, the last part is the hardest.

If someone wants this badly enough to pay for it, then I can probably have a beta-ready version available in a month or so.

-- db
Re: I hate to ask -- VM passwords authenticated against AD?
Amen, brother. In the late '90s, we (USAir before it became USAirways) decided to donate the device throttling code I had written. Donating it took longer than writing and testing it. However, they do have a mechanism for accepting code. I suspect that most of the time taken was by the respective legal departments. It certainly did not take me long to sign the Certificate of Authenticity.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of David Boyes
Sent: Wednesday, June 16, 2010 8:26 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: I hate to ask -- VM passwords authenticated against AD?

> I have most of the piece parts done (IUCV driver, PAM driver, Kerberos and LDAP interfaces, Linux guest to do the heavy lifting) to enable VM to use any authentication source supported by PAM, including AD. The remaining part is the necessary CP modules to normalize all the entry points to CP into a documented interface that doesn't require rebuilding CP, then convincing IBM to either ship VM with the RACF interface modules prebuilt, plus a dummy "RACF lite" that implements the default defer behavior, or agree on what the external interface should be in terms of service access points and ship that. I'd actually donate the service code if IBM would accept it. As you might imagine, the last part is the hardest.
>
> If someone wants this badly enough to pay for it, then I can probably have a beta-ready version available in a month or so.
>
> -- db
Re: I hate to ask -- VM passwords authenticated against AD?
On Wednesday, 06/16/2010 at 01:05 EDT, Schuh, Richard rsc...@visa.com wrote:

> Amen, brother. In the late '90s, we (USAir before it became USAirways) decided to donate the device throttling code I had written. Donating it took longer than writing and testing it. However, they do have a mechanism for accepting code. I suspect that most of the time taken was by the respective legal departments. It certainly did not take me long to sign the Certificate of Authenticity.

In this case, however, both IBM and CA offer products for sale in this space. I would rather see the requirement levied against the various ESMs to provide this function, since that's where it logically belongs.

Alan Altmark
z/VM Development
IBM Endicott
Re: I hate to ask -- VM passwords authenticated against AD?
> In this case, however, both IBM and CA offer products for sale in this space. I would rather see the requirement levied against the various ESMs to provide this function, since that's where it logically belongs.
>
> Alan Altmark
> z/VM Development
> IBM Endicott

I'd make a counterargument that if IBM intends to position z/VM only as a Linux hosting environment, then the current setup, which requires the user to have the skills to rebuild CP to enable an ESM (which Chuckie usually recommends), is highly user-hostile and needs to be resolved at the CP layer, not in third-party products. Every ESM shouldn't have to reinvent the CP interface wheel. A cleaner, less intimately entwined set of security interfaces would be good for everyone, including the IBM products, and with the enormous amount of work going into z/VM 6.next, this would be a good time to architect it in.

The rest of the functionality (resolving userid validity, credential mapping, etc.) is all user-space pieces, and I'd totally agree that that's where they belong -- in the ESM logic. But that's the issue I mentioned.

If there's consensus that this would be useful, and if IBM would consider adding it to z/VM, I'm willing to do the work. I just don't want to create Yet Another Way to do it, which perpetuates the current situation.
Re: I hate to ask -- VM passwords authenticated against AD?
On Wednesday, 06/16/2010 at 02:02 EDT, David Boyes dbo...@sinenomine.net wrote:

> I'd make a counterargument that if IBM intends to position z/VM only as a Linux hosting environment, then the current setup, which requires the user to have the skills to rebuild CP to enable an ESM (which Chuckie usually recommends), is highly user-hostile and needs to be resolved at the CP layer, not in third-party products. Every ESM shouldn't have to reinvent the CP interface wheel. A cleaner, less intimately entwined set of security interfaces would be good for everyone, including the IBM products, and with the enormous amount of work going into z/VM 6.next, this would be a good time to architect it in.

When building an ESM, you have some fairly complex challenges. At the top of the list, the ESM:

1. Cannot be simply or easily circumvented (even by a sysadmin [as opposed to sysprog]).
2. Must enforce a limited set of operations when the ESM server is down, sufficient only to get the ESM server back up and running or to declare "The ESM's dead, Jim."
3. Must recognize and differentiate system initialization activities from 'steady state' stuff.
4. Must generally support the idea that CP is the enforcement point. Policy may be derived from a server, but CP is where the Real Decisions are made and where it is understood that, sometimes, the policy does not apply or is a Really Bad Idea in some cases. That's impossible to do if all the logic is in the server.

If the complaint is that ESMs are too hard to install and/or configure, then people who feel that way should open requirements. Neither IBM nor CA need changes in the published CP-ESM interfaces to address such requirements.

Alan Altmark
z/VM Development
IBM Endicott
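The four ESM properties listed above, modelled as an added example that is not part of the thread or of any z/VM or ESM product: a single enforcement point that every request passes through (no bypass parameter), a constructed table of recovery-only operations that applies while the policy server is unreachable, a separate bootstrap table for system initialization, and a set of decisions that are never delegated to the server. ESMSRV, the userids and all three tables are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

Request = Tuple[str, str, str]  # (userid, operation, target)


class EsmServerDown(Exception):
    """Raised by the policy source when the ESM server cannot be reached."""


# Constructed tables (not real z/VM rules). ESMSRV is a hypothetical ESM
# service machine. Point 2: with the server down, only what is needed to
# restart it or declare it dead is allowed, and only to named recovery
# users, so the outage itself is not a way around the ESM (point 1).
EMERGENCY_OPS: Set[Request] = {("OPERATOR", "XAUTOLOG", "ESMSRV"),
                               ("OPERATOR", "FORCE", "ESMSRV"),
                               ("OPERATOR", "LOGON", "OPERATOR")}
# Point 3: during initialization only CP's own bootstrap work runs.
INIT_OPS: Set[Request] = {("SYSTEM", "XAUTOLOG", "ESMSRV"),
                          ("SYSTEM", "XAUTOLOG", "OPERATOR")}
# Point 4: decisions CP keeps for itself, whatever the server answers.
NEVER: Set[Tuple[str, str]] = {("FORCE", "OPERATOR")}


@dataclass
class EnforcementPoint:
    """Stand-in for CP. Every request goes through decide(); there is no
    bypass argument, so a sysadmin cannot skip the check (point 1)."""
    policy: Callable[[str, str, str], bool]   # server-derived policy
    steady_state: bool = False                # False while initializing
    audit: list = field(default_factory=list)

    def decide(self, userid: str, op: str, target: str) -> bool:
        req = (userid, op, target)
        if (op, target) in NEVER:
            verdict, why = False, "cp-hard-rule"
        elif not self.steady_state:
            verdict, why = req in INIT_OPS, "initializing"
        else:
            try:
                verdict, why = bool(self.policy(*req)), "policy"
            except EsmServerDown:
                verdict, why = req in EMERGENCY_OPS, "esm-down"
        self.audit.append((userid, op, target, verdict, why))
        return verdict


def make_policy(allowed: Set[Request], server_up: bool = True) -> Callable:
    """Constructed policy source: a lookup table, or a server that is down."""
    def lookup(userid: str, op: str, target: str) -> bool:
        if not server_up:
            raise EsmServerDown()
        return (userid, op, target) in allowed
    return lookup
```

The audit list records which path produced each verdict, which is what an operator would want to see when reconstructing what CP allowed during an ESM outage.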
Re: I hate to ask -- VM passwords authenticated against AD?
> When building an ESM, you have some fairly complex challenges. At the top of the list, the ESM:
>
> 1. Cannot be simply or easily circumvented (even by a sysadmin [as opposed to sysprog]).
> 2. Must enforce a limited set of operations when the ESM server is down, sufficient only to get the ESM server back up and running or to declare "The ESM's dead, Jim."
> 3. Must recognize and differentiate system initialization activities from 'steady state' stuff.
> 4. Must generally support the idea that CP is the enforcement point. Policy may be derived from a server, but CP is where the Real Decisions are made and where it is understood that, sometimes, the policy does not apply or is a Really Bad Idea in some cases. That's impossible to do if all the logic is in the server.

Something tells me we're actually agreeing with each other but using different words. I'm not arguing against any of those points. I am arguing that the current implementation makes implementing code (both for the programmer and the user) that exploits the existing interfaces unnecessarily complex (and release dependent), thus increasing everybody's cost of operation and ownership. I'm arguing that we don't have to reinvent that consolidation piece to present a way to connect an ESM to CP.

But, never mind. Just an idea. If somebody wants it, they'll holler.

-- db
Re: I hate to ask -- VM passwords authenticated against AD?
Hopefully they won't take it and shelve it.

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard
Sent: Wednesday, June 16, 2010 12:05 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: I hate to ask -- VM passwords authenticated against AD?

> Amen, brother. In the late '90s, we (USAir before it became USAirways) decided to donate the device throttling code I had written. Donating it took longer than writing and testing it. However, they do have a mechanism for accepting code. I suspect that most of the time taken was by the respective legal departments. It certainly did not take me long to sign the Certificate of Authenticity.
>
> Regards,
> Richard Schuh
>
> -----Original Message-----
> From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of David Boyes
> Sent: Wednesday, June 16, 2010 8:26 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: I hate to ask -- VM passwords authenticated against AD?
>
> > I have most of the piece parts done (IUCV driver, PAM driver, Kerberos and LDAP interfaces, Linux guest to do the heavy lifting) to enable VM to use any authentication source supported by PAM, including AD. The remaining part is the necessary CP modules to normalize all the entry points to CP into a documented interface that doesn't require rebuilding CP, then convincing IBM to either ship VM with the RACF interface modules prebuilt, plus a dummy "RACF lite" that implements the default defer behavior, or agree on what the external interface should be in terms of service access points and ship that. I'd actually donate the service code if IBM would accept it. As you might imagine, the last part is the hardest.
> >
> > If someone wants this badly enough to pay for it, then I can probably have a beta-ready version available in a month or so.
> >
> > -- db
Re: I hate to ask -- VM passwords authenticated against AD?
They didn't. An improved version is in CP today. We were on VM/ESA 1.x or 2.x when the transaction took place. I do not remember when the throttling facility was first made available in CP. The developer in Endicott and I did have conversations about what I would do differently if I were doing it over and enhancements that could be made.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Ward, Mike S
Sent: Wednesday, June 16, 2010 1:24 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: I hate to ask -- VM passwords authenticated against AD?

> Hopefully they won't take it and shelve it.
I hate to ask -- VM passwords authenticated against AD?
I'm no fan of AD, but I have to ask... Has anyone heard of a way to authenticate VM logon passwords against Active Directory? No RACF...

Thanks,
Lee

--
Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: lee.stew...@siriuscom.com
Web: www.siriuscom.com
Re: I hate to ask -- VM passwords authenticated against AD?
On Tuesday, 06/15/2010 at 04:55 EDT, Lee Stewart lstewart.dsgr...@attglobal.net wrote:

> Has anyone heard of a way to authenticate VM logon passwords against Active Directory? No RACF...

I think we've talked about this before. None of the commercially available ESMs do that, and the only way to implement such a capability is via the ESM interfaces. But when I dig further, what I really find is that they want the same password in AD as on z/VM. So then I suggest IBM Tivoli Directory Integrator and RACF. Using LDAP, it will synchronize the AD and RACF passwords.

If you want free, then you have to write your own ESM. That isn't, of course, free by any stretch of the imagination!

Alan Altmark
z/VM Development
IBM Endicott