Changing User Passwords Stored in an LDAP Server

There are various ways for Enterprise Server users to change passwords stored in an LDAP server. The Security Facility relays these requests to the security managers that are used to verify the user. Whether or not a password change request is honoured by a security manager depends on that manager and the security manager module that is used to connect to it.

When using the mldap_esm security manager, changing a user's password involves changing an attribute of the associated user object in the LDAP repository. This in turn requires that the mldap_esm security manager has write access to the repository. However, the mldap_esm security manager does not connect to the repository with the credentials of the user requesting the password change; it uses the authorized ID and password that are specified in the Edit Security Manager screen.

In order to enable the mldap_esm security manager to support the changing of user passwords, you need to modify the security manager definition to specify an authorized user ID and password that has write access to the Enterprise Server user objects within the LDAP repository. The ID and password combination that you supply should, of course, be secret. To perform this in ESCWA:

  1. In the top menu bar, click Security.

    This opens the Defined External Security Managers page.

  2. Select the definition that you want to edit by clicking edit icon at the end of the row.

    This opens the External Security Manager Configuration dialog box.

  3. In the Authorized ID field, supply the username used to bind to the LDAP server. The format for this is server-dependent, but is usually a Distinguished Name (DN).

    This user should have read access to the Enterprise Server user, group, and resource objects in the LDAP repository, and modify access to user definitions to support letting users change their passwords from ES, for example, from the CICS signon screen.

  4. In the Password field, type the password used to bind to the LDAP server.
    Note: You can use the Micro Focus Vault Facility to store a secret for the Authorized ID and Password fields. These fields can be specified using the forms:
    mfsecret:configuration-name:secret-path

    or:

    mfsecret::secret-path

    or:

    mfsecret:secret-path
  5. Click Save.
Note: When no authorized ID and password is specified in the security manager definition, the MLDAP ESM uses the user ID, CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local, the last two components can be changed by setting the base DN, which is the user object created for this purpose in the sample configuration, and the password mf_rdr to connect to the LDAP repository. Of course, as these values are well known, you should not give MFReader write permission to your LDAP repository.