| Author | Messages | |
james
Posts:0
 | | 10/08/2007 10:16 AM |
| Anyone here ever attempted to integrate RACF and Active Directory in a
production environment?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| amulnick
Posts:143
 | | 10/08/2007 10:27 AM |
| Depends on what you mean by "integrate". Can you expand that? | | | |
| rboswell
Posts:20
 | | 10/08/2007 12:13 PM |
| Do you mean "does anyone use LDAP(AD) for RACF user management and access
control"?
Richard Boswell | Senior Systems Engineer | Windows Server Engineering | Visa, Inc. | 12357-C Riata
Trace Pkwy, Austin, TX 78727 | Work - (512) 506-4643 | Cell - (512)
750-4583 | | | |
| RobertBobel
Posts:7
 | | 10/24/2007 4:54 AM |
| AD to RACF (or Tuxedo or ACF2 if you're using it)…
or Top Secret.
Bob | | | |
| james
Posts:0
 | | 10/24/2007 7:53 AM |
| Integrate in the sense that they have discarded RACF's user store and
bound directly to Active Directory. | | | |
| RobertBobel
Posts:7
 | | 10/24/2007 10:16 AM |
| Sync from AD to RACF is not an option? | | | |
| amulnick
Posts:143
 | | 10/24/2007 12:13 PM |
| Robert raises a good question. I started down that path of AD/RACF integration in the way you described. As you can imagine, the MF's (you can read that any way you like ;) were resistant to an upstart operating system/authentication mechanism taking over for them. That was obstacle one. They weren't very good at using TCP/IP from the mainframe. It was still a fairly new concept to them. That was obstacle two. Both of those obstacles were easy enough to overcome, but the showstopper ended up being the 30+ years of security group mess that we would have had to replace. There are vendors (Robert works for a company that was working on something that would allow similar, reportedly) that can help to ease some of that pain, but the direction I took was similar to what you mention - have AD be the authoritative source and have RACF rely on AD for auth. Similar to the work that gets done with *nix platforms, right?
In the end, I wasn't able to overcome the FUD in order to get them into production with the changeover. They just wouldn't give it up, and it was a tough sell to overcome the financial objections to the cost of re-doing the permissions. It would have been a tremendous amount of work to even figure out their current state and make sense of it, let alone convert it to using the AD.
The products that can sync from AD to RACF (or Tuxedo or ACF2 if you're using it) can offer a middle ground that takes the administrative pressure off by reducing the number of touch points. But you're still left with some legacy issues such as password length and many years of undocumented (as if that would happen, right?) group structures created by people who have long since retired.
Does that help James? | | | |
| james
Posts:0
 | | 10/25/2007 7:50 AM |
| Adding a middle ground is an additional cost which we would like to
avoid. It is better to deal with the people aspects upfront... | | | |
|
|