WebSphere Application Server User Registry

By default, the configured WebSphere Application Server for z/OS user registry is not queried as part of authentication. When the login module is configured for identity only, the user registry is queried. You can override this default behavior by setting the curam.security.user.registry.enabled property. If this property is set to true, the WebSphere Application Server for z/OS user registry is queried during the authentication process, regardless of whether identity only authentication is enabled or disabled. If this property is set to false, the WebSphere Application Server for z/OS user registry is not queried. For example, if curam.security.check.identity.only is set to true and curam.security.user.registry.enabled is set to false, neither the Cúram authentication verifications nor the WebSphere Application Server for z/OS user registry will be used as part of the authentication process.
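The interaction of these two properties can be checked mechanically before a configuration is deployed. The following is an added example, not Cúram or WebSphere code: it resolves which verifications run for a set of login module properties and flags the combination in which neither is used. The key=value input format, the function names, and the treatment of an absent curam.security.check.identity.only as false are assumptions of the example; the per-type properties are outside its scope.

```python
PROP_IDENTITY_ONLY = "curam.security.check.identity.only"
PROP_REGISTRY = "curam.security.user.registry.enabled"


def parse_properties(text):
    """Parse simple key=value lines (assumed format); '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def as_bool(props, key):
    """Return True/False for an explicit setting, None when the property is absent."""
    if key not in props:
        return None
    value = props[key].lower()
    if value not in ("true", "false"):
        raise ValueError(f"{key} must be true or false, got {props[key]!r}")
    return value == "true"


def effective_authentication(props):
    """Resolve which verifications are used, following the rules in the paragraph above."""
    # Assumption: an absent identity-only property means identity only is disabled.
    identity_only = as_bool(props, PROP_IDENTITY_ONLY) or False
    registry_override = as_bool(props, PROP_REGISTRY)
    # Default: the registry is queried only for identity only; an explicit setting wins.
    registry = identity_only if registry_override is None else registry_override
    # Per the page's example, identity only means the Cúram verifications are not used.
    curam = not identity_only
    return {"curam_verifications": curam, "registry_queried": registry,
            "no_verifier": not curam and not registry}


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
curam.security.check.identity.only=true
curam.security.user.registry.enabled=false
"""

if __name__ == "__main__":
    result = effective_authentication(parse_properties(SAMPLE))
    print("FINDING: no verifier is used" if result["no_verifier"] else "OK", result)
```

A result with no_verifier set to True corresponds to the last case in the paragraph above and should be reviewed before the configuration is applied.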

You can also control the authentication of types of external users (i.e., non-internal users) against the WebSphere Application Server for z/OS user registry by using the curam.security.user.registry.enabled.types and/or the curam.security.user.registry.disabled.types properties. These properties specify a comma-delimited list of external user types that will, or will not, be authenticated via the WebSphere Application Server for z/OS user registry:

The precedence order in processing these three properties and the WebSphere Application Server for z/OS user or external (e.g. LDAP) registry is as follows:

See Set up the System JAAS Login Module for more information on setting the resultant properties in the CuramLoginModule configuration.