Set up a separate LDAP server and create a new set of objects – one per user – in the second directory. The LDAP search filter would: (1) find the user's object with the attribute, and (2) find the attribute within the object that has the mainframe username.
Advantages:

- The object is stable over time.

Using (in MSS), several options are available for searching the second LDAP directory and authorizing users to use automated sign-on:

- Select UPN as the key to a secondary LDAP search filter.
- Specify the LDAP attribute in the authenticating directory from which the UPN is obtained.
- Select an LDAP attribute value in the authenticating directory as the key to a secondary LDAP search filter.
- Select a literal value
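The two-step lookup described above (find the user's object by a key taken from the authenticating directory, then read the mainframe username from that object), with the UPN as the key, as an added example. This is not MSS code or its configuration: the attribute names `userPrincipalName`, `mainframeUser` and `objectClass=person`, the DNs, and the in-memory directory are all constructed for the example. It also shows the check a practitioner would want at this step: the key value is escaped per RFC 4515 before it goes into the filter, and an ambiguous match (zero or several objects, or several mainframe usernames on one object) yields no sign-on identity rather than a guess.

```python
"""Two-step secondary-directory lookup for automated sign-on (added example).

Step 1: a search filter built from the key value obtained in the authenticating
directory (here the UPN) finds the user's object in the secondary directory.
Step 2: the mainframe username is read from an attribute of that object.
Attribute names and directory entries are assumptions constructed for this example.
"""

# RFC 4515 escaping for assertion values placed inside a search filter. Without
# it, a key value containing '*', '(' or ')' could change the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_secondary_filter(key_attr: str, key_value: str, object_class: str = "person") -> str:
    """Step 1 filter: the object whose key attribute equals the authenticating
    directory's value. 'person' as object class is an assumption."""
    return f"(&(objectClass={object_class})({key_attr}={escape_filter_value(key_value)}))"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\2a -> '*') when evaluating a filter."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse(filter_str: str, pos: int):
    """Minimal parser for the filter shape this example builds: an AND of
    equality assertions. Returns (node, next_pos)."""
    assert filter_str[pos] == "("
    pos += 1
    if filter_str[pos] == "&":
        pos += 1
        children = []
        while filter_str[pos] == "(":
            child, pos = _parse(filter_str, pos)
            children.append(child)
        assert filter_str[pos] == ")"
        return ("and", children), pos + 1
    end = filter_str.index(")", pos)  # a ')' inside a value is escaped, so this is the close
    attr, _, raw = filter_str[pos:end].partition("=")
    return ("eq", attr.lower(), _unescape(raw)), end + 1


def _matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against an entry (attribute names lowercased)."""
    if node[0] == "and":
        return all(_matches(entry, child) for child in node[1])
    _, attr, value = node
    return any(v.casefold() == value.casefold() for v in entry.get(attr, []))


def resolve_mainframe_user(directory, key_attr: str, key_value: str, mainframe_attr: str):
    """Step 1 finds the object; step 2 reads the mainframe username from it.
    Returns None unless exactly one object matches and it carries exactly one
    mainframe username: an ambiguous mapping must not be used for sign-on."""
    node, _ = _parse(build_secondary_filter(key_attr, key_value), 0)
    hits = [entry for entry in directory if _matches(entry, node)]
    if len(hits) != 1:
        return None
    values = hits[0].get(mainframe_attr.lower(), [])
    return values[0] if len(values) == 1 else None


# Constructed secondary directory: one object per user, keyed by UPN.
SECONDARY_DIRECTORY = [
    {"dn": ["cn=alice,ou=asm,dc=example,dc=com"], "objectclass": ["person"],
     "userprincipalname": ["alice@example.com"], "mainframeuser": ["ALICE01"]},
    {"dn": ["cn=bob,ou=asm,dc=example,dc=com"], "objectclass": ["person"],
     "userprincipalname": ["bob@example.com"], "mainframeuser": ["BOB01"]},
]

if __name__ == "__main__":
    print(build_secondary_filter("userPrincipalName", "alice@example.com"))
    print(resolve_mainframe_user(SECONDARY_DIRECTORY, "userPrincipalName",
                                 "alice@example.com", "mainframeUser"))
```

A key value of `*` resolves to nothing: the escaping turns it into the literal assertion `\2a`, so it cannot act as a wildcard that matches every object in the secondary directory.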