Enabling MFDS Administration for LDAP and User Password Changes

By default, ES uses the MFReader account to connect to the LDAP server. As its name suggests, MFReader does not have authority to make changes to the repository, only to read from it.

You may want to configure your MLDAP Security Manager in MFDS with different LDAP user credentials (Authorized ID and Password), to give it update access to part or all of the repository. You can configure it with credentials for an administrative user, or create a new LDAP user (see Adding Repository Objects using ADSIEdit) and then set ACLs in the LDAP repository (using ADSIEdit or other Microsoft tools) to give that user write access to specific parts of the repository.

For example, if you have created an AD LDS user named "MFUpdate", you could give it write access to user objects by setting an ACL with the dsacls.exe AD LDS utility:

dsacls "\\localhost\CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local" /I:S /G "CN=MFUpdate,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local":WP

(Enter this command all on one line.)

You should not give the MFReader LDAP user write access to the repository, because its name and password are well-known. Configure your security manager to use a different account instead, and be careful to keep that account's password a secret. (If non-privileged users have access to the system where MFDS is running, it's a good idea to set ACLs on the MFDS configuration files so that they can only be read by the account MFDS runs under, which is usually SERVICE.)
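The following PowerShell script is an added example, not part of the Micro Focus documentation. It carries the two steps above through as a practitioner would run them on the AD LDS/MFDS host: grant the dedicated MFUpdate account Write Property on user objects with dsacls, dump the resulting ACL to confirm that MFUpdate (and not MFReader) gained write rights, and then restrict the MFDS configuration directory with icacls. The DNs and the MFUpdate name come from the page; the configuration directory path and the service identity are placeholders that you must set to the values on your own system.

```powershell
# Added example (not from the Micro Focus documentation): grant a dedicated
# LDAP account write access to ES user objects, verify the resulting ACL, and
# lock down the MFDS configuration directory. Run from an elevated PowerShell
# prompt on the AD LDS / MFDS host. Values below are taken from the page or
# are placeholders; adjust them to your instance.

$AdLdsHost   = "localhost"                  # AD LDS instance; use host:port if not on the default port
$BaseDn      = "CN=Micro Focus,CN=Program Data,DC=local"
$UsersDn     = "CN=Enterprise Server Users,$BaseDn"
$UpdateDn    = "CN=MFUpdate,CN=ADAM Users,$BaseDn"  # account created for MFDS updates
$ReaderName  = "MFReader"                   # well-known read-only account; must never gain write rights
$MfdsConfDir = "C:\PLACEHOLDER\MFDS"        # placeholder: directory holding the MFDS configuration files
$MfdsAccount = "NT AUTHORITY\SERVICE"       # placeholder: identity the MFDS service actually runs under

# 1. Grant MFUpdate Write Property (WP) on objects below the Users container.
#    /I:S applies the ACE to sub-objects only, so the container itself stays
#    read-only for this account. Braces keep ':' out of the variable name.
dsacls "\\$AdLdsHost\$UsersDn" /I:S /G "${UpdateDn}:WP"
if ($LASTEXITCODE -ne 0) { throw "dsacls grant failed with exit code $LASTEXITCODE" }

# 2. Verify. dsacls with no options prints the ACL; each ACE's principal is
#    on one line and its permissions on the lines that follow, so keep a few
#    lines of trailing context around every match.
$acl = dsacls "\\$AdLdsHost\$UsersDn"

Write-Host "ACEs granted to MFUpdate (expect WRITE PROPERTY, inherited to sub-objects):"
$acl | Select-String -SimpleMatch "CN=MFUpdate" -Context 0,4

# Fail loudly if the well-known reader account has any write-type permission.
$readerAces = $acl | Select-String -SimpleMatch $ReaderName -Context 0,4
foreach ($m in $readerAces) {
    $block = @($m.Line) + $m.Context.PostContext
    if ($block -match "WRITE|FULL CONTROL") {
        Write-Warning "$ReaderName has write access on $UsersDn :`n$($block -join "`n")"
    }
}

# 3. Restrict the MFDS configuration files so non-privileged local users
#    cannot read the security manager's credentials: drop inherited ACEs,
#    then grant only the service identity (Modify, since MFDS updates its own
#    files) and local administrators. (OI)(CI) propagate the ACE to files and
#    subfolders; /grant:r replaces any prior explicit grants for that identity.
icacls $MfdsConfDir /inheritance:r /T
icacls $MfdsConfDir /grant:r "${MfdsAccount}:(OI)(CI)M" "BUILTIN\Administrators:(OI)(CI)F" /T
icacls $MfdsConfDir   # print the resulting ACL for review
```

Run the verification block again after any later ACL change in the repository; the warning on MFReader is the check that matters, since that account's credentials are public.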

If an ES/MSS region is configured to use an MLDAP Security Manager that has update access to user objects, then interactive MSS users will be able to set their passwords when they sign on to the system (using the CESN transaction, or another program that calls the EXEC CICS SIGNON interface). This is particularly useful if you make use of the password expiration date attribute (microfocus-MFDS-User-Pwd-ExpirationDate) to force users to change passwords periodically, since it gives them a way to do so. (Note that the MLDAP ESM Module does not currently provide any way to automatically set the expiration date; that has to be done using some other tool.)

If MFDS is configured to use an MLDAP Security Manager that has update access to the various ES objects in the LDAP repository, then you can use MFDS to administer those objects. From the Security page of the MFDS administration GUI, go to the Security Managers tab, edit the Security Manager you have defined for LDAP, and click its Properties button. From there, you can view and edit users, groups, and resource access controls.