Changing User Passwords Stored in an LDAP

There are various ways for Enterprise Server users to change passwords stored in an LDAP. The Security Facility relays these requests to the security managers that are used to verify the user. Whether or not a password change request is honoured by a security manager depends on that manager and the security manager module that is used to connect to it.

When using the mldap_esm security manager, changing a user's password involves changing an attribute of the associated user object in the LDAP repository. This in turn requires that the mldap_esm security manager has write access to the repository. However, the mldap_esm security manager does not connect to the repository with the credentials of the user requesting the password change; it uses the authorized id and password that are specified in the Edit Security Manager screen.

In order to enable the mldap_esm security manager to support the changing of user passwords, you need to modify the security manager definition to specify an authorized user ID and password that has write access to the Enterprise Server user objects within the LDAP repository. The ID and password combination that you supply should, of course, be secret. To do this:

  1. Click Security under Configure on the menu on the left-hand side of an Enterprise Server Administration Web page.
  2. Click Security Managers.
  3. Select the definition that you want to edit by clicking the relevant radio button in the Select column.
  4. Click Edit.
  5. In the Authorized ID field, supply the username used to bind to the LDAP server. The format for this is server-dependent, but is usually a Distinguished Name.

    This user should have read access to the Enterprise Server user, group, and resource objects in the LDAP repository, and modify access to user definitions to support letting users change their passwords from ES (for example from the CICS signon screen).

  6. In the Password field specify the password used to bind to the LDAP server.
  7. Click OK.

When no authorized ID and password is specified in the security manager definition, the MLDAP ESM uses the user ID, CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local (though the last two components can be changed by setting the base DN), which is the user object created for this purpose in the sample configuration, and the password mf_rdr to connect to the LDAP repository. Of course, as these values are well known, you should not give MFReader write permission to your LDAP repository.